I am using Cerbos (https://www.cerbos.dev/) to implement user permission levels.
I have defined a derived role like this:
apiVersion: api.cerbos.dev/v1   # required header on every Cerbos policy file
description: |-
  Lending abc derived role
derivedRoles:
  name: abc_user_derived_role
  definitions:
    - name: abc_user
      # parentRoles is an OR: the principal needs any one of these roles
      parentRoles: ["customer_user", "api_user"]
      condition:
        match:
          # abc_id must be present and must not be the all-zero UUID
          expr: ("abc_id" in P.attr) && (P.attr.abc_id != "00000000-0000-0000-0000-000000000000")
Now, in the "loan" resource YAML file, I want an action called "read_funding_amount" which is allowed only if a user has either the customer_user or api_user role AND the Admin role.
I have the code below in the loan.yml file:
apiVersion: api.cerbos.dev/v1   # required header on every Cerbos policy file
resourcePolicy:
  version: "default"
  resource: "loan"
  importDerivedRoles:
    - abc_user_derived_role
  rules:
    - actions:
        - read_funding_amount
      effect: EFFECT_ALLOW
      derivedRoles:
        - abc_user
      roles:
        - Admin
      condition:
        match:
          expr: P.attr.abc_id in R.attr.abc_ids
But the issue with the above rule is that if a user has either customer_user or api_user, they still get EFFECT_ALLOW for the read_funding_amount action even though the user doesn't have the Admin role, but I want the user to have the Admin role in order to access that action.
It seems like abc_user and Admin are in an OR condition here, but I want them in an AND condition. How can I achieve this in Cerbos?
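The behaviour described in the question is how Cerbos evaluates a rule: the entries under roles and derivedRoles are alternatives, so a principal that holds any one of them matches the rule, and only the condition is evaluated on top of that match. To require the Admin role in addition to the derived role, the Admin check has to move into the condition, where Cerbos exposes the principal's role list to CEL as P.roles. The loan.yml below is an added example, not the original poster's file; it keeps the resource, action, role and attribute names from the question and assumes the api.cerbos.dev/v1 policy format.

```yaml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "loan"
  importDerivedRoles:
    - abc_user_derived_role
  rules:
    # Weak form (the rule from the question, kept here for contrast):
    # derivedRoles and roles are ORed, so a plain customer_user with a
    # matching abc_id is allowed without ever holding Admin.
    #- actions: [read_funding_amount]
    #  effect: EFFECT_ALLOW
    #  derivedRoles: [abc_user]
    #  roles: [Admin]
    #  condition:
    #    match:
    #      expr: P.attr.abc_id in R.attr.abc_ids

    # Corrected form: match only on the derived role (customer_user OR
    # api_user with a usable abc_id), and require Admin inside the
    # condition. Every clause under all.of must hold, so the role match
    # and both expressions are effectively ANDed.
    - actions:
        - read_funding_amount
      effect: EFFECT_ALLOW
      derivedRoles:
        - abc_user
      condition:
        match:
          all:
            of:
              - expr: '"Admin" in P.roles'
              - expr: P.attr.abc_id in R.attr.abc_ids
```

Note the side effect of dropping roles: [Admin] from the rule: a principal whose only role is Admin no longer matches, which is exactly the "customer_user or api_user AND Admin" requirement. When checking the change with cerbos compile and a policy test suite, cover three principals: customer_user only (expect deny), Admin only (expect deny), and customer_user plus Admin with an abc_id contained in the resource's abc_ids (expect allow).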