diff --git a/coderd/rbac/partial.go b/coderd/rbac/partial.go
index 637440e121..7fea09d374 100644
--- a/coderd/rbac/partial.go
+++ b/coderd/rbac/partial.go
@@ -5,6 +5,7 @@ import (
 
 	"golang.org/x/xerrors"
 
+	"github.com/open-policy-agent/opa/ast"
 	"github.com/open-policy-agent/opa/rego"
 
 	"github.com/coder/coder/coderd/tracing"
@@ -32,6 +33,18 @@ func (pa *PartialAuthorizer) Authorize(ctx context.Context, object Object) error
 		return nil
 	}
 
+	// No queries means always false
+	if len(pa.preparedQueries) == 0 {
+		return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), pa.input, nil)
+	}
+
+	parsed, err := ast.InterfaceToValue(map[string]interface{}{
+		"object": object,
+	})
+	if err != nil {
+		return xerrors.Errorf("parse object: %w", err)
+	}
+
 	// How to interpret the results of the partial queries.
 	// We have a list of queries that are along the lines of:
 	// 	`input.object.org_owner = ""; "me" = input.object.owner`
@@ -45,9 +58,7 @@ func (pa *PartialAuthorizer) Authorize(ctx context.Context, object Object) error
 EachQueryLoop:
 	for _, q := range pa.preparedQueries {
 		// We need to eval each query with the newly known fields.
-		results, err := q.Eval(ctx, rego.EvalInput(map[string]interface{}{
-			"object": object,
-		}))
+		results, err := q.Eval(ctx, rego.EvalParsedInput(parsed))
 		if err != nil {
 			continue EachQueryLoop
 		}