Ryan Killeen
03/01/2023, 10:30 PM
`config`. Config is made up of several different properties, with granular permissions. Imagine someone might have permission to view or edit all of the config, or may only have the ability to view or edit `config.branding`, or `config.someOtherResource`.
Currently our principal permissions are attribute-based, e.g. `["config:branding:*", "config:view"]`.
What would be an ideal way to author resource policies without a ton of repetition? Many actions on a single resource `config`? Separate resource policies for nested parts? Using scopes? Any guidance is appreciated, happy to provide more context and examples.

```yaml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  importDerivedRoles:
    - common_roles
  resource: "config:fields"
  rules:
    # Note: a Cerbos rule must also carry a `roles:` or `derivedRoles:` list
    # (e.g. one of the imported common_roles) to pass policy validation.
    - actions: ["*"]
      effect: EFFECT_ALLOW
      condition:
        match:
          # allow if the principal holds either the global or the sub-resource wildcard
          any:
            of:
              - expr: ("config:*" in P.attr.permissions)
              - expr: ("config:fields:*" in P.attr.permissions)
```
Charith (Cerbos)
03/02/2023, 10:37 AM
`config` and then defining hierarchical actions such as `config:branding:view` or `config:branding:edit` might be the easiest way to model it, because then you can use wildcards like `config:branding:*` or `config:*:view` to define rules for swathes of stuff.
There are some guidelines here that you might find helpful as well: https://docs.cerbos.dev/cerbos/latest/policies/best_practices.html
Ryan Killeen
03/02/2023, 3:41 PM
sdktr
03/22/2023, 11:33 PM
Charith (Cerbos)
03/23/2023, 3:14 PM