Comments (12)

charithe commented on June 9, 2024

Hi. It's currently not possible to obtain the set of permissions across all resources for a given role. This is because Cerbos is a dynamic system that provides context-sensitive role augmentation (derived roles) and policy rules. So, given a single static role name, it is not possible to find all the permissions that role has because a lot of it depends on the context (attributes of the principal and the resource).

The closest we have is the PlanResources API which takes as input a user and their known attributes and gives you a set of conditions that must be satisfied by resource instances in order to be accessible by that user. However, the plan is for a single resource kind so it's probably not useful for the use case you have in mind.

michelgokan commented on June 9, 2024

Thank you @charithe for your response to my previous question. Your answer clarified a lot of things for me. However, this brings up another issue that I'm currently grappling with.

I am looking to develop an admin page within my application. The idea is for a system admin to have the ability to view permissions associated with a particular role, and to set or assign new permissions to roles. This would be somewhat similar to the IAM service provided by GCP or AWS.

Considering your previous response, where you mentioned it's not possible to find and list all permissions associated with a role due to the dynamic nature of Cerbos, what would you recommend as the best approach to achieve this?

Is there a workaround to simulate this feature or an entirely different approach you would suggest, keeping in mind the design principles and functionalities of Cerbos?

Any guidance would be much appreciated. Thank you in advance.

charithe commented on June 9, 2024

Yes, I see the problem you're facing. Due to the dynamic nature of Cerbos that I mentioned above and the resource-oriented way of implementing access rules, it's quite tricky to render a traditional "access matrix" screen with Cerbos where someone could tick boxes to grant permissions.

If all your resources have the same set of actions and no attribute-based rules, then they would be in a standard format. That would allow you to parse them and build the access matrix without too much effort. Because Cerbos policies can be read and written as JSON documents, your UI would be essentially manipulating JSON in the background. I know it's not ideal and requires some work but that's the only way that I can think of to build the screen you're describing.

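One way to build the access matrix described in the comment above, as an added example that is not Cerbos project code: it parses a resource policy in its JSON form (assuming the documented `resourcePolicy` / `rules` layout), and marks the cells a static matrix cannot decide, namely attribute-based conditions and derived roles. The sample policy, with subscription tiers modelled as plain roles, is constructed for illustration.

```python
import json

# Constructed sample policy: one resource kind, tier roles as plain roles,
# one derived role and one attribute-based rule, so every matrix case appears.
SAMPLE_POLICY = json.dumps({
    "apiVersion": "api.cerbos.dev/v1",
    "resourcePolicy": {
        "version": "default",
        "resource": "report",
        "rules": [
            {"actions": ["view", "create"], "effect": "EFFECT_ALLOW",
             "roles": ["standard", "premium"]},
            {"actions": ["export"], "effect": "EFFECT_ALLOW", "roles": ["premium"]},
            {"actions": ["delete"], "effect": "EFFECT_ALLOW", "derivedRoles": ["owner"]},
            {"actions": ["export"], "effect": "EFFECT_ALLOW", "roles": ["standard"],
             "condition": {"match": {"expr": "request.resource.attr.public == true"}}},
            {"actions": ["delete"], "effect": "EFFECT_DENY", "roles": ["standard"]},
        ],
    },
})

def access_matrix(policy_json: str) -> dict:
    """Map role -> action -> "allow" | "deny" | "conditional".
    Derived roles get a "derived:" prefix (membership is computed per request)
    and rules with a condition are "conditional" (outcome needs attributes).
    An unconditional deny is final, as in Cerbos' own rule resolution."""
    matrix: dict = {}
    for rule in json.loads(policy_json)["resourcePolicy"]["rules"]:
        subjects = list(rule.get("roles", []))
        subjects += ["derived:" + r for r in rule.get("derivedRoles", [])]
        if "condition" in rule:
            outcome = "conditional"
        else:
            outcome = "deny" if rule["effect"] == "EFFECT_DENY" else "allow"
        for subject in subjects:
            row = matrix.setdefault(subject, {})
            for action in rule["actions"]:
                current = row.get(action)
                if current == "deny":
                    continue  # an unconditional deny is already recorded
                if current == "allow" and outcome == "conditional" and rule["effect"] == "EFFECT_ALLOW":
                    continue  # already granted unconditionally; a conditional allow adds nothing
                row[action] = outcome
    return matrix

def is_static(policy_json: str) -> bool:
    """True when the matrix is exact: no conditions and no derived roles."""
    rules = json.loads(policy_json)["resourcePolicy"]["rules"]
    return not any("condition" in r or "derivedRoles" in r for r in rules)
```

A UI that lets an admin tick boxes would write back by appending or removing entries in `rules`; `is_static` tells it whether the rendered matrix is exact or only a context-dependent approximation.
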
michelgokan commented on June 9, 2024

Thanks again, @charithe, for yet another helpful answer.
In your experience, what kind of User Interface do you think would be ideal for managing permissions, roles, and accesses based on Cerbos? I'm not particularly concerned with following traditional approaches like using an access matrix. Instead, I'm eager to implement a user-friendly solution that our system administrator can utilize to efficiently handle user-specific permissions, roles, and accesses via our user-friendly admin panel.

Are there any existing UI solutions available for this purpose, or do you have any ideas on how we can design an intuitive and effective UI specifically for managing permissions and roles for users based on Cerbos? I'm eager to hear your thoughts on potential solutions or any existing examples that can serve as inspiration for managing users, permissions, and roles seamlessly with Cerbos.

I would like to note that your suggestion of managing JSON ourselves carries a significant implementation and maintenance cost, and it may introduce a higher likelihood of errors. I really prefer to go ahead with a more straightforward approach if possible (via a standard API or at least without messing around with the structure of the JSON).

charithe commented on June 9, 2024

I am afraid I don't have a satisfactory answer for you at this point. Consider the fact that all of Cerbos's access rules are encapsulated within policies. Any change to access rules would require some modification to be applied to at least one policy. Therefore, any kind of UI would have to trigger those policy edits somehow.

Because Cerbos policies can be used to model quite complex access scenarios and there are multiple ways to model things based on your preference (see https://docs.cerbos.dev/cerbos/latest/policies/best_practices.html#_modelling_policies), we currently don't have a UI solution or an edit API that would cater to all (or at least a majority) of our users. It's something we do want to tackle soon though.

michelgokan commented on June 9, 2024

Thank you once again, @charithe. Let's consider a practical scenario where we have multiple users interacting with a SaaS application. These users can access some public resources categorized based on their subscription tiers (free, standard, premium, gold, enterprise), and we want to offer them varying levels of access and control based on their respective tiers. Additionally, we want to empower a superadmin to oversee all these users. Furthermore, each user might need to invite other members from their organization to their online project, and these invited members should have permissions based on the scope of their invitation.

Given the dynamic nature of Cerbos and its context-sensitive role augmentation and policy rules, how can we manage (not implement) these different tiers without resorting to the traditional roles/permission matrix that you mentioned? Of course, we have already implemented this hierarchy, but we don't have a way to manage the assignment of these tiers effectively using Cerbos.

I'm afraid without using an API, managing the content of the JSON ourselves would be extremely tedious.

charithe commented on June 9, 2024

Won't you just be assigning a role to a user (or setting a principal attribute) to denote their subscription tier? That would be done at the identity provider or at the application. The Cerbos policies are for defining what capabilities each tier grants a user, and those policies would be relatively static. Unless you want to create custom tiers and packages for users on the fly, you don't need to modify Cerbos policies at all. We have an example of that here: https://play.cerbos.dev/p/s60f5ee11Q3kwi5kuZEhBeL5zwYCHOk1

michelgokan commented on June 9, 2024

Absolutely, @charithe. The crux of the matter is that we want a super admin to be able to easily "manage" permissions within these tiers (using a UI or an API), not just assign roles to users. On the application level, we also want to determine if a requested permission is associated with a specific role before executing certain actions (which you've already clarified is not currently supported by Cerbos). The question then is, what alternatives do we have? Apart from parsing JSON files ourselves to determine if a permission is tied to a specific tier, or allowing a superadmin user to manage these permissions via a dashboard, are there any other options?

Given your recent response, it seems that assigning a role to a user or setting a principal attribute to denote their subscription tier would be done at the identity provider or at the application level. The Cerbos policies would then define what capabilities each tier grants a user. You are right and that's exactly what we are doing at the moment, but how does this approach align with our need to manage permissions effectively using Cerbos (via an admin panel or API), especially considering the potential complexity of managing JSON files ourselves?

charithe commented on June 9, 2024

I completely understand your requirement. Unfortunately, we don't currently have a UI component that can translate your admin's intentions into a series of edits to underlying policies. As it stands, either your admins need to be familiar enough with Cerbos and be comfortable editing them through an interface like the Cerbos Playground OR you'll have to build an interface yourself that takes care of that (à la JSON manipulation).

Sorry I am not able to give you a satisfactory answer at this point. Your requirements and feedback would be really valuable for us to build such a feature in the future though. Is it OK if someone from our team reaches out to you to discuss it?

michelgokan commented on June 9, 2024

@charithe I appreciate your response. Certainly, I'm more than willing to assist. In the meantime, it seems that we'll need to take the initiative and develop an intermediary API to carry out this task on our behalf.
Thanks again.

alexolivier commented on June 9, 2024

Hey @michelgokan, would you be up for a 30-minute call to chat through these requirements and what you are trying to implement? Use this link (https://go.cerbos.io/workshop) or drop me an email at [email protected]

michelgokan commented on June 9, 2024

@alexolivier Of course, I've already booked a session with you in July.
