Batch-authorization API for Cedar

[cdisselkoen]

Category

User level API features/changes

Describe the feature you'd like to request

API that takes a single PolicySet and Entities, a single action, resource, and context, and a batch (list) of principals, and reports whether each of the principals in the list is authorized. Likewise for a batch of actions and a batch of resources.

This can be done more efficiently than calling the normal is_authorized() in a loop, because we can first partial-evaluate with the principal unknown (resp. action or resource), and then evaluate only the residuals N times.

Describe alternatives you've considered

1. Just call is_authorized() in a loop
2. Users can do this by themselves, ie, call partial evaluation and then evaluate the residuals repeatedly, without us providing a wrapper API to do all of this in one call

Additional context

No response

Is this something that you'd be interested in working on?

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change