if i have a principal with two derived roles and rules on a

Question

if i have a principal with two derived roles and rules on a resource with allow for role1 based on condition and allow for role2 unconditionally and the condition for role1 is not met i m getting a deny i m assuming this is because failing a condition on an allow is treated as a deny which takes precedence rather than just don t allow yet check the other rules how can i get the behaviour i want that makes more sense to me

Hazel Boyle · Answer

or to be clearer role2 should always be allowed role1 should be allowed only if a condition is met users with both role1 and role2 are only being allowed based on the condition rather than role2 overriding it how can i achieve that

Andrew Haines (Cerbos) · Answer

Hi Hazel I think the behaviour you re expecting is correct The precedence is that a matching deny rule overrides a matching allow rule but a non matching allow rule does not override a matching allow rule So I think you maybe have a different issue If you write a for your policy you can use `cerbos compile verbose` to get an execution trace to show what rules and derived roles matched Alternatively if you have a instance you can share with an example of what you re trying to achieve I d be happy to take a look