A scalable authorization layer that provides fine-grained access control through externalized policies, enabling secure and flexible permissions management.

Overview:

Cerbos is an open-source authorization layer that lets application teams define and manage access control policies as YAML files. It provides a self-hosted Policy Decision Point (PDP) that evaluates these policies and returns access decisions over its gRPC and HTTP APIs; the application remains the enforcement point and calls the PDP before acting on a request. Designed for developers and DevOps teams, Cerbos can be deployed as a Kubernetes service, a sidecar, a systemd service, or an AWS Lambda function. It fits GitOps workflows for policy management and offers SDKs for multiple programming languages to simplify integration into existing applications.

Core Features:

  • Policy Decision Point (PDP): A stateless service that evaluates YAML-based access policies and exposes two core APIs: CheckResources, which returns an allow or deny decision for each action a principal wants to perform on a batch of resources, and PlanResources, which returns a query plan (a filter condition) describing which resources of a given kind the principal may perform an action on, so the application can turn it into a database query instead of fetching every record and checking each one.

  • YAML-based Policies: Access rules are defined in simple, structured YAML files that can be stored on disk, in cloud object stores, git repositories, or supported databases.

  • Context-aware Access Control: Supports both Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). Rules are keyed on roles, and conditions written as expressions over the principal's and the resource's attributes in the request can be attached to resource policies, derived roles, and principal policies, so a decision can depend both on who the principal is and on the state of the resource at evaluation time.

  • Client SDKs: Provides official SDKs for Go, Java, JavaScript, .NET, PHP, Python, Ruby, and Rust to call PDP APIs from application code.

  • Query Plan Adapters: Includes adapters to convert PlanResources responses into query objects for Prisma and SQLAlchemy.

  • CI/CD Integration: Policies live in Git and flow through GitOps deployment workflows; Cerbos Hub, a cloud control plane, adds collaborative policy authoring, testing, and distribution of policies to PDPs.
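
As an added example (not from this page or from the Cerbos project), the three files below show how the features above fit together: a derived-roles file that promotes a plain `user` to `owner` when the resource's `ownerId` attribute equals the principal's id, a resource policy for an `expense` kind that mixes static roles with conditions, and a policy test that the PDP's compiler can run in CI. The resource kind, role names, attribute names, file paths and test data are assumptions made for this illustration; the file structure (`apiVersion`, `derivedRoles`, `resourcePolicy`, the test file's `principals`/`resources`/`tests` sections) and the `EFFECT_ALLOW`/`EFFECT_DENY` values follow the Cerbos policy format. The files are shown one after another, separated by `---`; in a policy directory each would be its own file.

```yaml
# File 1: derived_roles/common_roles.yaml  (assumed path)
# A derived role is computed per request from the principal's static roles
# plus a condition over request attributes: this is the ABAC half.
apiVersion: api.cerbos.dev/v1
derivedRoles:
  name: common_roles
  definitions:
    - name: owner
      parentRoles: ["user"]
      condition:
        match:
          # Both sides of the expression come from the CheckResources request,
          # so the caller must fill them from authenticated, trusted data.
          expr: request.resource.attr.ownerId == request.principal.id
---
# File 2: resource_policies/expense.yaml  (assumed path)
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "expense"
  importDerivedRoles:
    - common_roles
  rules:
    # RBAC: a static role grants every action.
    - actions: ["view", "edit", "approve", "delete"]
      effect: EFFECT_ALLOW
      roles: ["admin"]
    # Derived role: owners may read and edit their own expenses only.
    - actions: ["view", "edit"]
      effect: EFFECT_ALLOW
      derivedRoles: ["owner"]
    # ABAC condition on a static role: managers approve, but never their own
    # expense (separation of duties) and only inside their own department.
    - actions: ["approve"]
      effect: EFFECT_ALLOW
      roles: ["manager"]
      condition:
        match:
          all:
            of:
              - expr: request.resource.attr.ownerId != request.principal.id
              - expr: request.resource.attr.department == request.principal.attr.department
    # Any action with no matching ALLOW rule (e.g. "delete" for a user) is denied.
---
# File 3: tests/expense_test.yaml  (assumed path; test files must end in _test.yaml)
name: ExpenseTests
principals:
  alice:
    id: alice
    roles: ["user"]
    attr: {department: finance}
  bob:
    id: bob
    roles: ["manager"]
    attr: {department: finance}
resources:
  alice_expense:
    kind: expense
    id: exp-1
    attr: {ownerId: alice, department: finance}
  bob_expense:
    kind: expense
    id: exp-2
    attr: {ownerId: bob, department: finance}
tests:
  - name: Owner can view and edit but not approve or delete
    input:
      principals: ["alice"]
      resources: ["alice_expense"]
      actions: ["view", "edit", "approve", "delete"]
    expected:
      - principal: alice
        resource: alice_expense
        actions:
          view: EFFECT_ALLOW
          edit: EFFECT_ALLOW
          approve: EFFECT_DENY
          delete: EFFECT_DENY
  - name: Manager can approve a colleague's expense but not their own
    input:
      principals: ["bob"]
      resources: ["alice_expense", "bob_expense"]
      actions: ["approve"]
    expected:
      - principal: bob
        resource: alice_expense
        actions:
          approve: EFFECT_ALLOW
      - principal: bob
        resource: bob_expense
        actions:
          approve: EFFECT_DENY
```

The test file is what makes the GitOps workflow safe: a pipeline can compile the policy directory and run these cases before any PDP picks up the change (the `cerbos compile` command with its `--tests` flag is what I would use for that; the exact invocation is taken from the Cerbos CLI as I know it, not from this page). At runtime the application sends the same shape of data to CheckResources, the principal's id, roles and attributes plus each resource's kind, id and attributes, and receives EFFECT_ALLOW or EFFECT_DENY per action.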

Use Cases:

  • Application authorization: Developers can offload access control logic from application code to an external PDP, making authorization decisions consistent and auditable.

  • Multi-tenant SaaS platforms: Teams can define resource-specific policies for different tenants, using derived roles or conditions (for example, requiring the principal's tenant attribute to equal the resource's tenant attribute) to adjust permissions per principal and keep tenants isolated from one another.

  • DevOps-driven policy management: Operations teams can manage authorization policies alongside infrastructure code in Git repositories and CI pipelines, with the same review and change history.

  • Serverless and edge deployments: Organizations can deploy Cerbos as an AWS Lambda function or use Cerbos Hub’s Embedded PDP for browser and serverless environments.

Why It Matters:

Cerbos provides a self-hosted, API-driven approach to authorization that separates policy logic from application code. Its YAML-based policy format and GitOps integration allow teams to manage access rules the same way they manage infrastructure, with version history and review on every change. With support for both RBAC and ABAC via runtime conditions, it can handle granular, context-aware permissions. Cerbos does not authenticate users and does not require a particular identity provider: the calling application supplies the principal's id, roles and attributes with each request, and the PDP evaluates them as given. Those fields must therefore be populated from an authenticated session or a verified token rather than from client-controlled input, because a principal that can choose its own roles or attributes can choose its own decision. The availability of SDKs and query plan adapters makes integration practical for developers building custom access control into existing applications.


Project statistics

Stars: 4,377
Forks: 179
License: Apache-2.0

Metadata

Alternative to: Auth0