Derived roles
Traditional RBAC roles are usually broad groupings with no context awareness. Derived roles are a way of augmenting those broad roles with contextual data to provide more fine-grained control at runtime. For example, a person with the broad manager role can be augmented to manager_of_scranton_branch by taking into account the geographic location (or another factor) and giving that derived role bearer extra privileges on resources that belong to the Scranton branch.
---
apiVersion: "api.cerbos.dev/v1"
description: |-
  Common dynamic roles used within the Apatr app
variables: # (1)
  flagged_resource: request.resource.attr.flagged
derivedRoles:
  name: apatr_common_roles # (2)
  definitions:
    - name: owner # (3)
      parentRoles: ["user"] # (4)
      condition: # (5)
        match:
          expr: request.resource.attr.owner == request.principal.id
    - name: abuse_moderator
      parentRoles: ["moderator"]
      condition:
        match:
          expr: V.flagged_resource == true
(1) Optional variables section. Each variable is evaluated before any rule condition. A variable expression can contain anything that a condition expression can contain.
(2) Name to use when importing this set of derived roles.
(3) Descriptive name for this derived role.
(4) The static roles (from the identity provider) to which this derived role applies. The special value * can be used to match any role.
(5) An optional set of expressions that should evaluate to true for this role to activate.
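To make the activation rules concrete, here is an added model of how the apatr_common_roles definitions above resolve at request time. This is illustrative code, not the Cerbos engine: the CEL expressions are stood in for by Python predicates, the Request shape is constructed, and the point it shows is that a derived role activates only when the principal already holds one of the parentRoles (or the parent is *) and the condition is true, with variables computed once beforehand.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed request shape, mirroring the request.principal / request.resource
# fields that the page's expressions reference.
@dataclass
class Request:
    principal_id: str
    principal_roles: Set[str]
    resource_attr: Dict[str, object] = field(default_factory=dict)

# A condition stands in for the policy's CEL expr; V holds the pre-evaluated
# variables, as in the page's `V.flagged_resource`.
Condition = Callable[[Request, Dict[str, object]], bool]

@dataclass
class DerivedRole:
    name: str
    parent_roles: Set[str]
    condition: Condition = lambda req, V: True  # no condition: always activates

# The page's variables section, transcribed into this model (hypothetical code).
VARIABLES = {
    "flagged_resource": lambda req: req.resource_attr.get("flagged"),
}

# The page's two definitions: owner and abuse_moderator.
DEFINITIONS: List[DerivedRole] = [
    DerivedRole("owner", {"user"},
                lambda req, V: req.resource_attr.get("owner") == req.principal_id),
    DerivedRole("abuse_moderator", {"moderator"},
                lambda req, V: V["flagged_resource"] is True),
]

def evaluate_derived_roles(req: Request, definitions=DEFINITIONS, variables=VARIABLES) -> Set[str]:
    """Return the names of the derived roles that activate for this request."""
    # Variables are evaluated once, before any rule condition is checked.
    V = {name: fn(req) for name, fn in variables.items()}
    active: Set[str] = set()
    for d in definitions:
        # Parent-role gate: the principal must hold one of the static roles,
        # unless the definition uses the wildcard "*".
        if "*" not in d.parent_roles and not (d.parent_roles & req.principal_roles):
            continue
        if d.condition(req, V):
            active.add(d.name)
    return active
```

A principal whose static roles do not include the parent role never receives the derived role, even when the condition holds; that gate is what keeps a flagged resource from granting moderator privileges to an ordinary user.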