Hari Krishna Sunkari 01/24/2023, 3:58 AM
• User has Roles like admin, viewer, etc.
• Resource Project has attribute
• Both users and resources are dynamic; even the value of locations is bound to change.
How to create Policies in Cerbos in such a way that
• User can only access the resource if User
has the resource location
• User's level of access is controlled by the role of the User
Can Cerbos also help with hierarchical access, like a manager/parent of a User can access all the data that a User can manage?
operator to check if any of the principal's allowed locations matches the resource’s location. Example playground here: Check how
This way, each time you send a request, Cerbos will evaluate based on the
and `Principal`’s attributes.
Regarding the roles, check how
behave differently based on the roles they have.
You can find all the other conditions you can use in policies here.
Re: Hierarchical access
Cerbos does not maintain your directory information. Every request is stateless. When you pass a user’s role in each request, Cerbos will make a decision based on what roles are sent as part of the principal. So, the relationship of the user and manager is managed by your application.
Hari Krishna Sunkari 01/24/2023, 10:01 AM