https://cerbos.dev logo
#help
Title
# help
r

Rael Max

09/13/2023, 3:26 PM
Hi team! I recently discovered Cerbos, and I'm currently working on some Proof of Concepts (POCs) to confirm that the project fits our needs. The question I'm trying to answer with Cerbos at this time is: "The User:1 can execute the LIST action on the BOOKS resource? If so, in which categories?" To model this problem, I have a list of "allowed categories" as
attr
of my Principal(user:1), associated with a role(e.g.:
{"user": {"categories": [1, 2]}, "admin": {"categories": ["*"]}}
. Are the policy
outputs
suitable for returning this category list to my application to perform some kind of filtering in the database, or do you have another recommendation for approaching this kind of problem?"
In my architecture, I would have a service that will manage the Roles&Custom attributes(categories, organization_id, etc.). So before calling the PDP, the only data that I have to perform filtering is the one in the user token(that would be converted into a Principal instance).
o

oguzhan

09/13/2023, 3:34 PM
Hi @Rael Max! I think what you’re looking for is
Query Plan API
(PlanResources /api/plan/resources) We have a really nice blog post about it: https://cerbos.dev/blog/unlocking-efficient-authz-with-cerbos-query-plan
r

Rael Max

09/13/2023, 3:53 PM
@oguzhan Thank you! I'll take a look at the blog post! 🙂
3 Views