# help
a
Hey, new-time user to Cerbos and having some trouble getting some policy definitions in place. Could use some help on where I'm going wrong. I'm going to drop the details of what I'm trying to do and the troubles I'm seeing in the thread
I'm trying to institute a very simple superadmin role policy that defines that anyone who is a super admin should have global access to the system (i.e., any resource + action combo is allowed if you have this role). This is how I've modeled the super admin role policy
{
  "apiVersion": "api.cerbos.dev/v1",
  "rolePolicy": {
    "role": "superadmin",
    "rules": [
      {
        "resource": "*",
        "allowActions": [
          "*"
        ]
      }
    ]
  }
}
Then when trying to make a check request (see below) and passing in the role as superadmin, the result always comes back as EFFECT_DENY. What would be the proper way to model this kind of situation?
{
  "principal": {
    "id": "7700ebbc-05a2-4f64-acd7-e20f25aff527",
    "scope": "fcdc562c-546c-4cca-8fee-e557a642dc9d",
    "roles": [
      "superadmin"
    ]
  },
  "resources": [
    {
      "actions": [
        "get"
      ],
      "resource": {
        "kind": "myresource",
        "id": "resourceId"
      }
    }
  ],
  "includeMeta": true
}
s
So this is a little confusing (and I don't blame you for asking this question!), but role policies only "narrow" permissions that are already defined in your system. The shortest path to getting the above to issue ALLOW is by defining a resource policy that looks something like this:
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: salary_record
  rules:
    - actions:
        - create
        - delete
      effect: EFFECT_ALLOW
      roles: ["admin"]
Then you'd need to add parentRoles to the role policy like this:
---
apiVersion: "api.cerbos.dev/v1"
rolePolicy:
  role: superadmin
  parentRoles:
    - admin
  rules:
    - resource: "*"
      allowActions:
        - "*"
a
Ahh I see, I was able to get this working with a resource policy, but then in effect realized that the role policy here became redundant for me since I already know the 'superadmin' role at runtime (this is already determined in the IDP). Instead then, I'll just focus on resource policies and have separate rules for 'superadmins' vs. non-superadmins
thanks for the feedback!