Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage.

Cerbos Community

Hey, is it possible (or idiomatic) to define what a role has access to, using principal policies, as opposed as to specifying this for each resources?

Eg instead of creating a `pots.yml, pans.yml, knives.yml` and then define what the roles can do in each of the resource policies.
you would create `cook.yml` and define what the role `cook` can do inside that single file for all resources `pots, pans, knives` ?

I guess you could have resource policies named `cook_pans.yml` , `cook_knives.yml` , but just want to ask if there’s a good pattern.

Thanks

Hi Guillaume! Principal policies only affect an individual principal (by ID) rather than all principals who have a given role, so I'm afraid that wouldn't work.

Cerbos always models policies as resource-oriented. You can structure resource policies around roles rather than actions if you prefer, though (see the docs on <https://docs.cerbos.dev/cerbos/latest/policies/best_practices.html#_modelling_policies|action-led vs role-led policy modelling>).

In your example, that would mean you need to have a single `knives.yaml` handling all the roles, but internally that could be structured as a role-led policy so that the list of actions that can be performed by the `cook` role are grouped together.