Jesum Yip

02/07/2023, 2:02 AM
btw is it intentional that derived roles cannot have a
tag attached to it?
would be nice to have that because then i can have a set of derived roles that follow the resource policy and principal policy versions.

Charith (Cerbos)

02/07/2023, 8:50 AM
Yeah, they are intentionally not versioned because they are used to augment identity (which is not usually versioned) and meant to be shared by importing into other policies. If they had a version component, the system would become quite complicated to reason about because of the added dimension. The version field in policies was originally intended to be used as a way of distinguishing between environments like dev, staging, prod etc. Typically you'd have the same set of roles in all environments but what they can do in each environment is different.