Hi all! :wave: Evaluating Cerbos--but how can you ...
# help
m
Hi all! 👋 Evaluating Cerbos--but how can you model it to allow users to add self-service custom roles? Imagine an admin in a multi-tenant SaaS w/ UI to copy an existing system role, give it a new name and click checkboxes for what permissions to enable/disable on the new role. Thanks!
a
Hey Mark. There are two ways to look at this:

Static Policy / Dynamic Context
In the vast majority of cases it is possible to have the policies statically defined and pass in dynamic context as attributes of a principal, such as what roles it has in a specific context, e.g. a tenant or project. The static policy definitions are checking for context set in the principal, which would be driven from your app's user/profile service. An example of this is our SaaS workspace policy.

Dynamic Policy
For cases where you want to create brand new resources and actions on the fly, the Admin API can be used along with a mutable policy store in the form of one of the database storage engines. From your app's API layer, policies can be created or updated on the fly to add in the new authorization rules.
m
Thanks, I’ll definitely take a look at that SaaS workspace example. (It’d be helpful to have some docs on handling use cases like these too!) I was thinking it would need some dynamic logic in the app to copy the resource policies into a new scope for tenant.custom_role_x. Each resource policy in the scope would have a derived role activated by some custom_role_x condition on the user principal, w/ each action on the scope policy overridden to evaluate ALLOW/DENY. Appreciate the quick reply!!
Basically, I’m interested in creating roles on the fly.