# help
b
Hi, thought I'd post here before possibly opening a GH issue. I'm trying to use role policies with the plan resources endpoint (v0.43.0). In short, when a user has multiple roles where one allows an action and another doesn't, I'm seeing `KIND_ALWAYS_DENIED`, even though check resources will allow in practice. If a user has a Reader and Admin role, for example, I would expect `thing:update` to result in either `KIND_ALWAYS_ALLOWED` (or `KIND_CONDITIONAL` if more conditions are relevant), but it seems like because the Reader role would restrict the user on any update action the result ends up being `KIND_ALWAYS_DENIED`. Is that expected?
d
Hi Byron, no, this doesn’t sound right to me. Please raise a GH issue.
s
Seconded ☝️. I'm struggling to recreate in tests, so wondering if it's a specific scenario that causes this.
b
I saw 0.44.0 was just released and it seemed the issue was partially resolved. Still had an issue when the role policy had a condition, so I noted behavior for both 0.43.0 and 0.44.0 in my issue here: https://github.com/cerbos/cerbos/issues/2591
s
Thank you! I'll take a look
b
I saw it was just closed as completed. Great!