Title
#help
n

Nimit

11/04/2022, 1:45 PM
hi @Charith (Cerbos) 2 quick questions1. I have 2 policies (for 2 different resources - both accessed by a user_role - see below), can i somehow combine these 2 policies in 1 (i mean policy for a user_role for 2 separate resources)? I see it can be done for a single principal, but can be done for a role ? 2. Is there a simple function call where i can just get back the list of allowed actions on a resource (not send a list of actions and get back the allowed list). for e.g in the policy below can i just get back CUS01, CUS02 ?
{
"apiVersion": "<http://api.cerbos.dev/v1|api.cerbos.dev/v1>",
"resourcePolicy": {
"resource": "*customers*",
"version": "default",
"rules": [
{
"actions": [
"CUS01",
"CUS02"
],
"roles": [
"*customer-user*"
],
"effect": "EFFECT_ALLOW"
},
{
"actions": [
"CUS11",
"CUS12"
]
],
"scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"
}
}
{
"apiVersion": "<http://api.cerbos.dev/v1|api.cerbos.dev/v1>",
"resourcePolicy": {
"resource": "*salh*",
"version": "default",
"rules": [
{
"actions": [
"SALH01",
"SALH02"
],
"roles": [
"*customer-user*"
],
"effect": "EFFECT_ALLOW"
}
"scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"
}
}
Charith (Cerbos)

Charith (Cerbos)

11/04/2022, 1:59 PM
The answer is no for both questions, I am afraid. You can create a principal policy but it's for a particular user, not a role.
n

Nimit

11/04/2022, 2:03 PM
thanks
2:13 PM
charith is there any possibility we can raise a enhancement request ? point-2 is esp essential as this can potentially have a big impact when we attempt to scale up (say 1 have 1/2 a million customers and i only have 5 that should be allowed access - i dont want to keep sending all 1/2 a mil in the request.. rather just request the allowed list)
Charith (Cerbos)

Charith (Cerbos)

11/04/2022, 2:17 PM
I am not sure I understand you. Why do you need to send 0.5 million customers in a request?
n

Nimit

11/04/2022, 2:20 PM
so in the first policy [CUS01 and CUS02] is a list of 2 customers whose data i as a user am allowed to view.. The only way i get that list back is if i send the full list of customers [CUS01, 02, 03 ......<any number>], cerbos api responds with CUS01-ALLOW, CUS02-ALLOW, CUSxx....-DENY
Charith (Cerbos)

Charith (Cerbos)

11/04/2022, 2:22 PM
Oh wait, so your
actions
are actually customer identifiers?
n

Nimit

11/04/2022, 2:22 PM
precisely
Charith (Cerbos)

Charith (Cerbos)

11/04/2022, 2:23 PM
Hmmm... I won't recommend doing that. Actions are meant to be a finite set of things you could do on a resource.
2:23 PM
What are you trying to model here?
n

Nimit

11/04/2022, 2:30 PM
hmm .. in that case im thinking maybe that relation needs to go into a database and not a policy
Charith (Cerbos)

Charith (Cerbos)

11/04/2022, 2:33 PM
Yes, absolutely. If you need to check whether a particular principal has access to a particular customer account, you should do that lookup using your database. You can then issue a JWT that contains the set of customer accounts that principal has access to and inspect the JWT in your Cerbos policies when making access decisions to the resources belonging to customers.