# help
j
In the page for best practices (https://docs.cerbos.dev/cerbos/latest/policies/best_practices.html) I don't see a recommendation to design Resource-led policies. May I know why? I use JWT tokens extensively in the company, and we are a data-driven company. I find the resource-led approach works better. Are there some pitfalls I am not seeing?
e
Hi Jesum, thank you very much for pointing that out. We have not updated that page in a while, will do so shortly. In the meantime, please check out this blog post where you can see many examples. https://cerbos.dev/blog/mapping-business-requirements-to-authorization-policy
s
Hi Jesum! Thanks for raising. I’m not completely clear on what you mean by a resource-led approach in this sense. When you get a chance, could you provide an example of how you’re approaching it? Then I can build the example around that 👌
j
It's not very different from the examples in the best practices URL. I have multiple YAML policies that look a bit like this:
```yaml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  # one policy per dataset: this one guards the "attack_patterns" data
  resource: "attack_patterns"
  version: "production"
  rules:
    - actions:
        - "read"
      effect: EFFECT_ALLOW
      # any role may read, as long as the JWT conditions below hold
      roles: ["*"]
      condition:
        match:
          all:
            of:
              # the token must carry an audience claim...
              - expr: has(request.aux_data.jwt.aud)
              # ...and that audience must include our custom value
              - expr: >
                  "my.custom.audience" in request.aux_data.jwt.aud
```
So the roles aren't really important at this stage since I'm focused on the data. The policy above limits access to a very wide net (by `aud`). That can be further refined with the addition of roles and actions. However, the key is the YAMLs I write are a 1:1 mapping of a policy to a dataset.
s
This is super helpful, thank you very much