Hello!
We are experimenting with Cerbos and wonde...
# helpc
Carl Bäckström
03/08/2023, 2:12 PMHello!
We are experimenting with Cerbos and wondering how one would go about enforcing specific permissions for an instance of a record rather than on the resource level.
I.E:
User1 has access to Document1 but not Document2
a
Alex Olivier (Cerbos)
03/08/2023, 2:15 PM
Hey,
In this case the Query Plan is the recommended approach. This produces a set of conditions that apply your policies in your data fetching layer.
https://cerbos.dev/blog/filtering-data-using-authorization-logic
https://docs.cerbos.dev/cerbos/latest/api/index.html#resources-query-plan
c
Carl Bäckström
03/08/2023, 3:52 PMTrying to enforce this with specific policies that would match on a resource principal pair is something I would assume is not recommended? 🙂
My thinking was that this could easily spiral out of control with amount of policies and heavily impact performance.
c
Charith (Cerbos)
03/08/2023, 5:09 PM
Hey, I wouldn't recommend individual policies for each resource instance. I think that in this case, you should probably store the instances the user has access to in your database and pass that list onto Cerbos as a principal attribute. Then you can either check that list in each rule or use a derived role rule to do that and refer to that in your policy rules.
Charith (Cerbos)
03/08/2023, 5:13 PM
If you're trying to implement something like an ACL system that could have thousands of entries for each principal, then instead of sending that list to Cerbos, it'd be better to do a pre-check in your application to make sure that the principal has access to that particular resource instance and then use Cerbos to enforce the other access rules. (E.g. your pre-check could determine that the principal is a
readerreaders12 Views