Should I just pop all the scopes into `attr` and do configur

Question

Should I just pop all the scopes into `attr` and do configure with expr instead

Alex Olivier (Cerbos) · Answer

Hey Yes that is how we would recommending that and using an expression to check if the action is in the list that the user has This means you can change a users access without having to change update principal polciies

Alex Olivier (Cerbos) · Answer

You can see an example of this in this demo <https play cerbos dev p IJxlK6131f642ND65F1EhPmiT18Ap1A5>

Rasmus Dencker · Answer

The reason I went the roles way was to utilize derived roles to make a sort of hierarchical permission system which is very nice

Rasmus Dencker · Answer

```apiVersion api cerbos dev v1 derivedRoles definitions name report read parentRoles report read report delete report update report create name report create parentRoles report create```

Rasmus Dencker · Answer

I could do that with expr but it wouldnt be as clean

Rasmus Dencker · Answer

Thanks for the link I ll take a look sunglasses

Rasmus Dencker · Answer

Oh I think I get the gist So roles should be used for higher level stuff right now I d only have USER for instance

Alex Olivier (Cerbos) · Answer

Simpliest expression could be ` report read in P attr permissions` where you principal looks like ``` id 123 roles USER attr permissions reports read reports write ```

Rasmus Dencker · Answer

We re using short lived JWT tokens inside our services so the other handy thing about using expr is that I could 1 Avoid extracting scopes from the jwt in the service 2 Bonus Avoid doing jwk on the service side and just check Cerbos for a bogus policy everyone has access to effectively making Cerbos do both authz and authn

Rasmus Dencker · Answer

pretty interesting

Rasmus Dencker · Answer

So I could basically just call cerbos with the bearer token to see if its valid

Rasmus Dencker · Answer

given I don t have to check any authz stuff in that request for instance just rendering a SPA

Alex Olivier (Cerbos) · Answer

You can definitely do that and a clever use of the JWT feature

Rasmus Dencker · Answer

Amazing how such a simple to understand product can solve so much smile

Rasmus Dencker · Answer

thanks for your thoughts < Alex Olivier Cerbos >

Alex Olivier (Cerbos) · Answer

Glad to hear it Let us know if we can help with anything else at all

Rasmus Dencker · Answer

Will do 100

Rasmus Dencker · Answer

One thing I like the cool WithPlaygroundInstance option but can I somehow use the playground with auxData

Rasmus Dencker · Answer

or is that just a limitation of the playground

Alex Olivier (Cerbos) · Answer

There is an aux data section in the right sidebar

Alex Olivier (Cerbos) · Answer

might need to scroll down

Rasmus Dencker · Answer

doh I just realized I sent an access token and not a jwt thats probably why it complained about failed to extract auxData joy

Alex Olivier (Cerbos) · Answer

Ah yes that would do it

Rasmus Dencker · Answer

``` cerbos err = client New localhost 3593 client WithPlaintext client WithPlaygroundInstance redacted ```

Rasmus Dencker · Answer

Seems it s still hitting my local cerbos Whats the trick to make it use the playground smile

Alex Olivier (Cerbos) · Answer

if you press try the API and goto the Go tab it will show you then client config

Rasmus Dencker · Answer

got it thanks

Rasmus Dencker · Answer

Just discovered your embedded testing framework This is probably the best balance between hyperfocused functionality and embedded tooling I ve ever seen in an open source project Damn good work

Alex Olivier (Cerbos) · Answer

Thank you We ve been building this project with a hyper focus on the developer experience as we have all had to build authorization systems many times in our past and wanted to make sure there is an off the shelf solution that does it all

Emre (Cerbos) · Answer

Hi < Rasmus Dencker> can we quote you on that one

Rasmus Dencker · Answer

Sure < Emre Cerbos > smile