# help
s
Hi, I am trying to implement role policies, and it seems to be denying everything even though I have added an exhaustive list of resources and allowable actions. Am I missing something here?
```yaml
apiVersion: api.cerbos.dev/v1
rolePolicy:
  role: "supportcoordinator"
  rules:
    - resource: BI&Reporting
      allowActions:
        - access

    - resource: Billing
      allowActions:
        - access
      condition:
        match:
          expr: 18 in P.attr.modules

    - resource: DocumentCenter
      allowActions:
        - accessDocumentsTab
      condition:
        match:
          expr: 14 in P.attr.modules

    - resource: EVV
      allowActions:
        - access
      condition:
        match:
          expr: 11 in P.attr.modules

    - resource: FinancialReporting
      allowActions:
        - access
      condition:
        match:
          expr: 19 in P.attr.modules

    - resource: SecureCommunication
      allowActions:
        - access
      condition:
        match:
          expr: 21 in P.attr.modules

    - resource: FormBuilder
      allowActions:
        - access
      condition:
        match:
          expr: 15 in P.attr.modules

    - resource: TeleHealth
      allowActions:
        - access
      condition:
        match:
          expr: 17 in P.attr.modules

    - resource: Scheduler
      allowActions:
        - accessSchedulerTab
        - access
      condition:
        match:
          expr: 20 in P.attr.modules

    - resource: TimeManagement
      allowActions:
        - accessTimesheetsTab
      condition:
        match:
          expr: 12 in P.attr.modules
```
This is the role policy I have defined.
```json
{
  "principal": {
    "id": "700869",
    "roles": [
      "supportcoordinator"
    ],
    "attr": {
      "states": [
        "NJ"
      ],
      "modules": [
        57,
        55,
        54,
        50,
        52,
        53,
        58,
        56,
        80,
        60,
        62,
        68,
        67,
        66,
        64,
        65,
        63,
        61,
        101,
        69,
        99,
        71,
        72,
        19,
        21,
        16,
        17,
        12,
        15,
        20,
        11,
        14,
        18,
        22
      ],
      "company_type": 101
    }
  },
  "resources": [
    {
      "resource": {
        "kind": "LocateTab",
        "id": "LocateTab#700869"
      },
      "actions": [
        "access"
      ]
    },
    {
      "resource": {
        "kind": "NewTab",
        "id": "NewTab#700869"
      },
      "actions": [
        "access"
      ]
    },
    {
      "resource": {
        "kind": "EVV",
        "id": "EVVNJ#700869",
        "attr": {
          "evv_state": "NJ"
        }
      },
      "actions": [
        "accessEVVTab"
      ]
    },
    {
      "resource": {
        "kind": "EVV",
        "id": "EVVAZ#700869",
        "attr": {
          "evv_state": "AZ"
        }
      },
      "actions": [
        "accessEVVTab"
      ]
    },
    {
      "resource": {
        "kind": "TimeManagement",
        "id": "TimesheetsTab#700869"
      },
      "actions": [
        "accessTimesheetsTab"
      ]
    },
    {
      "resource": {
        "kind": "Billing",
        "id": "BillingTab#700869",
        "attr": {
          "billing_state": "NJ"
        }
      },
      "actions": [
        "accessBillingTab"
      ]
    },
    {
      "resource": {
        "kind": "DocumentCenter",
        "id": "DocumentsTab#700869"
      },
      "actions": [
        "accessDocumentsTab"
      ]
    },
    {
      "resource": {
        "kind": "Scheduler",
        "id": "SchedulerTab#700869"
      },
      "actions": [
        "accessSchedulerTab"
      ]
    }
  ]
}
```
This is my request object. I am not sure what is wrong here. I have not added any parent roles as of now since I wanted to test if this will work for a totally custom role.
a
Hi, a similar question was answered in this thread: https://cerboscommunity.slack.com/archives/C02A364JYMQ/p1747155345950379
s
I think my question is a little different, because I'm not trying to add a parent role, since that is optional. We need to add a custom role, so the permissions might differ from every other role that was defined in resource policies.