# help
r
Is there a best practice for checking authorization on a non-specific resource, i.e. "can this user list products?" As far as I can see, the resource ID is mandatory in the /check call and the SDKs.
Is it as simple as just sending "ALL" (or any other arbitrary value) as the ID?
d
This field can be anything unless a policy has a rule for a particular resource ID.
s
I implemented something akin to this by making the access a resource in itself. In our case, we're multitenant with a ton of possible ways a user can access parts of the admin section. We simply created an "Admin" resource and calculated the permissions based on the user's roles and owned entities. For an ID, we always just use `*`.
This basically lets a subset of users get past our admin middleware, and we then do more specific checks on the resources they are able to view/mutate.
r
Alright, got it! Sounds like a good approach; I was considering the asterisk but was unsure if it was reserved. Nice to know. Thanks for the feedback 🙂