previous resource in policy file doesn't work

[9m-pwn]

Hi, I created the policy file look like this

apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default

  resource: user
  rules:
    - actions:
        - "*"
      effect: EFFECT_ALLOW
      roles:
        - admin
        - super_user
    - actions:
        - read
      effect: EFFECT_ALLOW
      roles:
        - user
        - guest

  resource: project
  rules:
    - actions:
        - "*"
      effect: EFFECT_ALLOW
      roles:
        - super_user
    - actions:
        - read
      effect: EFFECT_ALLOW
      roles:
        - user
        - guest

But once I use dcheckResources API, only project policy can work correctly, not for user. Do I miss something in the policy file?

[haines]

Hi @9m-pwn, you need to create two separate YAML files (e.g. project.yaml and user.yaml) instead of putting them together in the same file.

user.yaml

apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: user
  rules:
    - actions:
        - "*"
      effect: EFFECT_ALLOW
      roles:
        - admin
        - super_user
    - actions:
        - read
      effect: EFFECT_ALLOW
      roles:
        - user
        - guest

project.yaml

apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: project
  rules:
    - actions:
        - "*"
      effect: EFFECT_ALLOW
      roles:
        - super_user
    - actions:
        - read
      effect: EFFECT_ALLOW
      roles:
        - user
        - guest