Carl Bäckström

03/08/2023, 2:12 PM
Hello! We are experimenting with Cerbos and wondering how one would go about enforcing specific permissions for an instance of a record rather than on the resource level, i.e. User1 has access to Document1 but not Document2.

Alex Olivier (Cerbos)

03/08/2023, 2:15 PM
Hey, in this case the Query Plan is the recommended approach. This produces a set of conditions that apply your policies in your data fetching layer.

Carl Bäckström

03/08/2023, 3:52 PM
Trying to enforce this with specific policies that would match on a resource/principal pair is something I would assume is not recommended? 🙂 My thinking was that this could easily spiral out of control with the number of policies and heavily impact performance.

Charith (Cerbos)

03/08/2023, 5:09 PM
Hey, I wouldn't recommend individual policies for each resource instance. I think that in this case, you should probably store the instances the user has access to in your database and pass that list on to Cerbos as a principal attribute. Then you can either check that list in each rule or use a derived role rule to do that and refer to that in your policy rules.
If you're trying to implement something like an ACL system that could have thousands of entries for each principal, then instead of sending that list to Cerbos, it'd be better to do a pre-check in your application to make sure that the principal has access to that particular resource instance and then use Cerbos to enforce the other access rules. (E.g. your pre-check could determine that the principal is a  of the resource. Pass that information on to Cerbos to enforce the access restrictions that  should have.)