https://cerbos.dev logo
#help
Title
# help
j

Jesum Yip

01/17/2023, 8:12 AM
In the page for best practices (https://docs.cerbos.dev/cerbos/latest/policies/best_practices.html) I don't see a recommendation to design Resource-led policies. May I know why? I use JWT tokens extensively in the company, and we are a data-driven company. I find the resource-led approach works better. Are there some pitfalls I am not seeing?
e

Emre (Cerbos)

01/17/2023, 8:36 AM
Hi Jesum, thank you very much for pointing that out. We have not updated that page in a while, will do so shortly. In the mean time, please check out this blog post where you can see many examples. https://cerbos.dev/blog/mapping-business-requirements-to-authorization-policy
s

Sam Lock (Cerbos)

01/17/2023, 10:24 AM
Hi Jesum! Thanks for raising. I’m not completely clear on what you mean by a resource-led approach in this sense. When you get a chance, could you provide an example of how you’re approaching it? Then I can build the example around that 👌
j

Jesum Yip

01/18/2023, 1:11 AM
it's not very different from the examples in the best practices URL. i have multiple YAML policies that look a bit like this:
Copy code
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: "attack_patterns"
  version: "production"
  rules:
    - actions:
        - "read"
      effect: EFFECT_ALLOW
      roles: ["*"]
      condition:
        match:
          all:
            of:
              - expr: has(request.aux_data.jwt.aud)
              - expr: >
                  "my.custom.audience" in request.aux_data.jwt.aud
so the roles aren't really important at this stage since i'm focused on the data. the policy above limits access to a very wide net (by
aud
). that can be further refined with the addition of roles and actions. however, the key is the YAMLs i write are a 1:1 mapping of a policy to a dataset.
s

Sam Lock (Cerbos)

01/19/2023, 11:33 AM
This is super helpful, thank you very much
7 Views