# help
d
Hi, I understand that one can map the resource policies 1:1 to each data set. Could the Cerbos PDP respond to questions like "get all datasets user xxx has access to"?
a
Hi - yes, this is what the query plan is used for: https://docs.cerbos.dev/cerbos/latest/api/#resources-query-plan
Rather than giving you back an ALLOW or DENY, Cerbos will give you back a set of conditions to apply to your data lookup (e.g. SQL WHERE clause) to return just the records a user would have a specific permission to.
We also have some reference adapters available: https://github.com/cerbos/query-plan-adapters
d
So Cerbos does not hold the actual metadata of the datasets (id, owner, createAT) in a Postgres table, for example?
a
Correct - Cerbos is a stateless policy decision point (some background https://www.cerbos.dev/blog/the-importance-of-stateless-architecture-in-authorization-systems)

https://www.youtube.com/watch?v=-TROtUh5wvk

d
Thanks for your reply. If I would like to map every dataset to a specific policy (one-to-one), I would pass the id relationship to the policy it applies under the
condition:
  match:
    expr:
correct?
a
Yes, that would be one approach.