Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Batch Policies[Question] #45

Open
nschuz opened this issue Dec 12, 2023 · 1 comment
Open

Batch Policies[Question] #45

nschuz opened this issue Dec 12, 2023 · 1 comment

Comments

@nschuz
Copy link

nschuz commented Dec 12, 2023

Hello Team Cerbos,

First of all, congratulations on the wonderful development of everything related to Cerbos. Currently, I am using Cerbos in a project, but I wanted to ask if there is any resource in the Cerbos admin or within its SDK for batch querying. In other words, suppose I have a user (Principal), and I want to know what resources they can access, i.e., perform a batch traversal through all policies. This would help me determine what to display and what not to display to the user from the frontend.

Thank you.
@charithe
Copy link
Contributor

Hi. I would like to make sure that I understand your question correctly because there are two subtly different ways of interpreting it.

  • If you want to filter a list of resource instances (e.g. list of inventory records) to get just the ones that principal has access to, you can use the PlanResources API to get Cerbos to tell you what conditions you need to add to your query. This is the most efficient way to render a listing page with correct pagination and so on but filtered with just the records the user has access to. If you're using SQLAlchemy, there's an adapter at https://github.com/cerbos/query-plan-adapters/ that can convert Cerbos query plans to SQLAlchemy queries.
  • If you have instances of multiple different resource kinds (e.g. inventory record and invoice) you can still use the CheckResources API because it's a batch API. You can include up to 50 different resource instances in a single request and get results for all of them.

If you're trying to render a UI with different buttons enabled etc., one way to do that is to create Cerbos policies for your UI components and then use the CheckResources batch API to give you a set of decisions about whether each component should be rendered or not. If you would like to do that on the client side on the browser, we've recently introduced "Embedded PDPs" which are basically Web Assembly bundles of Cerbos policies that you can use with the Cerbos Javascript SDK. They are only available through Cerbos Hub though.

Hope that helps.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@charithe @nschuz