Cerbos policies
There are five kinds of Cerbos policies:
- Derived roles
-
Traditional RBAC roles are usually broad groupings with no context awareness. Derived roles are a way of augmenting those broad roles with contextual data to provide more fine-grained control at runtime. For example, a person with the broad
managerrole can be augmented tomanager_of_scranton_branchby taking into account the geographic location (or another factor) and giving that derived role bearer extra privileges on resources that belong to the Scranton branch. - Resource policies
-
Defines rules for actions that can be performed on a given resource. A resource is an application-specific concept that applies to anything that requires access rules. For example, in an HR application, a resource can be as coarse-grained as a full employee record or as fine-grained as a single field in the record.
- Principal policies
-
Defines overrides for a specific user.
- Role policies
-
Define rules specific to a given role. Rules are defined as a list of permissible actions that apply to a particular resource. Role policies are evaluated before resource policies but don’t guarantee an
ALLOWin the case of a matching rule — resource policies must also resolve to anALLOWfor the same request. See the dedicated role policy documentation for more details. - Exported variables
-
Defines variables to be reused in condition expressions in other policies.
Policies are evaluated based on the metadata passed in the request to the Cerbos PDP. See Cerbos API for more information.
View the latest documentation and example requests by accessing a running Cerbos instance using a browser (http://localhost:3592/). The OpenAPI (Swagger) schema can be obtained by accessing /schema/swagger.json as well.
|