Resource policies

Resource policies define rules for actions that can be performed on a given resource. A resource is an application-specific concept that applies to anything that requires access rules. For example, in an HR application, a resource can be as coarse-grained as a full employee record or as fine-grained as a single field in the record.

---
apiVersion: api.cerbos.dev/v1
variables: (1)
  is_corporate_network: |-
    P.attr.ip_address.inIPAddrRange("10.20.0.0/16")
resourcePolicy:
  version: "default" (2)
  scope: "acme.corp" (3)
  importDerivedRoles:
    - apatr_common_roles (4)
  resource: "album:object"  (5)
  rules:
    - actions: ['*'] (6)
      effect: EFFECT_ALLOW
      derivedRoles:
        - owner (7)

    - actions: ['view']
      effect: EFFECT_ALLOW
      roles:
        - user (8)
      condition:
        match:
          expr: request.resource.attr.public == true

    - name: moderator_rule (9)
      actions: ['view', 'delete']
      effect: EFFECT_ALLOW
      condition:
        match:
          expr: V.is_corporate_network
      derivedRoles:
        - abuse_moderator
  schemas: (10)
    principalSchema:
      ref: cerbos:///principal.json (11)
    resourceSchema:
      ref: cerbos:///album/object.json (12)
1 Optional variables section. Each variable is evaluated before any rule condition. A variable expression can contain anything that condition expression can have.
2 Version of this policy. Policies are uniquely identified by the resource name and version pair. You can have multiple policy versions for the same resource (e.g. production vs. staging). The version value default is special as it is the default fallback when no version is specified in the request.
3 Optional scope for this policy. See Scoped Policies.
4 Import a set of derived roles.
5 Name of the resource to which this policy applies.
6 Actions can contain wildcards. Wildcards honour the : delimiter. E.g. a:*:d would match a:x:d but not a:x.
7 This rule applies to a derived role.
8 Rules can also refer directly to static roles. The special value * can be used to disregard roles when evaluating the rule.
9 Optional name for the rule.
10 Optional section for defining schemas that apply to this resource kind.
11 Optional schema for validating the principal attributes.
12 Optional schema for validating the resource attributes.