Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage.

Cerbos Community

hello, what's the best way to model a hierachry of resources where decisions are made from the top down, such that a user would have access to an action on ChildResource only if they also have an allow decision from ParentResource? it doesn't seem like scoped policies will do what I want, since they're evaluated "bottom up" and a decision lower in the hierarchy shortcuts the chain

Hi Tara,
We’ve been working on precisely the behaviour you described - if the scoped policy results in no match or explicit deny, it returns deny; otherwise (if the scoped policy results in allow), it falls through to the parent.  This feature will be released soon.

We added it as an undocumented <https://github.com/cerbos/cerbos/pull/2325|feature> in the latest release (v0.40.0), so some details might still change, but currently, the policy can have optional attribute `scopePermissions`. if its value is set to `SCOPE_PERMISSIONS_REQUIRE_PARENTAL_CONSENT_FOR_ALLOWS` the fall-through behaviour will be enforced.