I am seeking guidance on the optimal approach for my multi-organization service. Each organization needs the ability to assign permissions to resources based on their unique ID.
For example, let’s say we have a resource named “Project A” with an ID of 123. When utilizing Cerbos, should I:
• Define the permitted IDs in my policies and then include the ID as an attribute of the resource being accessed when checking if access is allowed? So if the user wants to access “Project A” with ID 123, I will send to Cerbos the resource with an attribute ID = 123.
• Store in my database the relationships between the resource “Project A” (with ID 123) and the users who are authorized to access it?
02/13/2023, 7:42 AM
Hi. If you want to control access to individual resource instances (rather than a whole group), it definitely makes sense to store the users who have access to the object in your database and do a "pre-check" to make sure they have access. Then, use Cerbos to make sure that they satisfy the other conditions required for access.