Did you ever consider calculating derived actions as well Or

Question

Did you ever consider calculating derived actions as well Or should that be a responsibility of the app

Charith (Cerbos) · Answer

I am not sure whether I understood your question correctly But if your question is why isn t there a concept of derived actions then the answer is that we didn t think that there was a need for that given that all actions are defined by the application anyway It s different with roles because they are usually defined in a separate system IdP and don t have the level of granularity required for some access decisions

sdktr · Answer

Understood

sdktr · Answer

Are actions matched on a full string match only Or is some regex in place So actions show run can match the action show

Charith (Cerbos) · Answer

You can use wildcards to match actions in your policy rules So yes if you write a rule like `show ` it will match anything with the prefix `show ` They also support hierarchical matching based on the ` ` separator So `x z` would match things like `x foo z` <https docs cerbos dev cerbos latest policies authoring tips html|https docs cerbos dev cerbos latest policies authoring tips html>

sdktr · Answer

And what about response attributes Can Cerbos send additional reply data besides yes no

Charith (Cerbos) · Answer

Currently no But it s a popular request and we are giving it some thought