Hi, I’m trying to use `Principal policies` for man...
# help
ł
Hi, I’m trying to use `Principal policies` for managing user access to client orders. Unfortunately it doesn’t work as I expected. I’ve created the following principal policy:

```yaml
apiVersion: api.cerbos.dev/v1
principalPolicy:
  principal: user-123
  version: "dev"
  rules:
    - resource: client-12345
      actions:
        - name: view-data
          action: "view"
          effect: EFFECT_ALLOW
```

and a test for this policy:

```yaml
name: test
principals:
  user:
    id: user-123
    roles:
      - user
resources:
  clients:
    id: client-12345
    kind: client
tests:
  - name: User should view client records
    input:
      principals:
        - user
      resources:
        - clients
      actions:
        - view
    expected:
      - principal: user
        resource: clients
        actions:
          view: EFFECT_ALLOW
```
My intention is to allow principal `user-123` to execute the `view` action on the `client-12345` resource. However, when I compile and test the policy I always get `EFFECT_DENY`. What did I do wrong?
c
Hi. Two things:

- Principal policies apply to resource kinds. In your case, the resource kind is `client` and the rule should be written to target `client`, not `client-12345`.
- If the policy version is not `default`, you have to explicitly set the `policyVersion` field in the test data. So, your principal definitions should have `policyVersion: dev` in the test fixtures.

So this would work:
```yaml
apiVersion: api.cerbos.dev/v1
principalPolicy:
  principal: user-123
  version: "dev"
  rules:
    - resource: client
      actions:
        - name: view-data
          action: "view"
          effect: EFFECT_ALLOW
          condition:
            match:
              expr: |-
                R.id == "client-12345"
```

```yaml
name: test
principals:
  user:
    id: user-123
    policyVersion: dev
    roles:
      - user
resources:
  clients:
    id: client-12345
    kind: client
tests:
  - name: User should view client records
    input:
      principals:
        - user
      resources:
        - clients
      actions:
        - view
    expected:
      - principal: user
        resource: clients
        actions:
          view: EFFECT_ALLOW
```
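To make the two failure modes in the reply above visible side by side, here is an added toy evaluator (example code written for this page, not Cerbos's engine or test runner) that models only the matching rules the reply relies on: the principal id plus `policyVersion` select the policy, rules match on the resource kind, and a condition narrows to an instance. The `check` and `demo` functions and the dict fixtures are constructed for the example, and only a condition of the literal form `R.id == "..."` is understood.

```python
import re

DENY, ALLOW = "EFFECT_DENY", "EFFECT_ALLOW"

def _condition_holds(action_rule, resource):
    # Assumption of this toy model: only the CEL form  R.id == "<literal>"  is understood.
    cond = action_rule.get("condition")
    if not cond:
        return True
    m = re.fullmatch(r'R\.id\s*==\s*"([^"]*)"', cond["match"]["expr"].strip())
    if not m:
        raise ValueError("toy model does not support this expression")
    return resource["id"] == m.group(1)

def check(policy, principal, resource, action):
    # Toy model of principal-policy matching: principal id and version select the policy,
    # rules are matched on the resource kind, and a condition narrows to specific instances.
    pp = policy["principalPolicy"]
    if pp["principal"] != principal["id"]:
        return DENY
    # A fixture without policyVersion asks for "default", so a policy declared as
    # version "dev" is never selected for it.
    if principal.get("policyVersion", "default") != pp.get("version", "default"):
        return DENY
    for rule in pp["rules"]:
        if rule["resource"] != resource["kind"]:  # "client-12345" never equals kind "client"
            continue
        for a in rule["actions"]:
            if a["action"] == action and _condition_holds(a, resource):
                return a["effect"]
    return DENY

# Constructed fixtures mirroring the thread (principal and resource are the same in both cases).
PRINCIPAL = {"id": "user-123", "roles": ["user"]}
RESOURCE = {"id": "client-12345", "kind": "client"}
ORIGINAL = {"principalPolicy": {"principal": "user-123", "version": "dev", "rules": [
    {"resource": "client-12345", "actions": [{"name": "view-data", "action": "view", "effect": ALLOW}]}]}}
FIXED = {"principalPolicy": {"principal": "user-123", "version": "dev", "rules": [
    {"resource": "client", "actions": [{"name": "view-data", "action": "view", "effect": ALLOW,
     "condition": {"match": {"expr": 'R.id == "client-12345"'}}}]}]}}

def demo():
    dev = {**PRINCIPAL, "policyVersion": "dev"}  # what the corrected test fixture sets
    return {
        "original policy, no policyVersion": check(ORIGINAL, PRINCIPAL, RESOURCE, "view"),
        "original policy, policyVersion dev": check(ORIGINAL, dev, RESOURCE, "view"),
        "fixed policy, no policyVersion": check(FIXED, PRINCIPAL, RESOURCE, "view"),
        "fixed policy, policyVersion dev": check(FIXED, dev, RESOURCE, "view"),
        "fixed policy, other client": check(FIXED, dev, {"id": "client-999", "kind": "client"}, "view"),
    }
```

Only the combination of the kind-targeted rule and the `policyVersion: dev` fixture yields `EFFECT_ALLOW`; fixing just one of the two still produces `EFFECT_DENY`, and the condition keeps other client ids denied.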
ł
Thank you 🙂 It is working now