Hi I m trying to use `Principal policies` for managing user

Question

Hi I m trying to use `Principal policies` for managing user access to client orders Unfortunately it doesn t work as I expected I ve created following principal policy ```apiVersion api cerbos dev v1 principalPolicy principal user 123 version dev rules resource client 12345 actions name view data action view effect EFFECT ALLOW``` and test for this policy ```name test principals user id user 123 roles user resources clients id client 12345 kind client tests name User should view client records input principals user resources clients actions view expected principal user resource clients actions view EFFECT ALLOW``` My intention is to allow principal `user 123` to execute `view` action on `client 12345` resource However when I compile ant test policy I always get `EFFECT DENY` What did I wrong

Charith (Cerbos) · Answer

Hi Two things Principal policies apply to resource kinds In your case the resource kind is `client` and the rule should be written to target `client` not `client 12345` If the policy version is not `default` you have to explicitly set the `policyVersion` field in the test data So your principal definitions should have `policyVersion dev` in the test fixtures

Charith (Cerbos) · Answer

So this would work ```apiVersion api cerbos dev v1 principalPolicy principal user 123 version dev rules resource client actions name view data action view effect EFFECT ALLOW condition match expr | R id == client 12345 ``` ```name test principals user id user 123 policyVersion dev roles user resources clients id client 12345 kind client tests name User should view client records input principals user resources clients actions view expected principal user resource clients actions view EFFECT ALLOW```

Łukasz Sierakowski · Answer

Thank you slightly smiling face It is working now