https://cerbos.dev logo
#help
Title
# help
g

Guillaume Picard

03/10/2023, 11:55 AM
Hey, is it possible (or idiomatic) to define what a role has access to, using principal policies, as opposed as to specifying this for each resources? Eg instead of creating a
pots.yml, pans.yml, knives.yml
and then define what the roles can do in each of the resource policies. you would create
cook.yml
and define what the role
cook
can do inside that single file for all resources
pots, pans, knives
? I guess you could have resource policies named
cook_pans.yml
,
cook_knives.yml
, but just want to ask if there’s a good pattern. Thanks
a

Andrew Haines (Cerbos)

03/10/2023, 12:12 PM
Hi Guillaume! Principal policies only affect an individual principal (by ID) rather than all principals who have a given role, so I'm afraid that wouldn't work. Cerbos always models policies as resource-oriented. You can structure resource policies around roles rather than actions if you prefer, though (see the docs on action-led vs role-led policy modelling). In your example, that would mean you need to have a single
knives.yaml
handling all the roles, but internally that could be structured as a role-led policy so that the list of actions that can be performed by the
cook
role are grouped together.
2 Views