Resource policies
---
apiVersion: api.cerbos.dev/v1
variables: (1)
is_corporate_network: |-
P.attr.ip_address.inIPAddrRange("10.20.0.0/16")
resourcePolicy:
version: "default" (2)
importDerivedRoles:
- apatr_common_roles (3)
resource: "album:object" (4)
rules:
- actions: ['*'] (5)
effect: EFFECT_ALLOW
derivedRoles:
- owner (6)
- actions: ['view']
effect: EFFECT_ALLOW
roles:
- user (7)
condition:
match:
expr: request.resource.attr.public == true
- name: moderator_rule (8)
actions: ['view', 'delete']
effect: EFFECT_ALLOW
condition:
match:
expr: V.is_corporate_network
derivedRoles:
- abuse_moderator| 1 | Optional variables section. Each variable is evaluated before any rule condition. A variable expression can contain anything that condition expression can have. |
| 2 | Version of this policy. Policies are uniquely identified by the resource name and version pair. You can have multiple policy versions for the same resource (e.g. production vs. staging). The version value default is special as it is the default fallback when no version is specified in the request. |
| 3 | Import a set of derived roles. |
| 4 | Name of the resource to which this policy applies. |
| 5 | Actions can contain wildcards. Wildcards honour the : delimiter. E.g. a:*:d would match a:x:d but not a:x. |
| 6 | This rule applies to a derived role. |
| 7 | Rules can also refer directly to static roles. |
| 8 | Optional name for the rule. |