In Cerbos lingo, how does one ask for the authorizations a principal has on a resource? My case is ‘users’ have access to different privilege levels on ‘devices’. I want to spit out ‘priv level’ 1, 2 or 3.
Do I define these levels as ‘actions’? And then request all of them in one Cerbos request?
Andrew Haines (Cerbos)
10/17/2022, 4:07 PM
Hi @sdktr, yes, it sounds like you could model that with actions and use CheckResources to check all the privilege levels in one request.
The one thing I wonder is if privilege levels end up working a bit like roles - are there different actions you can perform with a device if you have priv level 3 vs 1? If so, it might be preferable to model those actions directly in the policies.
Now, this technique allows for authorizing each command that is entered in the CLI as well. In that case hundreds of different ‘actions’ could end up in the policy. I’m hoping they support regex as well. If not, we’ll have to keep these commands as a custom variable. I believe they do support wildcard matches.