Ivano
12/21/2022, 12:03 PM
Charith (Cerbos)
12/21/2022, 2:08 PM
cerbosctl CLI can also be used for that purpose. If you need more advanced things, probably best to schedule a call with us so that we can understand your requirements and give you some personalised advice.
In terms of preventing logic errors introduced by users authoring policies, that's a tough problem. That's one of the reasons why we advocate the GitOps model for most users because that could at least catch some of those bugs. Presumably, in a SaaS setting, you don't want to go through that manual review process. Cerbos tools can help you catch syntax errors and bad data but, as you can probably appreciate, it's nearly impossible for any tool to prevent someone from creating a logic error.
Cerbos scoped policies can give you some guard rails by providing a base set of rules you can enforce on your resources. You could also use tests to ensure that your absolute invariants don't change. Other than that, the only other thing I can think of is having a custom UI that restricts what kind of rules users could construct (e.g. write permission can only be applied to resources X, Y and Z).
Hope that helps.
Ivano
12/22/2022, 7:48 AM
Charith (Cerbos)
12/22/2022, 8:32 AM