The policies for this section can be found on Github.
The final type of policy that Cerbos supports is a principal policy which is a special type that allows user-specific overrides to be defined.
In the case of Cerbforce there is a Data Protection Officer (DPO) that handles any data deletion requests. By default, they would not have any delete access to contacts unless they were the owner of the record or have the
admin role. To overcome this a principal policy has been created which targets their userId and overrides this for the delete action on a contact resource:
--- apiVersion: "api.cerbos.dev/v1" principalPolicy: version: "default" principal: "dpo1" rules: - resource: contact actions: - name: contact_delete action: "delete" effect: EFFECT_ALLOW
With this policy in place, when an authorization check is made with the principal ID of
dpo1 the delete action on a
contact resource is overridden to be allowed.
Full documentation can be found here.