Glossary of Cerbos terms
This documentation is for an as-yet unreleased version of Cerbos. Choose 0.40.0 from the version picker at the top right or navigate to https://docs.cerbos.dev for the latest version. |
- ACTION
-
Any application-defined operation that could be performed on a
RESOURCE
. Actions could be coarse-grained likecreate
,update
,delete
,view
or fine-grained likeview:public
,update:invoice_amt
. What actions are possible is determined by the application developers and they can use Cerbos policies to define the rules that must be satisfied in order for a givenPRINCIPAL
to perform one of those actions on aRESOURCE INSTANCE
. - ATTRIBUTE
-
A piece of information about a
PRINCIPAL
or aRESOURCE INSTANCE
that is useful for making an access decision. Cerbos is stateless and has no access to your application data. In order to make access decisions, Cerbos needs to know relevant information about the users and the objects they are trying to access. This information is sent asattributes
in the Cerbos API request. For example, if you want to restrict users from a particular geography to access only objects from that same geography, you might define a Cerbos rule condition likerequest.resource.attr.geography == request.principal.attr.geography
. Then, in the Cerbos API request, you must send thegeography
attribute (as determined by your application) for both the principal and the resource instance. - CONDITION
-
Cerbos policy rules can make dynamic, context-aware decisions by evaluating conditional logic against the
ATTRIBUTES
sent through the API request. See Conditions for details. - DERIVED ROLE
-
Most applications have a statically defined set of roles such as
admin
,writer
,employee
and so on. Cerbos derived roles are a feature in which these static roles can be dynamically augmented with context-awareness. For example, someone with theemployee
role can be augmented tous_employee
by checking whether their location is in the USA. Cerbos policies can then be written to target theus_employee
derived role instead of theemployee
role — which removes repetition of logic across policy files. See Derived roles for details. - PDP
-
Policy decision point. Essentially, where policies are executed and decisions are made. When you start a Cerbos server through one of the distribution artefacts (binary, container, Helm chart), you start a PDP.
- PRINCIPAL
-
A human or an automated process that wants to perform one or more
ACTIONS
on one or moreRESOURCE INSTANCES
. Typically called a "user" in most settings but Cerbos uses the termPrincipal
to avoid any ambiguity about whether the user is human or not. You can create principal policies to create exceptions for particular users. - RESOURCE
-
A kind or a category of application objects with similar characteristics. The concept is very similar to a
class
in object-oriented programming. For example, in an inventory system,Invoice
is a resource. Your system might have thousands or millions of invoices (RESOURCE INSTANCES
: similar toobjects
in object-oriented programming) but there would only be a single Cerbos resource policy forInvoice
which encodes all the access rules.Sometimes the term resource
is used to refer to aRESOURCE INSTANCE
when the meaning is obvious from the context (the API request fields are a good example of this). - RESOURCE INSTANCE
-
A specific item of a
RESOURCE
kind. If aRESOURCE
is aclass
, aRESOURCE INSTANCE
is anobject
of that class. For example, an invoice that was issued to "Acme Corp." with ID "I23456" is aRESOURCE INSTANCE
. When making access decisions using Cerbos, you need to send information about the resource instances to the CerbosCheckResources
API endpoint. The CerbosPDP
would then use the appropriate resource policy (determined by thekind
specified in the resource instance) to process the information and make an access decision.