When you make an API call to Cerbos, you submit a JSON payload describing the principal and the resource it wants to access. Cerbos first evaluates these details against the derived roles policy; if a definition matches, the principal is assigned the corresponding derived roles. Cerbos then looks up the policy for the resource kind named in the payload and checks whether those derived roles are allowed to perform the requested action on it. If they are, the Cerbos API returns an allow effect.
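The two-stage flow described above, written out as an added example in plain Python. This is a simplified model of the evaluation order, not Cerbos's own engine: the derived-roles definitions, the resource policy, the principal and the resource are all constructed here (shaped like Cerbos's `derivedRoles`, `resourcePolicy` and `CheckResources` objects), the first matching rule wins, and any request with no matching rule is denied by default.

```python
# Simplified model of the two-stage evaluation (not Cerbos's engine):
#   stage 1: compute derived roles from principal + resource,
#   stage 2: check the resource policy for those roles and the action.
# Anything not explicitly allowed is denied.

# Constructed derived-roles definitions: a derived role is granted when the
# principal holds one of the parent roles AND the condition holds.
DERIVED_ROLES = [
    {"name": "owner", "parentRoles": ["user"],
     "condition": lambda p, r: r["attr"].get("ownerId") == p["id"]},
    {"name": "any_admin", "parentRoles": ["admin"],
     "condition": lambda p, r: True},
]

# Constructed resource policy for the resource kind "document".
RESOURCE_POLICY = {
    "resource": "document",
    "rules": [
        {"actions": ["view", "edit"], "effect": "ALLOW", "derivedRoles": ["owner"]},
        {"actions": ["*"], "effect": "ALLOW", "derivedRoles": ["any_admin"]},
    ],
}


def compute_derived_roles(principal, resource):
    """Stage 1: derived roles this principal gets for this resource."""
    granted = set()
    for d in DERIVED_ROLES:
        has_parent = set(d["parentRoles"]) & set(principal["roles"])
        if has_parent and d["condition"](principal, resource):
            granted.add(d["name"])
    return granted


def check(principal, resource, action):
    """Stage 2: does a rule for this resource kind allow the action?"""
    if RESOURCE_POLICY["resource"] != resource["kind"]:
        return "DENY"  # no policy for this resource kind
    derived = compute_derived_roles(principal, resource)
    for rule in RESOURCE_POLICY["rules"]:
        action_matches = action in rule["actions"] or "*" in rule["actions"]
        if action_matches and derived & set(rule["derivedRoles"]):
            return rule["effect"]
    return "DENY"  # default deny: no rule matched


# Constructed request, shaped like a CheckResources payload.
ALICE = {"id": "alice", "roles": ["user"]}
DOC = {"kind": "document", "id": "doc1", "attr": {"ownerId": "alice"}}
```

`check(ALICE, DOC, "edit")` returns `ALLOW` because alice becomes `owner` of `doc1`; a second `user` who does not own the document gets `DENY` because no derived role is granted.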