If you're trying to implement something like an ACL system that could have thousands of entries for each principal, then instead of sending that list to Cerbos, it'd be better to do a pre-check in your application to make sure that the principal has access to that particular resource instance and then use Cerbos to enforce the other access rules. (E.g. your pre-check could determine that the principal is a
reader
of the resource. Pass that information on to Cerbos to enforce the access restrictions that
readers
should have.)