# help
s
hi; we would like to achieve the following:

1. allow the action starting with 'a_b_c*'
2. deny the action starting with 'a_b*' (there are 100+ options we'd rather not copy over to cerbos)
3. allow the action starting with 'a*'

when specifying all three, the DENY from the 'a_b*' is causing a deny to the 'more specific' 'a_b_c'. How can we solve this?

• other wildcard/regex options in the name of the deny action?
• add an expression to the expression of the policy?
• other? default behavior flag maybe?

For all: what syntax should I use?
a
It doesn't seem like a straight up wildcard syntax (of the action) as documented is going to get you there -- You must further qualify your actions. If you don't want to qualify them by copying them to cerbos, have you considered whether it is feasible to do a blanket renaming of the actions in some way that will allow you to leverage the wildcarding more like what you have described? Per: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies
s
understood; so the intended action separator (semicolon) will behave as I intend it to for this case? Because we can't rebuild the app at the moment; how should my option 2 workaround look? So an expression that can do a regex match on the action? I don't know the special variable name for the 'action':
```yaml
- expr: |
    !R.action.matches("^a_b_c")
```

```
Invalid expression `!R.action.matches("^a_b_c")
`: [undefined field 'action']
```
s
The supported colon (`:`) delimiters are strict on their boundaries, so if your actions were of the form `a:b:*` rather than `a_b*` (etc), then I believe it behaves the way you're anticipating. This example policy:
```yaml
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: foo
  rules:
    - actions: ["a:b:c:*"]
      effect: EFFECT_ALLOW
      roles: ["user"]

    - actions: ["a:b:*"]
      effect: EFFECT_DENY
      roles: ["user"]
```
With this request:
```json
{
  "requestId": "test",
  "principal": {
    "id": "sam",
    "policyVersion": "default",
    "scope": "",
    "roles": [
      "user"
    ]
  },
  "resources": [
    {
      "actions": [
        "a:b:c:d",
        "a:b:d",
        "a:b:c",
        "a:b:c:"
      ],
      "resource": {
        "kind": "foo",
        "policyVersion": "default",
        "id": "XX125"
      }
    }
  ]
}
```
Returns the following:
```json
{
  "requestId": "test",
  "results": [
    {
      "resource": {
        "id": "XX125",
        "kind": "foo",
        "policyVersion": "default"
      },
      "actions": {
        "a:b:c": "EFFECT_DENY",
        "a:b:c:": "EFFECT_ALLOW",
        "a:b:c:d": "EFFECT_ALLOW",
        "a:b:d": "EFFECT_DENY"
      }
    }
  ],
  "cerbosCallId": "01K1DEH8EC29KKK83R6GK73RBV"
}
```
> I don't know the special variable name for the 'action':
This isn't supported (actions are used to match requests to given policy rules, rather than for conditional logic in the expressions).