Derived roles

Traditional RBAC roles are usually broad groupings with no context awareness. Derived roles are a way of augmenting those broad roles with contextual data to provide more fine-grained control at runtime. For example, a person with the broad manager role can be augmented to manager_of_scranton_branch by taking into account the geographic location (or another factor) and giving that derived role bearer extra privileges on resources that belong to the Scranton branch.

apiVersion: ""
description: |-
  Common dynamic roles used within the Apatr app
variables: (1)
  flagged_resource: request.resource.attr.flagged
  name: apatr_common_roles (2)
    - name: owner (3)
      parentRoles: ["user"] (4)
      condition: (5)
          expr: request.resource.attr.owner ==

    - name: abuse_moderator
      parentRoles: ["moderator"]
          expr: V.flagged_resource == true
1 Optional variables section. Each variable is evaluated before any rule condition. A variable expression can contain anything that condition expression can have.
2 Name to use when importing this set of derived roles.
3 Descriptive name for this derived role.
4 The static roles (from the identity provider) to which this derived role applies to.
5 An (optional) set of expressions that should evaluate to true for this role to activate.