Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage.

Cerbos Community

if i have a principal with two derived roles, and rules on a resource with allow for role1 based on condition, and allow for role2 unconditionally, and the condition for role1 is not met, i'm getting a deny. i'm assuming this is because failing a condition on an allow is treated as a deny (which takes precedence), rather than just 'don't allow yet, check the other rules'. how can i get the behaviour i want/that makes more sense to me?

or to be clearer: role2 should always be allowed. role1 should be allowed only if a condition is met. users with both role1 and role2 are only being allowed based on the condition, rather than role2 overriding it. how can i achieve that?

Hi Hazel, I think the behaviour you're expecting is correct. The precedence is that a matching deny rule overrides a matching allow rule - but a non-matching allow rule does not override a matching allow rule.

So, I think you maybe have a different issue. If you write a <https://docs.cerbos.dev/cerbos/latest/policies/compile.html#testing|test> for your policy, you can use `cerbos compile --verbose` to get an execution trace to show what rules and derived roles matched.

Alternatively, if you have a <https://play.cerbos.dev/|playground> instance you can share with an example of what you're trying to achieve, I'd be happy to take a look.