Derived roles
---
apiVersion: "api.cerbos.dev/v1"
description: |-
Common dynamic roles used within the Apatr app
derivedRoles:
name: apatr_common_roles (1)
definitions:
- name: owner (2)
parentRoles: ["user"] (3)
condition: (4)
match:
expr: request.resource.attr.owner == request.principal.id
- name: abuse_moderator
parentRoles: ["moderator"]
condition:
match:
expr: request.resource.attr.flagged == true
1 | Name to use when importing this set of derived roles. |
2 | Descriptive name for this derived role. |
3 | The static roles (from the identity provider) to which this derived role applies to. |
4 | An (optional) set of expressions that should evaluate to true for this role to activate. |