Say, we have a multi-tenant application and every tenant needs to be configured to have access to certain modules (features). This is blanket access, YES/NO.

Regards, Yogesh
Replies: 1 comment
The tenant to module mapping should be stored in your own database because it can be very efficiently queried to find the set of modules enabled for a given tenant. If all users belonging to the tenant have complete access to the enabled modules, then you can make the decision at the application level itself using just a query.

If you require more fine-grained control, you can make a request to Cerbos with the set of enabled modules as a principal attribute. Your policies can then make access control decisions based on that set.

```yaml
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: "foo"
  version: "default"
  rules:
    - actions: ['frobnicate']
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          # Allow only when module M1 is in the principal's enabled_modules attribute
          expr: |-
            "M1" in P.attr.enabled_modules
```
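The two options described in the reply, as an added example that is not part of the original thread or Cerbos's own code: the tenant's modules are read from the application's database, used directly for the blanket YES/NO check, and placed in the principal attributes of a Cerbos CheckResources request body. The table schema, function names and sample rows are assumptions; no request is sent.

```python
import sqlite3

# Constructed sample data: (tenant_id, module) rows.
SAMPLE_ROWS = [("acme", "M1"), ("acme", "M3"), ("globex", "M2")]


def open_db(rows=SAMPLE_ROWS):
    """In-memory stand-in for the application's own database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tenant_modules (tenant_id TEXT NOT NULL, "
               "module TEXT NOT NULL, PRIMARY KEY (tenant_id, module))")
    db.executemany("INSERT INTO tenant_modules VALUES (?, ?)", rows)
    return db


def enabled_modules(db, tenant_id):
    """Modules enabled for a tenant; an unknown tenant gets [] (deny by default)."""
    cur = db.execute(
        "SELECT module FROM tenant_modules WHERE tenant_id = ? ORDER BY module",
        (tenant_id,),
    )
    return [row[0] for row in cur]


def blanket_allowed(db, tenant_id, module):
    """Application-level YES/NO decision using just a query."""
    return module in enabled_modules(db, tenant_id)


def build_check_request(db, user_id, tenant_id, roles, resource_id, actions):
    """Body for a Cerbos CheckResources call (POST /api/check/resources)."""
    # tenant_id must come from the authenticated session, never from request
    # parameters, and enabled_modules is always looked up server-side, so a
    # caller cannot claim modules that belong to another tenant.
    return {
        "requestId": f"{tenant_id}:{user_id}:{resource_id}",
        "principal": {
            "id": user_id,
            "roles": list(roles),
            "attr": {"enabled_modules": enabled_modules(db, tenant_id)},
        },
        "resources": [
            {"resource": {"kind": "foo", "id": resource_id}, "actions": list(actions)}
        ],
    }
```

With the policy above, a `user` principal from tenant `acme` would be allowed to `frobnicate` because `M1` is in the attribute list, while one from `globex` would not.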