#help
Deepika Agrawal

12/02/2022, 12:37 PM
Hi all, is there any way/api to get all allowed resources and actions for a given user/role? How could front-end be aware of user access ( resources and actions) so it can disable/hide components in the UI?
Andrew Haines (Cerbos)

12/02/2022, 1:54 PM
Hi Deepika, for a given resource (or list of resources), you can use the `CheckResources` API to check multiple actions at once (but you do have to specify the actions you want to check in the request, you can't just ask for "all allowed actions"). What I would generally recommend for making the frontend aware of user access is that you add a `permissions` field to each resource in your backend's API response, and populate that from the `CheckResources` results. So your API response might look something like this:
```json
{
  "blog_post": {
    "title": "What is Cerbos?",
    "author": "Bruce Wiggleston",
    "permissions": {
      "edit": true,
      "delete": false
    }
  }
}
```
The permissions can be as fine-grained as you like, depending on what actions you need to expose in your UI. The more general problem of "what resources is a given user allowed to perform a given action on" is a bit harder. For that, we have the `PlanResources` API, which produces a query plan that allows you to e.g. add `WHERE` clauses to an SQL query. We have adapters for Prisma and SQLAlchemy that integrate the query plan with those ORMs, but if you're using something else then you'd need to handle the translation from query plan to database query yourself.