Principal policies

The policies for this section can be found on GitHub.

The final type of policy that Cerbos supports is the principal policy. Where resource policies and derived roles describe what a role may do to a kind of resource, a principal policy is keyed on a single principal ID and defines user-specific overrides that take precedence over the resource policy for that user.

In the case of Cerbforce there is a Data Protection Officer (DPO) who handles data deletion requests. Under the resource policy alone, the DPO would have no delete access to contacts unless they owned the record or held the admin role. To grant this without widening the admin role, a principal policy has been created that targets the DPO's user ID and allows the delete action on the contact resource:

---
apiVersion: "api.cerbos.dev/v1"
principalPolicy:
  version: "default"
  principal: "dpo1"
  rules:
    - resource: contact
      actions:
        - name: contact_delete
          action: "delete"
          effect: EFFECT_ALLOW

With this policy in place, when an authorization check is made with the principal ID of dpo1 and the policy version "default", the delete action on any contact resource is allowed regardless of ownership or role. The override is scoped to the rule's action only: for other actions on contacts, and for any other resource kind, evaluation falls through to the normal resource policy, so the DPO gains nothing beyond the delete right the rule spells out.
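The check a practitioner would want before shipping an override like this is a policy test that pins the behaviour down in both directions: the DPO can delete a contact they do not own, and an ordinary user with the same request is still denied. The Cerbos test suite below is an added example written for this page, not a file from the Cerbforce repository; the `user` role, the `ownerId` attribute and the contact IDs are assumptions chosen for illustration. Save it beside the policies as a file whose name ends in `_test.yaml` and run `cerbos compile <policy-dir>` to execute it.

```yaml
---
# Added example (not part of the Cerbforce tutorial repository).
# Verifies that the dpo1 principal policy overrides delete on contacts
# while leaving an ordinary user's access unchanged.
name: DPOContactDeleteTestSuite
description: The DPO may delete any contact; other users may not.
principals:
  dpo:
    id: dpo1
    roles: ["user"]          # assumed base role; the override does not rely on it
  ordinary_user:
    id: user1
    roles: ["user"]          # assumed base role
resources:
  someone_elses_contact:
    kind: contact
    id: contact-42           # assumed ID
    attr:
      ownerId: user2         # assumed attribute: neither dpo1 nor user1 own it
tests:
  - name: DPO can delete a contact they do not own
    input:
      principals: ["dpo"]
      resources: ["someone_elses_contact"]
      actions: ["delete"]
    expected:
      - principal: dpo
        resource: someone_elses_contact
        actions:
          delete: EFFECT_ALLOW
  - name: Ordinary user is still denied delete on the same contact
    input:
      principals: ["ordinary_user"]
      resources: ["someone_elses_contact"]
      actions: ["delete"]
    expected:
      - principal: ordinary_user
        resource: someone_elses_contact
        actions:
          delete: EFFECT_DENY
```

The first test exercises the principal policy directly, so it passes even if the contact resource policy changes, as long as the override stays in place. The second test is the guard rail: if someone later loosens the resource policy so that any user can delete contacts, it fails, which is exactly the regression a user-specific exception is meant to be tested against.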

Full documentation can be found here.