Hello again: having some trouble with resource_plan call. one of our policies states:

P.attr.permissions.folder.read.exists(f, R.attr.folder_path.contains(f))

when P.attr.permissions.folder.read is a list of ids and P.attr.folder.path is a string of ids separated by ‘.’ character. for the resource_plan call i provide the attr of the Principal but not of the resource (expecting to get a plan with conditions on the resource attributes) but i seem to get an error:

error evaluating condition \"P.attr.permissions.folder.read.exists(f, R.attr.folder_path.contains(f))\": no such attribute: id: 4, attributes: [0xc000f2ad20 0xc000f2acc0 0xc000f2ac60]

any suggestions to what I’m doing wrong? or did i not understand something about the resource_plan call

Hi. I am not sure what's happening there. Let us investigate and get back to you.

Sure thing… thank you very much

OK, this is a tricky one. The condition here is "check whether any of the ids in

read

is a substring of `folder_path`". It's deeply nested and depends on the value of

folder_path

. I am sure you can appreciate that it's almost impossible to generate a plan for it without knowing what

folder_path

is. That's what this not very helpful error message is trying to tell us. Is there any reason why

folder_path

a delimited string? If you are able to convert it to a list instead, you can write the condition as

hasIntersection(P.attr.permissions.folder.read, R.attr.folder_path)

. That makes it less tricky to generate a plan when

folder_path

is unknown and is also more robust than substring checks.

Thanks for the quick response.. yeah i figured it would be hard to “plan”/“explain” this part of the query but i thought it would return this condition to me as is. thanks for the suggestion… I’d consider this… it makes more sense actually than what we did with the string 🙂 thanks again

You're welcome