I am trying to use cerbos-sqlalchemy v0.3.2.
My Cerbos policy looks like this:
```yaml
# derived_roles_common.yaml
apiVersion: "api.cerbos.dev/v1"
derivedRoles:
  name: common_roles
  definitions:
    - name: coordinator_same_destination
      parentRoles: ["coordinator"]
      condition:
        match:
          expr: request.resource.attr.destination in request.principal.attr.destinations
```
```yaml
# booking_resource.yaml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  importDerivedRoles:
    - common_roles
  resource: "booking"
  rules:
    - actions:
        - view
      effect: EFFECT_ALLOW
      derivedRoles:
        - coordinator_same_destination
```
and my models look like this:
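```python
# models.py
from sqlalchemy import Column, ForeignKey, Integer
from sqlalchemy.orm import relationship

# Base and CommonMixin are defined elsewhere in the project.
class ModelItinerary(Base, CommonMixin):
    __tablename__ = "itinerary"

    id = Column(Integer, primary_key=True, index=True)
    destination_id = Column(Integer, ForeignKey("destination.id"), nullable=True)
    destination = relationship("ModelDestination", back_populates="itineraries")
```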
What I want is to get from the plan resources a filter expression that can be applied to a SQLAlchemy query:

```python
db.query(ModelItinerary).filter(expression)
```

which will output the correct list of itineraries for the coordinator role, and when I change the policies the expression will correctly reflect the policies.
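
The translation asked about above, as an added example that is not part of the original post and is not cerbos-sqlalchemy's own code: it turns a query-plan filter into a parameterized WHERE clause and fails closed on anything it does not recognize. The sample filter's JSON shape, the attribute-to-column mapping and the table rows are constructed assumptions, and stdlib `sqlite3` stands in for the SQLAlchemy session.

```python
import sqlite3

# Constructed sample: the filter a plan could yield for action "view" and a
# coordinator whose attr.destinations is [1, 3]. The JSON shape is an assumption.
SAMPLE_FILTER = {"kind": "KIND_CONDITIONAL", "condition": {"expression": {
    "operator": "in",
    "operands": [{"variable": "request.resource.attr.destination"}, {"value": [1, 3]}],
}}}
# Hypothetical allow-list mapping policy attributes to itinerary columns.
ATTR_TO_COLUMN = {"request.resource.attr.destination": "destination_id"}
BINARY_OPS = {"eq": "=", "ne": "<>", "lt": "<", "gt": ">", "in": "IN"}
CONSTANT_KINDS = {"KIND_ALWAYS_ALLOWED": "1 = 1", "KIND_ALWAYS_DENIED": "1 = 0"}

def operand_sql(node, params):
    # Values only ever become bound parameters, never SQL text.
    if "expression" in node:
        return expression_sql(node["expression"], params)
    if "variable" in node:
        return ATTR_TO_COLUMN[node["variable"]]  # unmapped attribute: KeyError, fail closed
    value = node["value"]
    items = value if isinstance(value, list) else [value]
    params.extend(items)
    marks = ", ".join("?" * len(items))
    return f"({marks})" if isinstance(value, list) else marks

def expression_sql(expr, params):
    op, operands = expr["operator"], expr["operands"]
    if op in ("and", "or"):
        return "(" + f" {op.upper()} ".join([operand_sql(o, params) for o in operands]) + ")"
    if op == "not":
        return f"(NOT {operand_sql(operands[0], params)})"
    if op not in BINARY_OPS:
        raise ValueError(f"unsupported operator: {op}")  # refuse rather than guess
    left = operand_sql(operands[0], params)
    return f"{left} {BINARY_OPS[op]} {operand_sql(operands[1], params)}"

def plan_to_where(plan_filter):
    kind = plan_filter["kind"]
    if kind in CONSTANT_KINDS:
        return CONSTANT_KINDS[kind], []
    if kind != "KIND_CONDITIONAL":
        raise ValueError(f"unknown filter kind: {kind}")
    params = []
    return expression_sql(plan_filter["condition"]["expression"], params), params

def visible_itinerary_ids(plan_filter):
    where, params = plan_to_where(plan_filter)
    db = sqlite3.connect(":memory:")  # constructed rows: (id, destination_id)
    db.execute("CREATE TABLE itinerary (id INTEGER PRIMARY KEY, destination_id INTEGER)")
    db.executemany("INSERT INTO itinerary VALUES (?, ?)", [(1, 1), (2, 2), (3, 3), (4, None)])
    return [r[0] for r in db.execute(f"SELECT id FROM itinerary WHERE {where} ORDER BY id", params)]
```

Because the WHERE clause is rebuilt from the plan on every request, a policy change alters the filter without any change to the query code.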