Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage.

Cerbos Community

Hey team - very basic question, when making a request and sending the Principal object, why is an empty/null `Principal.Roles` not allowed? Is the idea that we should make the decision in code to reject the request without sending it to cerbos?

Hi. Policy rules require at least one role to be known. That's because access rules are not usually written for individual users but for a group of users (as an indirection). So that's why `principal.roles` is mandatory. If you don't have any, you can make up something instead.

Hi <@U03TSP3LMQD>, What is your use case? Anything else we can help with?