Alexander Ramin
08/24/2022, 8:28 AM
Account
These Accounts can be of Staff or Customer Accounts.
I have a scenario where I want to grant certain principals permission to Update Staff Accounts.
Every other principal should not be able to update staff accounts (but may update Customer Accounts).
What I tried was adding a check for the Resource Attribute in the Principal Policy.
e.g.
# Principal Policy
# (this block is a Cerbos derived roles definition; indentation restored,
#  CEL uses && rather than &, and match takes an expr key)
apiVersion: api.cerbos.dev/v1
derivedRoles:
  name: foo
  definitions:
    - name: foo.admin
      parentRoles: ["staff"]   # parentRoles is required by Cerbos; the role name is assumed
      condition:
        match:
          expr: V.is_staff && R.attr.is_staff_account == true
    - name: foo.dev
      parentRoles: ["staff"]   # assumed, as above
      condition:
        match:
          expr: V.is_staff && R.attr.is_staff_account == false
Is this just a bad idea? Would it be better to just create separate StaffAccount and CustomerAccount Resources instead of checking the resource attribute in the principal policy?
Thanks a lot.
Charith (Cerbos)
08/24/2022, 8:49 AM
Alexander Ramin
08/24/2022, 8:50 AM