boilerplate/modules/iam/cerbos/policies/identity.yaml

# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies

apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: identity
  version: default
  rules:

    # Admins can read any identity with limited fields

    - actions: ["read", "update"]
      effect: EFFECT_ALLOW
      roles: ["admin"]

    # Users can fully read, update, or delete their own identity

    - actions: ["read", "update", "delete"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          expr: request.resource.id == request.principal.id