Hari Krishna Sunkari
01/24/2023, 3:58 AM
locations
• User has Roles like admin, viewer, etc.
• Resource Project has attribute location
• Both users and resources are dynamic, even the value of locations is bound to change.
How to create Policies in Cerbos in such a way that
• User can only access the resource if User locations has the resource location
• User's level of access is controlled by the role of the User
Can Cerbos also help with hierarchical access, like a manager/parent of a User can access all the data that a User can manage?
Thanks 🙏
Emre (Cerbos)
01/24/2023, 8:49 AM
`in` operator to check if any of the principal’s allowed locations matches the resource’s location. Example playground here: Check how Resource 1 and Resource 2 behave differently.
This way, each time you send a request, Cerbos will evaluate based on the User and `Principal`’s attributes.
Regarding the roles, check how Principal 1 and Principal 2 behave differently based on the roles they have.
You can find all the other conditions you can use in policies here.
Re: Hierarchical access
Cerbos does not maintain your directory information. Every request is stateless. When you pass a user’s role in each request, Cerbos will make a decision based on what roles are sent as part of the principal. So, the relationship of the user and manager is managed by your application.
Hari Krishna Sunkari
01/24/2023, 10:01 AM