Hi !
Is it possible to use regular expression to m...
# helpe
Elodie Philippe
02/23/2022, 10:45 AMHi !
Is it possible to use regular expression to match `principal`to an
ida
Alex Olivier (Cerbos)
02/23/2022, 10:51 AM
Hey - principal policies currently target a single principal so it is a direct match only.
What is your use case for regex? We can look at adding it in the future.
Alex Olivier (Cerbos)
02/23/2022, 10:52 AM
There is a good chance you can model this via a condition in a resource policy instead depending on what you need it to do.
e
Elodie Philippe
02/23/2022, 10:56 AMI'd like to grant admin-like authorization for people from my organization.
I want to use emails as id for Principals, so I wondered if I could use Principal override to grant these authorizations by matching our organization domain against the PrincipalPolicy `principal`property instead of setting a condition in each resource.
Elodie Philippe
02/23/2022, 10:57 AMMaybe I should dig into the new scope feature? I haven't read much about that yet
a
Alex Olivier (Cerbos)
02/23/2022, 10:58 AM
Got it.
A way to approach this is to create a derived role which is activated based on the email address regex in a condition.
This derived role can then be added to a wildcard rules on each resource. It is a bit more flexible this way as you can then control which specific actions these ‘admin-like’ users can do.
e
Elodie Philippe
02/23/2022, 10:59 AMOk thank you 🙂, that was the way I did it until I thought about principal policies.
Elodie Philippe
02/23/2022, 11:06 AMIf I have feedback, do you prefer to collect them through Slack, mail or github issue?
a
Alex Olivier (Cerbos)
02/23/2022, 11:16 AM
Whatever is easiest for you, but everything will end up in a Github issue anyway so you have visibility
3 Views