👋 I'm evaluating a few different centralized authz language/engine combinations and I'm looking for help expressing our requirements naturally in each system. If anyone has advice on how to best approach this in Cerbos, I'd love your thoughts! I'm not looking for a full implementation, but I'd appreciate any policy snippets or suggestions on what part is policy, what part is preloaded data, and what part is auth-time context. • We offer a multi-tenant SaaS platform. Most of the clients are large enterprises who want to manage their authorization rules centrally. Edits to the policies are relatively infrequent after initial setup. For some authorization frameworks, this means putting each tenant's unique policy requirements directly in the policy, though I won't pre-judge the approach for Cerbos. • We have a few "very standard OLTP SaaS" data models and permissions. If this were Slack, it might be something like "Sam can view channel #random" • The more sophisticated part of authorization is a multi-dimensional time-series data-model. Think something like Datadog log events, each of which have 10-20 different attributes. Some of those attributes are hierarchical dimensions, e.g.

User-Agent: OSX > Chrome > 108.8

or

Geography: Europe > Germany > Berlin

. Tenants want to build rules around each dimension, e.g. "Kat can view User-Agent OSX and all descendants" or "Pal can view all cities in Europe > Germany, but not the country itself." For a given tenant, the set of hierarchies changes ~annually and the set of values changes ~monthly. Hierarchies range in size from 5 members all the way up to 50k.

Hi James, These questions require a nuanced answer. I can only give a crude one now. Please book a call with an engineer. We are happy to discuss the solution in detail. Cerbos supports multi-tenancy with scoped policies and scoped permissions. Although changes are infrequent, the dynamic nature of some policies might require writable policy storage (database). > For some authorization frameworks, this means putting each tenant’s unique policy requirements directly in the policy Typically, that’s the same with Cerbos. The second and third bullet points look like a case for role policies. The hierarchies

EU > Germany > Berlin

can be modelled with scopes, but also with a wildcard in resources:

resource: EU.Germany.*

)

I shall! Thank you for the kind offer 🙂