Authorization is a critical component of modern applications, ensuring users have the right level of access to data without embedding complex rules into application code. Cerbos’ Query Plan API has long been a valuable tool in this space, enabling dynamic filtering of data based on pre-defined policies.
With our latest update to the reference Prisma Query Plan Adapter, we’ve significantly expanded its capabilities, making it even easier to enforce fine-grained access control within applications using Prisma ORM. In this blog post, we’ll explore the new features, the use cases they enable, and how you can start using the adapter today.
The new version of the Cerbos Prisma ORM Adapter introduces several powerful enhancements that make it more flexible and robust.
Previously, the adapter supported basic logical and comparison operators. The new release now adds support for:
startsWith, endsWith, contains, isSet
every, exists, exists_one, all, filter
hasIntersection
This makes it easier to apply more complex conditions directly in your Prisma queries.
One of the biggest enhancements is full support for deep nested relations, allowing policies to filter data based on attributes from related models.
Previously, filtering based on a related model required additional logic outside the adapter. Now, you can express such conditions naturally within your policies:
condition:
  match:
    expr: request.resource.attr.nested.aBool == true
With a simple field mapper, this is now seamlessly converted into a Prisma where clause:
const result = queryPlanToPrisma({
  queryPlan,
  mapper: {
    "request.resource.attr.nested.aBool": "nested.aBool",
  },
});
The adapter can now automatically infer field names and relationships based on policy expressions. Stronger TypeScript support also ensures mappings are type-safe and easier to maintain.
With better support for collections, policies can now check for attributes across multiple related records. This enables more granular enforcement of rules such as:
The internal logic of the adapter has been optimized for efficiency, ensuring that generated Prisma queries remain performant even as complexity increases.
These enhancements open up a range of new use cases for Prisma users integrating Cerbos, such as:
If you're already using Cerbos and Prisma, upgrading to the new adapter is straightforward.
npm install @cerbos/orm-prisma
Integrate the adapter into your Prisma queries:
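import { queryPlanToPrisma, PlanKind } from "@cerbos/orm-prisma";

const result = queryPlanToPrisma({
  queryPlan, // generated by the Cerbos PDP
  mapper: {
    // Policy attribute backed by a to-one relation on the Prisma model
    "request.resource.attr.owner": {
      relation: {
        name: "owner",
        type: "one"
      }
    },
    // Policy attribute backed by a scalar column
    "request.resource.attr.status": {
      field: "status"
    },
  },
});

// The policy denies access to every record: skip the database query entirely
if (result.kind === PlanKind.ALWAYS_DENIED) {
  return [];
}

// Otherwise let the database apply the policy-derived filter
const records = await prisma.resource.findMany({
  where: result.filters
});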
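The sketch below is an added example, not code from @cerbos/orm-prisma: it shows how a mapper-driven translation from a plan condition to a Prisma `where` object can fail closed, since an empty `where` matches every row. The plan shape, the kind strings, and the names `planToFilters`, `toWhere`, `samplePlan` and `sampleMapper` are assumptions made for illustration.

```javascript
// Added illustration, not the @cerbos/orm-prisma source. Plan shape is constructed.
const OPS = new Map([["eq", "equals"], ["ne", "not"], ["lt", "lt"], ["gt", "gt"]]);
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// "nested.aBool" + leaf -> { nested: { aBool: leaf } }
const nest = (path, leaf) =>
  path.split(".").reduceRight((acc, key) => ({ [key]: acc }), leaf);

function toWhere(expr, mapper) {
  const { operator, operands = [] } = expr;
  if (operator === "and" || operator === "or") {
    if (operands.length === 0) throw new Error(`empty ${operator}`);
    return { [operator.toUpperCase()]: operands.map((o) => toWhere(o, mapper)) };
  }
  if (operator === "not" && operands.length === 1) {
    return { NOT: toWhere(operands[0], mapper) };
  }
  const prismaOp = OPS.get(operator); // Map lookup: no prototype keys such as "constructor"
  if (!prismaOp) throw new Error(`unsupported operator: ${operator}`);
  const [variable, literal] = operands; // operand order matters for lt/gt
  if (operands.length !== 2 || !own(variable, "name") || !own(literal, "value")) {
    throw new Error(`expected <variable> ${operator} <value>`);
  }
  // An attribute the mapper does not know must never silently drop out of the filter.
  if (!own(mapper, variable.name)) throw new Error(`unmapped attribute: ${variable.name}`);
  return nest(mapper[variable.name], { [prismaOp]: literal.value });
}

function planToFilters(plan, mapper) {
  switch (plan.kind) {
    case "KIND_ALWAYS_DENIED":
      return { kind: plan.kind }; // no filters: caller returns no rows
    case "KIND_ALWAYS_ALLOWED":
      return { kind: plan.kind, filters: {} }; // empty where = every row, valid only here
    case "KIND_CONDITIONAL":
      return { kind: plan.kind, filters: toWhere(plan.condition, mapper) };
    default:
      throw new Error(`unknown plan kind: ${plan.kind}`);
  }
}

// Constructed sample: nested.aBool == true AND status != "archived"
const samplePlan = { kind: "KIND_CONDITIONAL", condition: { operator: "and", operands: [
  { operator: "eq", operands: [{ name: "request.resource.attr.nested.aBool" }, { value: true }] },
  { operator: "ne", operands: [{ name: "request.resource.attr.status" }, { value: "archived" }] },
] } };
const sampleMapper = { "request.resource.attr.nested.aBool": "nested.aBool",
                       "request.resource.attr.status": "status" };
```

Calling `planToFilters(samplePlan, sampleMapper)` yields `{ AND: [{ nested: { aBool: { equals: true } } }, { status: { not: "archived" } }] }`; removing an entry from the mapper makes the call throw instead of returning a weaker filter.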
Upgrade your existing integration or start from scratch with our updated documentation and examples.
For more details, check out the official GitHub repository or join the Cerbos community Slack to discuss best practices and real-world implementations.