Combined with https://play.cerbos.dev/p/BOjBdsZv7Flz62a9abc4NNkxN1Rm9LSc
To check if a person can read an article, I have two ways:
set all roles to the resourcePolicy; when checked, no need to query roles using the IdP system
- actions: ['read']
effect: EFFECT_ALLOW
roles: ["member", "editor", "admin"]
In the program, I don't even need an IdP, just read the user role from user
table of database; Then checked like following:
// get currentRole from the user table of database
const currentRole = 'admin';
await cerbos.isAllowed({
principal: { roles: [currentRole], /** ... */ },
resource: {
// ...
},
action: "read",
});
The disadvantage of this approach is: I have to list all roles with read permission in resourcePolicy, this makes dynamic creating roles very tricky.
set the low required role to the resourcePolicy; when checked, have to query all roles using the IdP system
- actions: ['read']
effect: EFFECT_ALLOW
roles: ["member"]
In the program, I don't even need an IdP, just read the user role from user
table of database; Then checked like following:
// get currentRole from the user table of database
const currentRole = 'admin';
// get all roles of the user;
const roles = await rbac.getAllExtendRoles(currentRole); // ['admin', 'editor', 'member', 'guest']
await cerbos.isAllowed({
principal: { roles, /** ... */ },
resource: {
// ...
},
action: "read",
});
The disadvantage of this approach is: I have to use another rbac permission management system.