10/17/2022, 3:39 PM
In Cerbos lingo, how does one ask for the authorizations a principle has on a resource? My case is ‘users’ have access to different privilidge levels on ‘devices’. I want to spit out ‘priv level’ 1,2 or 3. Do I define these levels as ‘actions’? And then request for all of them in one cerbos request?

Andrew Haines (Cerbos)

10/17/2022, 4:07 PM
Hi @sdktr, yes, it sounds like you could model that with actions and use CheckResources to check all the privilege levels in one request. The one thing I wonder is if privilege levels end up working a bit like roles - are there different actions you can perform with a device if you have priv level 3 vs 1? If so, it might be preferable to model those actions directly in the policies.


10/17/2022, 5:31 PM
Nice catch! The priv levels indeed end up being used as ‘roles’ in the device. I’m tinkering around using cerbos as a backend for a tacacs+ server. This priv level will be sent down to the device, where it’s mapped to a set of commands a user should be able to run.
Now, this technique allows for authorizing each command that is entered in the CLI as well. In that case hunderds of different ‘actions’ could end up in the policy. I’m hoping they support regex as well. If not, we’ll have to keep these commands as a custom variable. I believe they do support wildcard matches