
sdktr

11/07/2022, 6:40 PM
Did you ever consider calculating ‘derived actions’ as well? Or should that be a responsibility of the app?

Charith (Cerbos)

11/07/2022, 7:01 PM
I am not sure whether I understood your question correctly. But, if your question is "why isn't there a concept of derived actions", then the answer is that we didn't think that there was a need for that, given that all actions are defined by the application anyway. It's different with roles because they are usually defined in a separate system (IdP) and don't have the level of granularity required for some access decisions.

sdktr

11/07/2022, 7:04 PM
Understood.
Are actions matched on a full string match only? Or is some regex in place? So actions ‘show_run’ can match the action ‘show_*’?

Charith (Cerbos)

11/07/2022, 7:10 PM
You can use wildcards to match actions in your policy rules. So, yes, if you write a rule like `show_*` it will match anything with the prefix `show_`. They also support hierarchical matching based on the `:` separator. So, `x:*:z` would match things like `x:foo:z`. https://docs.cerbos.dev/cerbos/latest/policies/authoring_tips.html

sdktr

11/07/2022, 7:17 PM
And what about ‘response attributes’? Can Cerbos send additional reply data besides ‘yes/no’?

Charith (Cerbos)

11/07/2022, 7:21 PM
Currently no. But, it's a popular request and we are giving it some thought.