ask for cerbos help of an article collaboration management system: https://github.com/issuebox/cerbos-discuss/blob/main/ask-for-cerbos-help.md

Hi. Thanks for the detailed spec. Off the top of my head, I think you might be able to use scoped policies to model this. Please have a look at that. I am away from my computer right now. I'll take a better look when I am back and try to give you a few more tips if possible.

Thanks @Charith (Cerbos) Let me implement some simple code first.

Hi. I see you have made some good progress 👍 I read your problem statement and if I understood it correctly, you have a finite set of organizations and channels that a user can belong to. In that case, when a user first logs in, you can issue them a JWT that contains that small set of organizations and channels that person has access to and then reference those in the policy rules. For example, say your JWT contains the following claims:

orgs: ["org_a", "org_b"]
channels: ["chan_x", "chan_y", "chan_z"]

and, in your request, you include the organization, channel and author of the resource:

{
  "resource": {
    "id": "XX125",
    "kind": "article",
    "attr": {
      "organization": "org_a",
      "channel": "chan_x",
      "author": "user_p"
    }
  }
}

You can define a derived role for

channel_editor

as follows:

- name: channel_editor 
  parentRoles: ["chan_editor"] 
  condition: 
    match:
      all:
        of:
          - expr: request.resource.attr.organization in request.aux_data.jwt.orgs
          - expr: request.resource.attr.channel in request.aux_data.jwt.channels

Then you can define a policy rule for article

edit

as follows:

- actions: ['edit']
  effect: EFFECT_ALLOW
  derivedRoles:
    - channel_editor 
  condition:
    match:
      expr: request.resource.attr.author == request.principal.id

Thanks @Charith (Cerbos). This is a good idea. but I have a little doubt: Suppose there is a userB, when he login, he is not in the channelA. After ten minutes(for instance), the channelA's owner join him into channelA, and set him to a admin role. How to update the userB's JWT data in this case?

Ah, if the memberships change during a session, then instead of the JWT you might have to use the principal attributes section to send the organization and channel memberships. That way they are always up-to-date.