Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage.

Cerbos Community

Hi, after reading the docs, i have mixed feelings about the `derivedRoles`.
In this case, it's about too much responsibilities in Cerbos.
My expectation is, those `deriveRoles` is normal `role`, but it's determined via the `request` object instead. Could this simplify the system ? So i could send the `role` directly via `request`.

Derived roles are convenience, not necessity. Derived roles assume the necessary attributes are available in the request.
Suppose your application domain has a notion of a role based on another role and some complex criteria, for example, querying a database or a remote service. In that case, you can check these criteria in the application and pass them as principal attributes in the request.