Hey is it possible or idiomatic to define what a role has ac

Question

Hey is it possible or idiomatic to define what a role has access to using principal policies as opposed as to specifying this for each resources Eg instead of creating a `pots yml pans yml knives yml` and then define what the roles can do in each of the resource policies you would create `cook yml` and define what the role `cook` can do inside that single file for all resources `pots pans knives` I guess you could have resource policies named `cook pans yml` `cook knives yml` but just want to ask if there s a good pattern Thanks

Andrew Haines (Cerbos) · Answer

Hi Guillaume Principal policies only affect an individual principal by ID rather than all principals who have a given role so I m afraid that wouldn t work Cerbos always models policies as resource oriented You can structure resource policies around roles rather than actions if you prefer though see the docs on <https docs cerbos dev cerbos latest policies best practices html modelling policies|action led vs role led policy modelling> In your example that would mean you need to have a single `knives yaml` handling all the roles but internally that could be structured as a role led policy so that the list of actions that can be performed by the `cook` role are grouped together