Hello, I am trying to migrate an existing system ...
# help
a
Hello, I am trying to migrate an existing system to Cerbos. The existing system already has some RBAC-like authorisation implemented. There is a super admin that has all permissions; the admin can create roles as they please and CRUD permissions per resource. My question is: can we write policies in Cerbos that are built on top of the existing system? So, for example, in the existing system,
a user with the role of seller, where the seller role can edit the listing resource.
Let's say the above is already defined in the existing system. So additional rules might be:
user id must be equal to the listing author
So the full rule will be:
user can edit listing (existing system), user id must be equal to listing author (Cerbos)
o
Hi @Ahmad Fathallah, yes, that could work. An example resource policy doing what you've described:

```yaml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: listing
  rules:
    - actions:
        - edit
      effect: EFFECT_ALLOW
      roles:
        - SELLER
      condition:
        match:
          expr: R.attr.authorId == P.id
```

After doing the internal authz check, you could use one of our SDKs to do the secondary authz check with Cerbos. JS SDK example exercising the above policy:

```js
const allowed = await cerbos.isAllowed({
  principal: {
    id: "oguzhan",
    roles: [
      "SELLER",
    ],
    attributes: {},
  },
  resource: {
    kind: "listing",
    id: "1",
    attributes: {
      authorId: "oguzhan",
    },
  },
  action: "edit",
});
```

See the relevant playground: https://play.cerbos.dev/p/nlc685d0fcdFZoKCVTwoPDXdSujJBq73
a
Thank you, this is really helpful.