Access Control Provider

Resource-based authorization using Cerbos policies. Batches multiple useCan calls into a single API request using DataLoader.

Setup

<Refine
  authProvider={authProvider(client)}
  accessControlProvider={accessControlProvider(client)}
/>

Options

accessControlProvider(client, {
  batchDelayMs: 50, // ms to wait before batching permission checks (default: 50)
});

Check Permissions

const { data } = useCan({
  resource: "posts",
  action: "edit",
  params: { id: 1 },
});

if (data?.can) {
  // User can edit this post
}

CanAccess Component

<CanAccess resource="posts" action="delete" params={{ id: 1 }}>
  <DeleteButton />
</CanAccess>

Entity Type Resolution

Cerbos policies use entity types. Resolution priority:

  1. params.entityType — direct override in useCan
  2. resource.meta.entityType — from Refine resource config
  3. Resource name — fallback

// Set in resource config
<Refine resources={[{ name: "posts", meta: { entityType: "blog" } }]} />

// Or override per-check
useCan({
  resource: "posts",
  action: "edit",
  params: { id: 1, entityType: "article" },
});

Caching

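Permission results are cached through Refine's built-in TanStack Query caching, so a result can be reused without a new Cerbos check until it goes stale: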

  • staleTime: 5 minutes
  • gcTime: 10 minutes

DataLoader handles request batching only (its cache is disabled).
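
The sketch below is an added example, not the adapter's own code. It shows how checks queued during one batch window could be collapsed into a single request using the entity type resolution order described above, and how results map back to each useCan call with deny as the default. The helper names, the placeholder id "new" and the request/response shapes are assumptions.

```javascript
// Added illustration, not the adapter's source. Helper names and the
// request/response shapes are assumptions.

// Constructed sample data: resource config and the checks queued in one batch window.
const RESOURCES = [{ name: "posts", meta: { entityType: "blog" } }, { name: "users" }];
const QUEUED = [
  { resource: "posts", action: "edit", params: { id: 1 } },
  { resource: "posts", action: "delete", params: { id: 1 } },
  { resource: "posts", action: "edit", params: { id: 1, entityType: "article" } },
  { resource: "users", action: "list" },
];

// Priority from the page: params.entityType, resource.meta.entityType, resource name.
function resolveEntityType(check, resources) {
  const config = resources.find((r) => r.name === check.resource);
  return check.params?.entityType ?? config?.meta?.entityType ?? check.resource;
}

// Assumption: a check without an id uses the placeholder id "new".
function target(check, resources) {
  return { kind: resolveEntityType(check, resources), id: String(check.params?.id ?? "new") };
}

// One entry per (kind, id) with the union of requested actions.
function buildBatch(checks, resources) {
  const grouped = new Map();
  for (const check of checks) {
    const resource = target(check, resources);
    const key = JSON.stringify(resource);
    if (!grouped.has(key)) grouped.set(key, { resource, actions: new Set() });
    grouped.get(key).actions.add(check.action);
  }
  return [...grouped.values()].map((e) => ({ resource: e.resource, actions: [...e.actions] }));
}

// Map batched results back onto each check; anything not explicitly allowed is denied.
function fanOut(checks, resources, results) {
  return checks.map((check) => {
    const { kind, id } = target(check, resources);
    const hit = results.find((r) => r.resource.kind === kind && r.resource.id === id);
    return { can: hit?.actions?.[check.action] === "EFFECT_ALLOW" };
  });
}
```

With the sample data, the two "blog" checks on id 1 share one entry, while the per-check override produces a separate "article" entry that is evaluated against a different policy.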