Mark Piper
11/14/2022, 7:22 PM
EFFECT_ALLOW / DENY? Use case would be adding Cerbos on top of existing authorization logic.
e.g.: If Cerbos returns an answer, use it -- but if indeterminate, fall back to the existing logic (outside of Cerbos).

Steve High (NTWRK)
11/14/2022, 7:37 PM

Andrew Haines (Cerbos)
11/15/2022, 11:20 AM
view and view_with_fallback_logic, and pass both actions to your check resources request.
• You could set includeMeta: true on the check request and look for empty matchedPolicy in the result metadata, which would indicate an implicit rather than explicit deny (the caveat here is that you would have to write two rules for every action, one allow and one deny, in order to be able to tell whether you have an answer or an indeterminate result).
• You could do a plan rather than a check, which allows three-valued results (KIND_ALWAYS_ALLOWED, KIND_ALWAYS_DENIED, or KIND_CONDITIONAL); you could set it up so that you'll get a conditional result if you need to fall back to the existing logic.