I am seeking guidance on the optimal approach for my multi-organization service. Each organization needs the ability to assign permissions to resources based on their unique ID.
For example, let’s say we have a resource named “Project A” with an ID of 123. When utilizing Cerbos, should I:
• Define the permitted IDs in my policies and then include the ID as an attribute of the resource being accessed when checking if access is allowed? So if the user wants to access “Project A” with ID 123, i will send to Cerbos the resource with an an attribute ID = 123
• Store in my database the relationships between the resource “Project A” (with ID 123) and the users who are authorized to access it?