Robert den Harink
02/08/2023, 8:35 PM
Group A, it owns all lower groups/resources. So in the example, it also has an ownership role of Group B, Group C, Resource 1 and Resource 2.
We currently use Authzed as a relational permission system. But we are investigating other solutions because we want attribute-based permissions in the near future and came across Cerbos!
I’m aware of the hierarchy functions, but we’re struggling with the correct way to represent the above. Could someone point us in the right direction?

Charith (Cerbos)
02/09/2023, 8:04 AM
Group A > Group B > Group C. In the request to Cerbos, the principal (Alice) would have the attributes editor: ["A.B"] and owner: ["D"] while the resource (X) would have member_of: "A.B.C". A Cerbos policy rule could then infer that Alice is an editor of X because there exists a value in request.principal.attr.editor that is an ancestorOf the request.resource.attr.member_of attribute.
Now, if your system has unlimited, dynamically created hierarchies, doing the above is probably not very practical. Since you're already using a Zanzibar system (Authzed), it makes sense to resolve those relationships using that because it is optimized for solving that particular problem. Where Cerbos fits in is at the last stage after the relationships are established. Sure, the user is an editor of the resource. But, are they editing the resource from a trusted network? Are they accessing the resource during working hours? Are they trying to edit a resource that is classified as sensitive? This sort of attribute-driven, contextual decision making is what Cerbos is excellent at. Those kinds of decisions are hard/impossible to model with Zanzibar alone. There's a good synergy between Zanzibar-based systems and Cerbos because they complement each other in areas that they are not strong in. So, it doesn't have to be an either/or decision. It could be both.

Robert den Harink
02/09/2023, 9:37 AM

Charith (Cerbos)
02/09/2023, 11:11 AM

Robert den Harink
02/09/2023, 12:05 PM

Charith (Cerbos)
02/09/2023, 12:13 PM

Robert den Harink
02/09/2023, 12:14 PM