# help
w
derived_roles.yaml:>>

apiVersion: "api.cerbos.dev/v1"
derivedRoles:
  name: navigation-roles
  definitions:
    - name: admin-role
      parentRoles: ["admin", "ADMIN", "Admin"]
    - name: manager-role
      parentRoles: ["manager", "MANAGER", "Manager"]
    - name: user-role
      parentRoles: ["user", "USER", "User"]

menu_policy.yaml:>>

apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  importDerivedRoles:
    - navigation-roles
  resource: navigation
  rules:
    # Fallback rule for debugging - allow access to everyone with basic menu
    - actions: ["access"]
      derivedRoles:
        - any-role
      effect: EFFECT_ALLOW
      output:
        expr: '{"allowed_menu_items": ["/dashboard"]}'

    # Regular rules
    - actions: ["access"]
      derivedRoles:
        - admin-role
      effect: EFFECT_ALLOW
      output:
        expr: '{"allowed_menu_items": ["/dashboard", "/sales", "/marketing"]}'

    - actions: ["access"]
      derivedRoles:
        - manager-role
      effect: EFFECT_ALLOW
      output:
        expr: '{"allowed_menu_items": ["/dashboard", "/sales"]}'

    - actions: ["access"]
      derivedRoles:
        - user-role
      effect: EFFECT_ALLOW
      output:
        expr: '{"allowed_menu_items": ["/dashboard"]}'
o
Hey @William Adjei, I couldn't see any problems with your policies at first sight. An example CheckResources request:
{
  "requestId": "1",
  "principal": {
    "id": "1",
    "roles": [
      "USER"
    ],
    "attr": {}
  },
  "resources": [
    {
      "resource": {
        "kind": "navigation",
        "id": "1",
        "attr": {}
      },
      "actions": [
        "access"
      ]
    }
  ]
}
The response:
{
  "requestId": "1",
  "results": [
    {
      "resource": {
        "id": "1",
        "kind": "navigation"
      },
      "actions": {
        "access": "EFFECT_ALLOW"
      },
      "outputs": [
        {
          "src": "resource.navigation.vdefault#rule-003",
          "val": {
            "allowed_menu_items": [
              "/dashboard"
            ]
          }
        }
      ]
    }
  ]
}
https://play.cerbos.dev/p/eV9YYejAAsj5XIO67f7c1e7oADrB38qf
w
Thanks
s
One thing: you've defined a rule for the derived role any-role in the resource policy. This isn't defined in your derived roles policy, so it can never be assumed (so that particular rule will never resolve to ALLOW).
šŸ‘ 1
w
I noticed why I was getting EFFECT_DENY. When starting up its container in Docker, the logs had this: "Found 0 executable policies".
This is my config.yaml:
server:
  httpListenAddr: ":3592"

storage:
  driver: "disk"
  disk:
    directory: ./policies
    watchForChanges: true
And this is the folder structure:
cerbos/
├── config/
│   └── config.yaml
└── policies/
    └── navigation.yaml
Am I missing something?
o
Oh @Sam Lock (Cerbos), you're right, I somehow missed that rule while copying. Are there any log lines stating problem(s) with the policies, @William Adjei? Also, how do you run Cerbos?
w
@oguzhan would this suffice:
2025-04-10 14:46:01 {"log.level":"info","@timestamp":"2025-04-10T14:46:01.351Z","log.logger":"cerbos.disk.store","message":"Initializing disk store from /policies"}
2025-04-10 14:46:01 {"log.level":"info","@timestamp":"2025-04-10T14:46:01.351Z","log.logger":"cerbos.index","message":"Found 0 executable policies"}
2025-04-10 14:46:01 {"log.level":"info","@timestamp":"2025-04-10T14:46:01.351Z","log.logger":"cerbos.telemetry","message":"Anonymous telemetry enabled. Disable via the config file or by setting the CERBOS_NO_TELEMETRY=1 environment variable"}
I run it using:
docker run --rm --name cerbos-cred -d \
  -v $(pwd)/cerbos:/opt/cerbos \
  -p 3592:3592 \
  ghcr.io/cerbos/cerbos:0.43.0 \
  server --config=/opt/cerbos/config/config.yaml
o
The folder structure you've shared only consists of a policy named navigation.yaml, btw. I think it should be like this:
cerbos/
├── config/
│   └── config.yaml
└── policies/
    ├── derived_roles.yaml
    └── menu_policy.yaml
w
How do I change that?
o
Could you change the config.yaml to this and try again?
server:
  httpListenAddr: ":3592"

storage:
  driver: "disk"
  disk:
    directory: /opt/cerbos/policies
    watchForChanges: true
w
Alright let me try that
šŸ‘šŸ» 1
It worked! Thanks for the help.
o
Glad to hear that!