Derived roles
This documentation is for an as-yet unreleased version of Cerbos. Choose 0.39.0 from the version picker at the top right or navigate to https://docs.cerbos.dev for the latest version. |
Traditional RBAC roles are usually broad groupings with no context awareness. They are static and they are provided by the Identity Provider(IDP), not by Cerbos. Cerbos provides derived roles as a way of augmenting those broad roles with contextual data to provide more fine-grained control at runtime. For example, a person with the broad manager
role can be augmented to manager_of_scranton_branch
by taking into account the geographic location (or another factor) and giving that derived role bearer extra privileges on resources that belong to the Scranton branch.
Derived roles are dynamically determined at runtime by matching the principal’s roles sent in the API request to the parentRoles specified in the derived roles definitions. Don’t use the derived role names as roles in the API request as Cerbos only expects that field to contain "normal" roles.
|
---
apiVersion: "api.cerbos.dev/v1"
description: |-
Common dynamic roles used within the Apatr app
derivedRoles:
name: apatr_common_roles (1)
constants:
import: (2)
- apatr_common_constants
local: (3)
corporate_network_ip_range: 10.20.0.0/16
variables:
import: (4)
- apatr_common_variables
local: (5)
flagged_resource: request.resource.attr.flagged
definitions:
- name: owner (6)
parentRoles: ["user"] (7)
condition: (8)
match:
expr: request.resource.attr.owner == request.principal.id
- name: abuse_moderator
parentRoles: ["moderator"]
condition:
match:
expr: variables.flagged_resource
- name: corporate_user
parentRoles: ["user"]
condition:
match:
expr: request.principal.attr.ip_address.inIPAddrRange(constants.corporate_network_ip_range)
1 | Name to use when importing this set of derived roles. |
2 | Constant definitions to import (optional). |
3 | Local constant definitions (optional). |
4 | Variable definitions to import (optional). |
5 | Local variable definitions (optional). |
6 | Descriptive name for this derived role. |
7 | The static roles (from the identity provider) to which this derived role applies to. The special value * can be used to match any role. |
8 | An (optional) set of expressions that should evaluate to true for this role to activate. |