# help
a
Hi! Is it possible to determine which authorised actions a given actor is allowed to take on a resource without having to specify the actions in the request payload? I.e. instead of specifying to check the resources against the `actions: ['read', 'update', 'delete']`, I would like for the policy to respond with all of the authorised actions the user can take. If I'm thinking about things correctly, this would make things a little more simple at call site?
I'm assuming this isn't possible by design on Cerbos because of the following documentation about the `CheckResources` API?
> List of actions being performed on the resource. Up to 50 actions per resource may be provided by default. This limit can be configured.
d
Hey, you’re right. This is not supported.
a
No worries, thanks. And to clarify, this is by intent, rather than being some functionality for which there are plans to add in the future?
d
There are several aspects why Cerbos requires an “action” in the check resources request. My take is they are:
1. Performance.
2. Resolution logic on the server side: rule actions might contain wildcards.
3. Auditing. Cerbos can keep an audit log of application intents.