Hazel Boyle

10/05/2022, 2:07 PM
If I have a principal with two derived roles, and rules on a resource with allow for role1 based on condition, and allow for role2 unconditionally, and the condition for role1 is not met, I'm getting a deny. I'm assuming this is because failing a condition on an allow is treated as a deny (which takes precedence), rather than just 'don't allow yet, check the other rules'. How can I get the behaviour I want/that makes more sense to me?
2:12 PM
Or to be clearer: role2 should always be allowed. role1 should be allowed only if a condition is met. Users with both role1 and role2 are only being allowed based on the condition, rather than role2 overriding it. How can I achieve that?
Andrew Haines (Cerbos)

10/05/2022, 2:15 PM
Hi Hazel, I think the behaviour you're expecting is correct. The precedence is that a matching deny rule overrides a matching allow rule - but a non-matching allow rule does not override a matching allow rule. So, I think you maybe have a different issue. If you write a test for your policy, you can use
cerbos compile --verbose
to get an execution trace to show what rules and derived roles matched. Alternatively, if you have a playground instance you can share with an example of what you're trying to achieve, I'd be happy to take a look.