# help
j
Hi, I'm pretty familiar with the standard resource policies but I'm looking at a policy that is essentially duplicated 3 times - each for different (but related) resources. Each policy grants access to the same collection of IDP groups and has a single condition. I think this could be handled with a role policy but the existing unit tests don't like my approach. Am I missing something obvious? The parentRoles are real groups but my role itself is just a string. Does this also need to be a real role?
```yaml
apiVersion: api.cerbos.dev/v1
rolePolicy:
  role: "notaRealRole"
  parentRoles:
    - group:default/admins
    - group:default/employees
    - group:default/users

  rules:
    - resource: "resource.action"
      allowActions: ["*"]
      condition:
        match:
          expr: P.attr.isemployee == true

    - resource: resource.task
      allowActions: ["*"]
      condition:
        match:
          expr: P.attr.isemployee == true

    - resource: resource.template
      allowActions: ["*"]
      condition:
        match:
          expr: P.attr.isemployee == true
```
c
Hey, the `rolePolicy.role` doesn't have to be a real role, but its value must be in the set of `principal.roles` sent in the request.