Did you ever consider calculating ‘derived actions...
# help
s
Did you ever consider calculating ‘derived actions’ as well? Or should that be a responsibility of the app?
c
I am not sure whether I understood your question correctly. But, if your question is "why isn't there a concept of derived actions", then the answer is that we didn't think that there was a need for that, given that all actions are defined by the application anyway. It's different with roles because they are usually defined in a separate system (IdP) and don't have the level of granularity required for some access decisions.
s
Understood.
Are actions matched on a full string match only? Or is some regex in place? So the action ‘show_run’ can match the action ‘show_*’?
c
You can use wildcards to match actions in your policy rules. So, yes, if you write a rule like `show_*` it will match anything with the prefix `show_`. They also support hierarchical matching based on the `:` separator. So, `x:*:z` would match things like `x:foo:z`. https://docs.cerbos.dev/cerbos/latest/policies/authoring_tips.html
s
And what about ‘response attributes’? Can Cerbos send additional reply data besides ‘yes/no’?
c
Currently no. But, it's a popular request and we are giving it some thought.