:wave:! After reading the (very clear) docs I have...
# community
s
👋! After reading the (very clear) docs I have a question: Could Cerbos answer the question: 'to which tenants does this user have access?'. Our use case is a GQL frontend gateway that talks to unopinionated grpc backend microservices. We are exploring the pattern of having the external client send an unfiltered request (/devices, without specifying tenantIDs) to the gateway. This GW should then enforce RBAC and make a filtered request to the /devices backend, containing only the tenants this user has access to.
c
👋 If I understand your question correctly, I think you're asking whether it's possible to look up a list of things that a particular user has access to. You certainly can. Cerbos is stateless and doesn't have access to your data. But, what you can do is to ask Cerbos to produce a query plan for you based on the access policies that are in effect. You can then use that query plan to construct a query for your data store and fetch the data you need. You can read more about that in the following links:
https://docs.cerbos.dev/cerbos/latest/api/index.html#resources-query-plan
https://cerbos.dev/blog/filtering-data-using-authorization-logic
s
Very nice, thanks for clarifying! Is it a huge performance penalty, compared to asking a specific authZ question?
Cerbos must get the data it evaluates in the policy engine from the requesting client, or have it stored in the storage backend. I have some food for thought now, thanks.
c
Producing the query plan does not have a performance penalty. It's not massively different from a standard access decision. We are just returning the unknown variables and the conditions they must satisfy back to you.
To be clear, the Cerbos storage backend only stores policies. It never stores or has access to your own data.