Title
n
Nimit
11/04/2022, 1:45 PMhi @Charith (Cerbos) 2 quick questions
1. I have 2 policies (for 2 different resources - both accessed by a user_role - see below), can i somehow combine these 2 policies in 1 (i mean policy for a user_role for 2 separate resources)? I see it can be done for a single principal, but can be done for a role ?
2. Is there a simple function call where i can just get back the list of allowed actions on a resource (not send a list of actions and get back the allowed list). for e.g in the policy below can i just get back CUS01, CUS02 ?
{"apiVersion": "<http://api.cerbos.dev/v1|api.cerbos.dev/v1>","resourcePolicy": {"resource": "*customers*","version": "default","rules": [{"actions": ["CUS01","CUS02"],"roles": ["*customer-user*"],"effect": "EFFECT_ALLOW"},{"actions": ["CUS11","CUS12"]],"scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"}}{"apiVersion": "<http://api.cerbos.dev/v1|api.cerbos.dev/v1>","resourcePolicy": {"resource": "*salh*","version": "default","rules": [{"actions": ["SALH01","SALH02"],"roles": ["*customer-user*"],"effect": "EFFECT_ALLOW"}"scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"}}c
Charith (Cerbos)
11/04/2022, 1:59 PMThe answer is no for both questions, I am afraid. You can create a principal policy but it's for a particular user, not a role.
n
Nimit
11/04/2022, 2:03 PMthanks
charith is there any possibility we can raise a enhancement request ? point-2 is esp essential as this can potentially have a big impact when we attempt to scale up (say 1 have 1/2 a million customers and i only have 5 that should be allowed access - i dont want to keep sending all 1/2 a mil in the request.. rather just request the allowed list)
c
Charith (Cerbos)
11/04/2022, 2:17 PMI am not sure I understand you. Why do you need to send 0.5 million customers in a request?
n
Nimit
11/04/2022, 2:20 PMso in the first policy [CUS01 and CUS02] is a list of 2 customers whose data i as a user am allowed to view..
The only way i get that list back is if i send the full list of customers [CUS01, 02, 03 ......<any number>], cerbos api responds with CUS01-ALLOW, CUS02-ALLOW, CUSxx....-DENY
c
Charith (Cerbos)
11/04/2022, 2:22 PMOh wait, so your
actionsn
Nimit
11/04/2022, 2:22 PMprecisely
c
Charith (Cerbos)
11/04/2022, 2:23 PMHmmm... I won't recommend doing that. Actions are meant to be a finite set of things you could do on a resource.
What are you trying to model here?
n
Nimit
11/04/2022, 2:30 PMhmm .. in that case im thinking maybe that relation needs to go into a database and not a policy
c
Charith (Cerbos)
11/04/2022, 2:33 PMYes, absolutely. If you need to check whether a particular principal has access to a particular customer account, you should do that lookup using your database. You can then issue a JWT that contains the set of customer accounts that principal has access to and inspect the JWT in your Cerbos policies when making access decisions to the resources belonging to customers.