Hi Apologies if this has been asked before but I m wondering Cerbos Community #help

Hi, Apologies if this has been asked before but I'...

Joe Cantwell

07/30/2025, 3:35 PM

Hi, Apologies if this has been asked before but I'm wondering what the syntax is to handle an attribute that may or may not exist. for example, suppose I have an attribute on a resource called

dataClass

and its value can be

public

private

. if the attribute is missing from the resource, I should assume its

private

I can do something like the following to match it in a derived role

Copy code

- all:
    of:
    - expr: R.attr.dataClass <= ''

and that works if I specify the

dataClass

attribute on my test resource but set its value as ' ' like below

Copy code

unclassified_data:
    id: unclassified_data
    kind: data
    policyVersion: default
    attr:
      exportControl: None
      dataClass: ''

but what I'd really like is to be able to pass a resource thats missing this attribute and be able to detect it in the policy. Maybe something like

Copy code

unclassified_data:
    id: unclassified_data
    kind: data
    policyVersion: default
    attr:
      exportControl: None
 ---

 - all:
    of:
    - expr: !exists(R.attr.dataClass)

Does anyone have a neat way of doing that?

Dennis (Cerbos)

07/31/2025, 12:29 AM

Hi @Joe Cantwell, No worries. Detecting the presence of an attribute is easy with the

has

macro. For example,

has(R.attr.dataClass)

has

doesn’t work with

R.attr["dataClass"]

syntax, though. For this, use

R.attr.exists(k, k == "dataClass")

🙌 1

Andrew Haines (Cerbos)

07/31/2025, 10:17 AM

You can also use the

in

operator, e.g.

"dataClass" in R.attr

Joe Cantwell

07/31/2025, 10:23 AM

TIL. thanks guys

🙌🏼 1

🙌 1

Open in Slack