Nimit
11/28/2022, 3:00 PM
{
  "apiVersion": "api.cerbos.dev/v1",
  "resourcePolicy": {
    "resource": "crm_prospects",
    "version": "default",
    "importDerivedRoles": [
      "sales-i-roles"
    ],
    "rules": [
      {
        "actions": [
          "VIEW"
        ],
        "roles": [
          "poweruser"
        ],
        "effect": "EFFECT_ALLOW"
      },
      {
        "actions": [
          "VIEW"
        ],
        "roles": [
          "restricted-user"
        ],
        "effect": "EFFECT_DENY"
      }
    ],
    "scope": "TENANT-00101581-3dd4-40b8-a2e3-175624586f85"
  }
}
Policy2:
{
  "apiVersion": "api.cerbos.dev/v1",
  "resourcePolicy": {
    "resource": "crm_prospects",
    "version": "default",
    "importDerivedRoles": [
      "sales-i-roles"
    ],
    "rules": [
      {
        "actions": [
          "VIEW"
        ],
        "roles": [
          "poweruser"
        ],
        "effect": "EFFECT_ALLOW"
      },
      {
        "actions": [
          "VIEW"
        ],
        "derivedRoles": [
          "nimit-restrict"
        ],
        "effect": "EFFECT_ALLOW"
      }
    ],
    "scope": "TENANT-00101581-3dd4-40b8-a2e3-175624586f85"
  }
}
Derived Role:
{
  "apiVersion": "api.cerbos.dev/v1",
  "derivedRoles": {
    "name": "sales-i-roles",
    "definitions": [
      {
        "name": "nimit-restrict",
        "parentRoles": [
          "restricted-user"
        ],
        "condition": {
          "match": {
            "any": {
              "of": [
                {
                  "expr": "R.attr.createdByID == P.attr.subjectid"
                },
                {
                  "expr": "R.attr.updatedByID == P.attr.subjectid"
                }
              ]
            }
          }
        }
      }
    ]
  }
}
Charith (Cerbos)
DENY rules. So isn't it working as expected or am I missing something?
Nimit
11/28/2022, 3:08 PM
Nimit
11/28/2022, 3:09 PM
Charith (Cerbos)
Nimit
11/28/2022, 3:11 PM
Charith (Cerbos)
Nimit
11/28/2022, 3:12 PM
Nimit
11/28/2022, 8:01 PM
Nimit
11/28/2022, 8:09 PM
Charith (Cerbos)
Nimit
11/29/2022, 9:45 AM
Charith (Cerbos)
cat <<EOF | curl --silent "http://localhost:3592/api/plan/resources?pretty" -d @-
{
  "requestId": "query-plan",
  "resource": {
    "kind": "crm_prospects"
  },
  "principal": {
    "id": "foo",
    "roles": [
      "poweruser",
      "restricted-user"
    ],
    "attr": {
      "subjectid": "bar"
    }
  },
  "action": "VIEW",
  "includeMeta": true
}
EOF
{
  "requestId": "query-plan",
  "action": "VIEW",
  "resourceKind": "crm_prospects",
  "filter": {
    "kind": "KIND_CONDITIONAL",
    "condition": {
      "expression": {
        "operator": "not",
        "operands": [
          {
            "expression": {
              "operator": "or",
              "operands": [
                {
                  "expression": {
                    "operator": "eq",
                    "operands": [
                      {
                        "variable": "request.resource.attr.createdByID"
                      },
                      {
                        "value": "bar"
                      }
                    ]
                  }
                },
                {
                  "expression": {
                    "operator": "eq",
                    "operands": [
                      {
                        "variable": "request.resource.attr.updatedByID"
                      },
                      {
                        "value": "bar"
                      }
                    ]
                  }
                }
              ]
            }
          }
        ]
      }
    }
  },
  "meta": {
    "filterDebug": "(not (or (eq request.resource.attr.createdByID \"bar\") (eq request.resource.attr.updatedByID \"bar\")))"
  }
}
Charith (Cerbos)
Nimit
11/29/2022, 12:07 PM
Nimit
11/29/2022, 12:08 PM
Charith (Cerbos)
poweruser access, the plan would be unconditional as well.
Nimit
11/29/2022, 12:12 PM
Charith (Cerbos)
Nimit
11/30/2022, 3:55 PM
Charith (Cerbos)
Nimit
11/30/2022, 4:08 PM
Charith (Cerbos)
Nimit
11/30/2022, 4:21 PM