Modelling Tenant wise module access using Cerbos

[yogimogi]

Say, we have a multi-tenant application and every tenant needs to be configured to have access to certain modules (features). This is blanket access, YES/NO.
T1 - M1, M2 (any user belonging to tenant T1 should be able to see module M1 and M2 and in the UI and then based on the user role can perform actions).
T2 - M1, M2, M3
T3 - M5
Say application has roughly 100 Tenants and 10 modules.
If you are using Cerbos, can/should this also be modelled using Cerbos, if Yes, what the best way to capture this using Policy files?

regards, Yogesh

[charithe]

The tenant to module mapping should be stored in your own database because it can be very efficiently queried to find the set of modules enabled for a given tenant. If all users belonging to the tenant have complete access to the enabled modules, then you can make the decision at the application level itself using just a query. If you require more fine-grained control, you can make a request to Cerbos with the set of enabled modules as a principal attribute. Your policies can then make access control decisions based on that set.

---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: "foo" 
  version: "default"
  rules: 
    - actions: ['frobnicate']
      effect: EFFECT_ALLOW
      roles: ["user"] 
      condition:
        match:
          expr: |-
            "M1" in P.attr.enabled_modules