Is it possible to Cerbos serve for two or more apps?

[NormandoHall]

Hi all. And thanks for this OS software. A refine software about authorization.

I want to use a local Cerbos to server for two or more apps, each one with different rules and schemas. Say one app is a photo sharing (as example), and another is a financial one.

I can't figure how to layout the policies repository for those apps. I know scoped policies are for the same "schema" with distinction of development, staging, etc, but the concept about rules is the same.

Can you tell me if it is possible and how to layout the policy repository for two distinct app?

Thanks!

[bbodensieck]

You could just create resourcePolicies like this.

For the Photo-app

---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  scope: "apps.photo-app"
  resource: "photo:object"

  rules:
    - actions: ['list', 'view']
      effect: EFFECT_ALLOW
      roles:
        - app-user

For the financial-app

---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  scope: "apps.financial-app"
  resource: "stock:object"

  rules:
    - actions: ['list', 'view']
      effect: EFFECT_ALLOW
      roles:
        - app-user

You could also reuse DerivedRoles in both whenever it makes sense.

The folder structure could be like this

/policies
/policies/resource-policies
/policies/derived-roles
/policies/principal-policies

/policies/photo-app
/policies/photo-app/resource-policies
/policies/photo-app/derived-roles
/policies/photo-app/principal-policies

/policies/financial-app
/policies/financial-app/resource-policies
/policies/financial-app/derived-roles
/policies/financial-app/principal-policies

Hope that helps!
Björn

[NormandoHall]

Thank you so much @bbodensieck. Your reply is very useful!

[bbodensieck]

Additionally I guess the scope is only necessary when you would like to use the same resource in different applications. So you would be able to override/specify resource policies via scope.

When they are not overlapping, because you have different resources, it is fine without a scope I assume.

Maybe some of the core team can confirm.

[charithe]

If your two applications are completely independent of each other, you probably don't need to use scopes at all. Scopes are used for defining a base set of rules and then overriding some of them at different levels. An example would be a finance resource where the base policy restricts access to it for pretty much everybody but the Finance department has special privileges to work with it.

If it's possible that both your apps could have similarly named resources, then some kind of namespacing should be done. You could do this in couple of ways:

• Prefix resource kind with app name

  apiVersion: api.cerbos.dev/v1
  resourcePolicy:
    resource: finance:user_profile
    version: default

  apiVersion: api.cerbos.dev/v1
  resourcePolicy:
    resource: photo:user_profile
    version: default

• Use the version field to differentiate between the apps

  apiVersion: api.cerbos.dev/v1
  resourcePolicy:
   resource: user_profile
   version: finance

  apiVersion: api.cerbos.dev/v1
  resourcePolicy:
    resource: user_profile
    version: photo

[NormandoHall]

Superb! Thank you! Love Cerbos!