Audit logs for Cerbos Hub Embedded PDPs

Published by Alex Olivier on February 26, 2025

We are happy to share that we’ve introduced support for capturing audit decision logs from the Cerbos Hub Embedded Policy Decision Points (ePDP) using the latest version of the Cerbos JavaScript SDK. This feature enables organizations to track and analyze authorization decisions made locally in embedded environments, giving complete visibility and auditability without relying on a centralized PDP or Cerbos Hub.

Bringing audit logs to Embedded PDP

Embedded PDPs allow applications to evaluate policies locally, making instant authorization decisions without network latency. This is particularly valuable for applications running in offline mode, edge computing environments, or serverless architectures. Until now, organizations leveraging Embedded PDPs lacked a built-in way to capture and review these decisions.

With this latest update, audit decision logs from Embedded PDPs can now be recorded locally and processed in real time using the onDecision hook in the Cerbos JavaScript SDK, providing:

  • Complete audit trails of local authorization decisions
  • Enhanced security and compliance by recording every access decision
  • Simplified debugging for embedded authorization policies

How decision logs work in Embedded PDP

Every time the Embedded PDP evaluates a policy, it records key details such as:

  • Who made the request? (User identity and roles)
  • What action was attempted? (Requested resource and action)
  • Was access granted or denied? (ALLOW/DENY decision)
  • Which policy was applied? (Evaluated Cerbos policy and derived roles)

These logs can be captured using the onDecision callback, which receives a structured DecisionLogEntry that can be processed locally, stored, or analyzed in real time.

onDecision hook

The onDecision property in the JavaScript SDK allows developers to specify a callback function that is invoked whenever a decision is made. This makes it easy to store or process logs as needed.

Example decision log entry

Here's a sample log entry showing that user sally was allowed to view expense1.

{
  "timestamp": "2023-01-05T15:51:13.150Z",
  "requestId": "01GP1A25FW6BVX9JWYM9M6T0Z0",
  "principal": {
    "id": "sally",
    "roles": ["USER"],
    "attr": {
      "region": "EMEA",
      "department": "SALES"
    }
  },
  "resource": {
    "kind": "expense",
    "id": "expense1",
    "attr": {
      "status": "PENDING",
      "amount": "40",
      "region": "EMEA",
      "vendor": "Expense 1",
      "approvedBy": "frank",
      "createdAt": "2023-01-03T15:45:55.461Z",
      "ownerId": "sally"
    }
  },
  "action": "view",
  "effect": "EFFECT_ALLOW",
  "policy": "resource.expense.vdefault",
  "effectiveDerivedRoles": ["OWNER"]
}

Implementing the JavaScript SDK with Embedded PDP

Below is an example of how to use the Cerbos JavaScript SDK with Embedded PDP and capture audit decision logs using the onDecision hook.

import { Embedded as Cerbos } from "@cerbos/embedded";

async function run() {
  const cerbos = new Cerbos({
    // Policy bundle served by Cerbos Hub for your workspace
    policy: "https://lite.cerbos.cloud/bundle?workspace=",
    // Invoked with a DecisionLogEntry every time the Embedded PDP evaluates a decision
    onDecision: (entry) => {
      console.log("Audit log entry:", JSON.stringify(entry, null, 2));
      // Optionally store the log entry in a database or file
    }
  });

  // Evaluate a single principal/resource/action check locally
  const decision = await cerbos.isAllowed({
    principal: {
      id: "sally",
      roles: ["USER"],
      attr: { region: "EMEA", department: "SALES" }
    },
    resource: {
      kind: "expense",
      id: "expense1",
      attr: { status: "PENDING", amount: "40", region: "EMEA" }
    },
    action: "view"
  });

  console.log("Authorization decision:", decision);
}

run().catch((err) => console.error("Authorization check failed:", err));
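The handler in the example above only prints each entry. The following is an added example, not code from the Cerbos SDK or from this post, of an onDecision handler that redacts selected principal attributes before logging, writes each DecisionLogEntry as one JSON line, and counts DENY decisions per principal so repeated denials can be surfaced. The attribute names in SENSITIVE_ATTRS and the sample entries are constructed assumptions; the entry fields follow the sample DecisionLogEntry shown earlier.

```javascript
// Added example, not Cerbos SDK code: a local audit sink for the onDecision hook.
// Entry fields follow the DecisionLogEntry sample above; sample entries are constructed.
const SENSITIVE_ATTRS = new Set(["email", "taxId"]); // hypothetical attribute names to mask
// Copy principal attributes, masking any that should not land in a log file.
function redactAttrs(attr = {}) {
  const out = {};
  for (const [key, value] of Object.entries(attr)) {
    out[key] = SENSITIVE_ATTRS.has(key) ? "[REDACTED]" : value;
  }
  return out;
}
// Flatten one DecisionLogEntry into a single JSON line for a log file or SIEM forwarder.
function toAuditLine(entry) {
  return JSON.stringify({
    ts: entry.timestamp,
    requestId: entry.requestId,
    principal: entry.principal.id,
    roles: entry.principal.roles,
    principalAttr: redactAttrs(entry.principal.attr),
    resource: `${entry.resource.kind}:${entry.resource.id}`,
    action: entry.action,
    effect: entry.effect,
    policy: entry.policy,
    derivedRoles: entry.effectiveDerivedRoles ?? [],
  });
}
// Build an onDecision callback that records every decision and counts DENY results
// per principal, calling onAlert once a principal reaches denyThreshold.
function createAuditSink({ denyThreshold = 3, onAlert = () => {} } = {}) {
  const lines = [];
  const denies = new Map();
  function onDecision(entry) {
    lines.push(toAuditLine(entry));
    if (entry.effect !== "EFFECT_DENY") return;
    const count = (denies.get(entry.principal.id) ?? 0) + 1;
    denies.set(entry.principal.id, count);
    if (count === denyThreshold) onAlert(entry.principal.id, count);
  }
  return { onDecision, lines, denyCount: (id) => denies.get(id) ?? 0 };
}
// Constructed sample entry in the shape the SDK passes to onDecision (see the sample above).
function sampleEntry(principalId, action, effect) {
  return {
    timestamp: "2023-01-05T15:51:13.150Z", requestId: "01GP1A25FW6BVX9JWYM9M6T0Z0",
    principal: { id: principalId, roles: ["USER"], attr: { region: "EMEA", email: "s@example.com" } },
    resource: { kind: "expense", id: "expense1", attr: { status: "PENDING" } },
    action, effect, policy: "resource.expense.vdefault", effectiveDerivedRoles: [],
  };
}
```

Pass sink.onDecision as the onDecision option when constructing the Embedded client and forward sink.lines to your log store.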

Why this matters

Bringing audit logs to Embedded PDPs ensures that teams have full control over their authorization decisions, even in environments where traditional logging was previously challenging. Security engineers, product managers, and developers now have the same level of visibility and traceability as with centrally managed PDPs.

  • Security & compliance → Track and audit every access decision for regulatory adherence.
  • Faster debugging → Quickly diagnose and resolve access control issues.
  • Operational insights → Understand user behavior and access patterns.

Get started today

This feature is available in the latest version of the Cerbos JavaScript SDK. To start using audit decision logs for Embedded PDPs, update your SDK and implement the onDecision hook to capture logs locally.

Check out the documentation to get started. Feel free to book a call with a Cerbos engineer to see how our solution can help streamline access control in your applications.

Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team