# help
d
Hello 👋. I am currently evaluating Cerbos against our authz requirements and I'm trying to understand how I would write a request/policy to filter a potentially large amount of resources that are hierarchically organized. As an example: a directory structure of fixed depth (2 levels) where each depth of folder can have its own permissions and also the file nodes can have their own permissions. The system would require a way to filter the list of files to just those “viewable” or “editable” by the user. I see some examples in the playground, but they appear to deal with small quantities of resources, and also the documentation indicates that up to 50 (a default) resources can be included in a request. Are there any other examples? Or maybe a policy pattern for handling this scenario? Thanks!
a
Hey! Thanks for evaluating Cerbos. The filtering challenge is one of the hardest things with decoupled authorization. We’ve taken what we think is a novel approach to this, where Cerbos can produce a Query Plan, which is an AST of conditions that you need to apply to your data fetching logic (e.g. a WHERE clause) to return just the resources that the user would have access to. This is a more optimal approach than sending a long list of resources and then reducing it one by one (which could lead to no results in some cases, which is inefficient). You can read more about it here:
https://docs.cerbos.dev/cerbos/latest/api/index.html#resources-query-plan
https://cerbos.dev/blog/filtering-data-using-authorization-logic
https://cerbos.dev/blog/authorization-aware-data-fetching-cerbosctl-improvements-and-more-cerbos-v0-12-release
d
Thanks @Alex Olivier (Cerbos) - these definitely seem to describe the challenge we are facing. I will read through them in more detail. 👍
a
Great news - if you would find it useful, we run free policy workshops to help you out getting started with Cerbos and answer any questions you may have. You can pick some time that works for you: https://go.cerbos.io/workshop
d
Awesome, will keep that in mind.