The PlanResources API generates a query plan that describes the conditions under which a principal can perform specific actions on a resource kind. This is particularly useful for implementing filtered list views where you need to show only the resources a user has access to.
Endpoint rpc PlanResources(PlanResourcesRequest) returns (PlanResourcesResponse)
Request Parameters Optional application-specific ID useful for correlating logs for analysis. Example: "c2db17b8-4f9f-4fb1-acfd-9162a02be42b"
Opt to receive request processing metadata in the response.
A person or application attempting to perform the actions on the set of resources. ID of the principal. Example: "user123"
Roles assigned to this principal from your identity management system. Must contain at least one role. Example: ["user", "manager"]
Key-value pairs of contextual data about this principal that should be used during policy evaluation. Example: {"department": "engineering"}
The policy version to use to evaluate this request. If not specified, will default to the server-configured default version. Example: "default"
A dot-separated scope that describes the hierarchy this principal belongs to. This is used for determining policy inheritance. Example: "acme.corp"
The resource kind to generate the query plan for. Resource kind. Example: "album:object"
Key-value pairs of contextual data about the resource that are known at a time of the request.
The policy version to use to evaluate this request. If not specified, will default to the server-configured default version. Example: "default"
A dot-separated scope that describes the hierarchy this resource belongs to. This is used for determining policy inheritance.
Deprecated: Use actions instead. Action to be applied to each resource in the list.Example: "view"
List of actions to generate the query plan for. Mutually exclusive with the singular action field. Must contain at least one action and all actions must be unique. Example: ["view", "edit"]
Structured auxiliary data useful for evaluating the request. JWT from the original request. JWT from the original request.
Key ID to use when decoding the token (defined in the Cerbos server configuration).
Response Fields Request ID provided in the request. Example: "c2db17b8-4f9f-4fb1-acfd-9162a02be42b"
Deprecated: The action from the request.
Actions from the request. Example: ["view", "edit"]
Resource kind. Example: "album:object"
The policy version. Example: "default"
Filter that describes the conditions for accessing resources. Filter kind. Defines whether the given action is always allowed, always denied or allowed conditionally. Possible values:
KIND_ALWAYS_ALLOWED: The principal always has access to all resources of this kind for the specified action(s)KIND_ALWAYS_DENIED: The principal never has access to any resources of this kind for the specified action(s)KIND_CONDITIONAL: Access depends on resource attributes matching the condition Filter condition. Only populated if kind is KIND_CONDITIONAL. This contains a query expression that can be translated into a database query using query plan adapters.
Optional metadata about the request evaluation process. Filter textual representation for debugging purposes.
Matched policy scope for each action. Keys are action names, values are scope paths.
List of validation errors (if schema validation is enabled).
Audit log call ID associated with this request.
Example cURL
Response (Always Allowed)
Response (Conditional)
cat << EOF | curl --silent "http://localhost:3592/api/plan/resources?pretty" -d @- { "requestId": "test02", "includeMeta": true, "principal": { "id": "alicia", "roles": ["user"], "attr": { "department": "marketing" } }, "resource": { "kind": "album:object" }, "action": "view" } EOF
Use Cases Filtered List Views The most common use case is implementing filtered list views where you need to show only the resources a user can access:
{ "principal" : { "id" : "user123" , "roles" : [ "user" ] }, "resource" : { "kind" : "document" }, "action" : "view" }
The response can be used with query plan adapters to generate database queries:
KIND_ALWAYS_ALLOWED : Return all documentsKIND_ALWAYS_DENIED : Return no documentsKIND_CONDITIONAL : Use the condition to filter the query (e.g., WHERE owner = 'user123')
Multiple Actions Generate a query plan for multiple actions at once:
{ "principal" : { "id" : "user123" , "roles" : [ "user" ] }, "resource" : { "kind" : "document" }, "actions" : [ "view" , "edit" , "delete" ] }
This returns a single filter that applies to all specified actions.
With Known Resource Attributes If you have some resource attributes known at query time, include them to get more specific query plans:
{ "principal" : { "id" : "user123" , "roles" : [ "user" ] }, "resource" : { "kind" : "document" , "attr" : { "status" : "published" } }, "action" : "view" }
Query Plan Adapters The filter returned by PlanResources can be converted to database-specific queries using query plan adapters:
These adapters automatically translate the filter conditions into the appropriate query format for your database.