I'm new to Cerbos and trying to solve the below use...
# help
h
I'm new to Cerbos and trying to solve the below use-case:
• User has an attribute `locations`
• User has Roles like admin, viewer, etc.
• Resource Project has attribute `location`
• Both users and resources are dynamic, even the value of locations is bound to change.

How to create Policies in Cerbos in such a way that:
• User can only access the resource if User `locations` has the resource location
• User's level of access is controlled by the role of the User

Can Cerbos also help with Hierarchical access, like a manager/parent of a User can access all the data that a User can manage?

Thanks 🙏
e
Hi @Hari Krishna Sunkari

You can use the `in` operator to check if any of the principal's allowed locations matches the resource's location. Example playground here: Check how `Resource 1` and `Resource 2` behave differently. This way, each time you send a request, Cerbos will evaluate based on the `User` and `Principal`'s attributes.

Regarding the roles, check how `Principal 1` and `Principal 2` behave differently based on the roles they have. You can find all the other conditions you can use in policies here.

Re: Hierarchical access
Cerbos does not maintain your directory information. Every request is stateless. When you pass a user's role in each request, Cerbos will make a decision based on what roles are sent as part of the principal. So, the relationship of the user and manager are managed by your application.
h
cool, thanks @Emre (Cerbos)
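
The location check described in the answer above, written out as a Cerbos resource policy. This is an added example, not part of the original thread or the linked playground; the resource kind `project`, the action names `view`, `edit` and `delete`, and the assumption that `locations` is a list of strings are illustrative.

```yaml
# Added example (not from the thread): location-scoped access to projects.
# Assumed names: resource kind "project", actions "view"/"edit"/"delete".
# Assumed attribute shapes: principal attr "locations" is a list of strings,
# resource attr "location" is a single string.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "project"
  rules:
    # Both roles may read a project, but only inside their own locations.
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["viewer", "admin"]
      condition:
        match:
          # R = request.resource, P = request.principal
          expr: R.attr.location in P.attr.locations

    # The role decides the level of access: only admins may change or
    # remove a project, and still only inside their own locations.
    - actions: ["edit", "delete"]
      effect: EFFECT_ALLOW
      roles: ["admin"]
      condition:
        match:
          expr: R.attr.location in P.attr.locations

# Anything not matched by an ALLOW rule is denied, so a principal whose
# "locations" does not contain the project's "location" gets no access
# regardless of role.
#
# Constructed check request, for illustration:
#   principal: roles ["viewer"], attr.locations ["london", "paris"]
#   resource:  kind "project",   attr.location  "paris"
#   -> "view" is allowed; "edit" is denied (viewer role)
#   With attr.location "berlin" both actions are denied.
```

Because the condition is evaluated against the attributes sent with each request, changing a user's locations only requires the application to send the updated list; the policy itself stays the same.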