We value your privacy

This website or its third-party tools process personal data. You can opt out of the sale of your personal information by clicking on the “Do Not Sell or Share My Personal Information” link.

Opt-out Preferences

We use third-party cookies that help us analyze how you use this website, store your preferences, and provide the content and advertisements that are relevant to you. However, you can opt out of these cookies by checking "Do Not Sell or Share My Personal Information" and clicking the "Save My Preferences" button. Once you opt out, you can opt in again at any time by unchecking "Do Not Sell or Share My Personal Information" and clicking the "Save My Preferences" button.

Do Not Sell or Share My Personal Information
Powered by Cookieyes logo

Role policies

This documentation is for an as-yet unreleased version of Cerbos. Choose 0.41.0 from the version picker at the top right or navigate to https://docs.cerbos.dev for the latest version.

Role policies are ABAC policies in which you specify a number of resources, each with a set of allowable actions that the role can carry out on the resource. Optionally, a condition can also be specified for each set of allowable actions. In the simple case, they allow you to author permissions from the view of an IdP role, rather than for a given resource.

Unlike resource and principal policies, role policies do not define explicit ALLOW or DENY effects. Instead, the allowable actions act as an exhaustive list of actions allowed on each resource. Any resource and action pair not defined in this list is immediately denied for that role.

The name of a role policy is effectively a custom role within the context of Cerbos. A role policy (custom role) can optionally define parentRoles, inheriting and narrowing their permissions by default. The policy can only define rules that are a strict subset of the parent role’s permissions and cannot introduce any extra rules beyond what the parent roles allow. They can immediately DENY an action but if they ALLOW an action, a parent policy higher up the scope chain must also ALLOW the same action.

A parent role can be either an arbitrary IdP role or the name of another role policy within the system. Parent role resolution is recursive—if a custom role inherits from another custom role that also has parent roles, it inherits and narrows their permissions as well.

---
apiVersion: api.cerbos.dev/v1
rolePolicy:
  role: "acme_admin" (1)
  scope: "acme.hr.uk" (2)
  parentRoles: (3)
    - admin
  rules:
    - resource: leave_request (4)
      allowActions: (5)
        - view:* (6)
        - deny

    - resource: salary_record
      allowActions:
        - edit
      condition: (7)
        match:
          expr: R.attr.owner == P.id

    - resource: "*" (8)
      allowActions: ["create"]
yaml
1 The role to which this policy applies.
2 Optional principal scope for this policy.
3 The list of parent roles that the custom role inherits.
4 The resource to which the following rule applies.
5 The list of allowable actions that the role can carry out on the given resource.
6 Wildcard actions are supported.
7 A condition that must be met for the action to be allowed.
8 Wildcard resources are also supported.