https://cerbos.dev logo
Join Slack
Powered by
[help needed: nested principals] hey there Cerbos ...
# help
y
[help needed: nested principals] hey there Cerbos community, it’d be great if you can help me with the following scenario: • I have a 
BUSINESS
principal, which has 2 other principals nested under it: 
API_KEY
and 
USER
. • How can I use Cerbos to map the constraints such that: ◦ A 
USER
will be constrained by it’s 
BUSINESS
’s policies? For example: ▪︎ The 
BUSINESS
is banned from accessing Product A ▪︎ The 
USER
that belongs to this 
BUSINESS
should also be banned from accessing Product A
d
In my view principal is a concrete entity that wants to perform an action and the application asks cerbos whether the principal is allowed to do it. Can you please elaborate what you mean by saying that a 
USER
belongs to 
BUSINESS
? Is the latter a group of users?
c
As Dennis said, we consider a principal to be the actual person/service/entity that performs an action. If I understand your question correctly, what you are trying to model is a group membership scenario where 
BUSINESS
is the "group". We have support for modelling such tree-like relationships using hierarchy functions: https://docs.cerbos.dev/cerbos/latest/policies/conditions.html#hierarchies
You can write your policy rules to inspect the hierarchy that the principal belongs to (which should be sent as an attribute in the request) and model your rules that way.
a
Here is an example that has the concept of organisations which the principal belongs to and defines their access to resources. It is modeled after a finance application https://play.cerbos.dev/p/hTScZq617bc385f0m9LhKf5JpYmxTOm6
y
Hey thanks for the responses!
Can you please elaborate what you mean by saying that a 
USER
 belongs to 
BUSINESS
 ? Is the latter a group of users? 
Yes, I’m trying to model something like a group membership scenario, where 
BUSINESS
is the group here, with the 
USERS
as members.
You can write your policy rules to inspect the hierarchy that the principal belongs to (which should be sent as an attribute in the request) and model your rules that way.
I see! So that means i’ll need to keep passing in those attributes every time we evaluate the rules and policies?
Here is an example that has the concept of organisations which the principal belongs to and defines their access to resources. It is modeled after a finance application https://play.cerbos.dev/p/hTScZq617bc385f0m9LhKf5JpYmxTOm6
Thanks I’ll take a look at this.
I think it’d be useful if there’s an example showing how 2 related principals can access a resource? e.g. A 
User
is in a 
Group
. 
Group
has generic Read/Write permissions to 
Resource A
, and how 
Users
within that 
Group
can again have a second level of Read/Write permissions to 
Resource A
.
c
So individual users have specific permissions that the group does not?
y
So individual users have specific permissions that the group does not?
yep, so if I am the 
Group
Admin
, I can change the access of my own 
Users
to 
Resource A
.
c
Oh I see. I think you're talking about ACLs where each individual resource instance can have different access rules. There's currently no nice way of modelling ACLs in Cerbos. We are focusing on RBAC/ABAC type access control at the moment.
a
@Yong Cheng Toh I'm keen to understand your requirements a bit more and see if we can model something for you - even if it is for another part of your system. If you are happy to have a quick call, you can pick some time that works for you
👍 1
12 Views
Open in Slack
PreviousNext
Powered by