Hey team - very basic question, when making a request and sending the Principal object, why is an empty/null

Principal.Roles

not allowed? Is the idea that we should make the decision in code to reject the request without sending it to cerbos?

Hi. Policy rules require at least one role to be known. That's because access rules are not usually written for individual users but for a group of users (as an indirection). So that's why

principal.roles

is mandatory. If you don't have any, you can make up something instead.

Hi @B Cerkezi, What is your use case? Anything else we can help with?