Cerbos PDP v0.41.0: Scope permissions and role policies

Published by Alex Olivier on March 06, 2025

The Cerbos v0.41.0 release enhances support for scope permissions and role policies.

Scope permissions allow you to control how scoped policies are evaluated, ensuring that child scopes cannot be more permissive than their parent scopes when the scopePermissions field is set to SCOPE_PERMISSIONS_REQUIRE_PARENTAL_CONSENT_FOR_ALLOWS. Role policies provide an additional layer of restriction on resource policies, requiring explicit permission for actions while still adhering to resource policies. This allows applications to implement custom role-based access controls with greater precision.
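As an added illustration (not taken from the release notes or the Cerbos repository), the two policy files below show a root-scope parent and a child scope that opts into the restriction described above. The resource name `expense`, the scope `acme`, the role `employee` and the `owner` attribute are constructed for this example.

```yaml
# File 1 (constructed): parent policy in the root scope (no scope field).
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: expense
  rules:
    # The parent allows "view" only; it has no rule for "approve".
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["employee"]
---
# File 2 (constructed): child policy in scope "acme".
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: expense
  scope: acme
  # Allows in this scope only count when the parent scope also allows them.
  scopePermissions: SCOPE_PERMISSIONS_REQUIRE_PARENTAL_CONSENT_FOR_ALLOWS
  rules:
    # Narrows the parent's "view": the parent allows it, so this
    # owner-only allow can take effect.
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["employee"]
      condition:
        match:
          expr: request.resource.attr.owner == request.principal.id
    # Tries to widen access: the parent does not allow "approve", so
    # this allow cannot make the child more permissive than its parent.
    - actions: ["approve"]
      effect: EFFECT_ALLOW
      roles: ["employee"]
```

Pairing the child policy with a policy test that expects a deny for `approve` in scope `acme` turns this guarantee into a regression check.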

Additional improvements include time-based functions defaulting to UTC unless a specific time zone is provided, stricter policy test validation, improved query planner handling of scope-based expressions, and better CPU detection in Amazon ECS deployments to minimize throttling. Review your policies before upgrading to confirm that time zone calculations remain correct.

For full details, refer to the v0.41.0 release notes or join the Cerbos Slack community for discussions.

Stay tuned for an upcoming in-depth tutorial on effectively leveraging scope permissions and role policies to enhance access control in your applications!
