Hi Is it possible to use regular expression to match `princi

Question

Hi Is it possible to use regular expression to match `principal`to an `id` in a PrincipalPolicy

Alex Olivier (Cerbos) · Answer

Hey principal policies currently target a single principal so it is a direct match only What is your use case for regex We can look at adding it in the future

Alex Olivier (Cerbos) · Answer

There is a good chance you can model this via a condition in a resource policy instead depending on what you need it to do

Elodie Philippe · Answer

I d like to grant admin like authorization for people from my organization I want to use emails as id for Principals so I wondered if I could use Principal override to grant these authorizations by matching our organization domain against the PrincipalPolicy `principal`property instead of setting a condition in each resource

Elodie Philippe · Answer

Maybe I should dig into the new scope feature I haven t read much about that yet

Alex Olivier (Cerbos) · Answer

Got it A way to approach this is to create a <https docs cerbos dev cerbos latest policies derived roles html|derived role> which is activated based on the email address regex in a condition This derived role can then be added to a wildcard rules on each resource It is a bit more flexible this way as you can then control which specific actions these admin like users can do

Elodie Philippe · Answer

Ok thank you slightly smiling face that was the way I did it until I thought about principal policies

Elodie Philippe · Answer

If I have feedback do you prefer to collect them through Slack mail or github issue

Alex Olivier (Cerbos) · Answer

Whatever is easiest for you but everything will end up in a Github issue anyway so you have visibility