Hey, is it possible (or idiomatic) to define what ...
# help
Hey, is it possible (or idiomatic) to define what a role has access to using principal policies, as opposed to specifying this for each resource? E.g. instead of creating a
pots.yml, pans.yml, knives.yml
and then defining what the roles can do in each of the resource policies, you would create
and define what the role
can do inside that single file for all resources
pots, pans, knives
? I guess you could have resource policies named
, but I just want to ask if there's a good pattern. Thanks
Hi Guillaume! Principal policies only affect an individual principal (by ID) rather than all principals who have a given role, so I'm afraid that wouldn't work. Cerbos always models policies as resource-oriented. You can structure resource policies around roles rather than actions if you prefer, though (see the docs on action-led vs role-led policy modelling). In your example, that would mean you need to have a single
handling all the roles, but internally that could be structured as a role-led policy so that the list of actions that can be performed by the
role is grouped together.
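To illustrate the action-led vs role-led contrast from the reply above, here is an added example (not code from the thread or from the Cerbos project) using two of the resources from the question. The resource names `pot` and `pan`, the roles `chef` and `dishwasher`, and the actions are all assumptions chosen for the illustration; the two policies describe different resources so they could be loaded side by side without conflicting. In both shapes, any request that matches no rule is denied, so each file should list only the actions a role genuinely needs:

```yaml
# Action-led shape (one rule per action, listing the roles allowed to do it).
# Assumed resource name, roles and actions; constructed for this example.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "pot"
  rules:
    - actions: ["use"]
      effect: EFFECT_ALLOW
      roles: ["chef", "dishwasher"]
    - actions: ["clean"]
      effect: EFFECT_ALLOW
      roles: ["dishwasher"]
    - actions: ["discard"]
      effect: EFFECT_ALLOW
      roles: ["chef"]
---
# Role-led shape (one rule per role, grouping every action that role may perform).
# Same idea as above, applied to a second assumed resource so the two can coexist.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "pan"
  rules:
    # Everything the chef role can do with a pan, in one place.
    - actions: ["use", "discard"]
      effect: EFFECT_ALLOW
      roles: ["chef"]
    # Everything the dishwasher role can do with a pan, in one place.
    - actions: ["use", "clean"]
      effect: EFFECT_ALLOW
      roles: ["dishwasher"]
    # No rule grants "discard" to dishwasher, so that request is denied by default.
```

The role-led shape answers the question's concern: a reviewer auditing what a given role may do opens the resource file and reads a single rule, rather than scanning every action-keyed rule for that role's name. It is still one resource policy per resource, as the reply notes, so `pots`, `pans` and `knives` remain separate files.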