All integrations
SQLAlchemy
Data filtering

Authorization-aware data filtering for SQLAlchemy

Convert Cerbos query plans into native SQLAlchemy filters, return only the data your users are authorized to see.

Extend user roles

Extend user roles

Fine-grained access controls extending the roles defined in SQLAlchemy models

Enrich with context

Enrich with context

Request-time attribute-based authorization enables more contextual access controls

Avoid token bloat

Avoid token bloat

Independent authorization logic avoids bloated tokens and workarounds

How Cerbos works with SQLAlchemy

When users should only see a subset of data, traditional approaches filter results in application code, leading to duplicated logic, inconsistencies, and performance problems at scale.

Cerbos query plan evaluation converts your authorization policies into native SQLAlchemy filters. Instead of fetching all data and filtering after the fact, your database only returns rows the user is authorized to see.

The same YAML policies that control API-level access now drive data-level filtering, one source of truth for who can see what, managed by product and security teams without touching application code.

Policy-as-codeHuman-readable YAML policies managed like source codeScalable PDPStateless policy decision point with sub-millisecond latencyCentralized managementManage, test, and deploy policies from a single control plane

How Cerbos filters data in SQLAlchemy

  1. Define authorization policies in YAML, Write resource policies that describe who can see which records, using roles and attributes.
  2. Request a query plan from Cerbos, Your application calls the PlanResources API, and Cerbos returns an abstract query plan.
  3. Convert the plan to a native SQLAlchemy filter, Map the Cerbos query plan to a SQLAlchemy query predicate so filtering happens at the data layer.
  4. Database returns only authorized rows, The query executes with the authorization filter baked in, no post-fetch filtering required.

FAQ

How does Cerbos filter data in SQLAlchemy?

Cerbos evaluates your authorization policies and produces a query plan. The SQLAlchemy adapter converts that plan into a native query filter, so your database only returns rows the user is authorized to see.

Does this replace application-level authorization checks?

Data filtering complements API-level checks. Cerbos handles both, the same policies that control who can access an endpoint also determine which rows are visible at the data layer.

Learn more about Cerbos

How Cerbos worksCerbos PDPCerbos HubWebinars and ebooksFeatures & use casesSuccess stories

Related integrations

View all integrations →
Kafka
Apache KafkaPluggable authorizer for Kafka topic, consumer group, and cluster ops
Authorization extensionsData filtering
Mongoose
MongooseApply Cerbos query plans as MongoDB filter predicates via Mongoose
Data filtering
Prisma
PrismaInject Cerbos query plans as Prisma where-clause filters on any model
Data filtering
ChromaDB
ChromaDBTranslate Cerbos query plans into ChromaDB metadata filters
Data filteringAI
Convex
ConvexConvert Cerbos query plans into native Convex filter expressions
Data filtering
Drizzle ORM
Drizzle ORMMap Cerbos query plans to Drizzle ORM where-clause conditions
Data filtering

Cerbos + SQLAlchemy

  • Cerbos policies converted to native SQLAlchemy query filters
  • Database returns only rows the principal is authorized to see
  • One source of truth for API and data-level access control
  • Filtering happens at the query level, not post-fetch
Book a free policy workshopTry the Playground