When Cerbos starts, after reading its configuration file, it finds its policies and loads them into memory. It uses these policies to make its decisions.
The access rules for each resource and action are stored in the policy files. In addition to the resource policies, these files can also include derived role definitions, individual principal policies, and request attribute requirements.
Cerbos does not have to reload or look up the policies every time it gets a new request. However, on a periodic basis it can monitor the storage for updates and automatically hot-reload the latest policy. Alternatively one can always use an admin end point to force a refresh of policies on an instance..
The policies can be stored in three different main storage types: git, disk, or database.