Hi All, For certain cases, like getting the list of resources, we are planning to use the outputs where once the access to reading a list of resources is allowed for a user, we plan to output a key called "constraint" which will have either a CEL or a mongo-query like expression which our controller will use as a filter expression while querying the list of resources from the database. I understand that the planResources have been provided by Cerbos to do this, but at the moment we find implementing our custom constraint in the "output" much easier given the limitations of converting the planResources output to an ORM query etc. One example is as follows:

- actions:
        - READ_ALL
      effect: EFFECT_ALLOW
      roles:
        - USER
      output:
        when:
          ruleActivated: |-
            {
              "constraint": {
                "ownerId": {
                  "$eq": P.id
                }
              }
            }

However, as per the docs (https://docs.cerbos.dev/cerbos/latest/policies/outputs), excessive use of outputs is not advised. Wanted to know if there is anything more concrete available on the excessive usage of outputs - whether the size of the output or the number of rules having output is the limiting factor here.

Hi @Kshitij Gupta,

Outputs

have overhead, the performance depends how complex they are and also how many of them there are. I am afraid you'll need to measure the performance for your use case and see if it is acceptable because it is not possible to give a general answer to this. Also we do not recommend using

outputs

the way you described (to generate a query plan, basically) due to the potential problems you may encounter in the future. This may not be guaranteed to work with every version of Cerbos. For example, currently

Role Policies

do not support

outputs

. Also, with more complex policies it is possible that the conditions for the policy and the outputs may drift apart by mistake.