--- apiVersion: "api.cerbos.dev/v1" resourcePolicy: version: "default" importDerivedRoles: - buyer_derived_roles resource: purchase_order schemas: principalSchema: ref: cerbos:///principal.json resourceSchema: ref: cerbos:///purchase_order.json rules: - actions: ["*"] effect: EFFECT_ALLOW roles: - support - admin - actions: - create - view - update - delete effect: EFFECT_ALLOW derivedRoles: - buyer