# help
Rael Max: Hi team! I recently discovered Cerbos, and I'm currently working on some Proof of Concepts (POCs) to confirm that the project fits our needs. The question I'm trying to answer with Cerbos at this time is: "Can User:1 execute the LIST action on the BOOKS resource? If so, in which categories?" To model this problem, I have a list of "allowed categories" as an `attr` of my Principal (user:1), associated with a role, e.g. `{"user": {"categories": [1, 2]}, "admin": {"categories": ["*"]}}`. Are the policy `outputs` suitable for returning this category list to my application to perform some kind of filtering in the database, or do you have another recommendation for approaching this kind of problem?
In my architecture, I would have a service that manages the roles and custom attributes (categories, organization_id, etc.). So before calling the PDP, the only data I have to perform filtering is the data in the user token (which would be converted into a Principal instance).
oguzhan: Hi @Rael Max! I think what you're looking for is the Query Plan API (`PlanResources`, `/api/plan/resources`). We have a really nice blog post about it: https://cerbos.dev/blog/unlocking-efficient-authz-with-cerbos-query-plan
Rael Max: @oguzhan Thank you! I'll take a look at the blog post! 🙂