Easy setup of policy testing and distribution with Cerbos CloudSign up to our beta
Platform
Cerbos helps users separate their authorization process from their core application code, making their authorization system more scalable, more secure and easier to change as the application evolves.
- Implement access policies for your software
- Fine-grained access control that grows with your business
- An order of magnitude faster than Open Policy Agent based alternatives
What is Cerbos?
It's an access control decision engine for your software that is:
- Driven by simple API which makes every decision feel like a database call
- Policy-driven and attribute based for maximum flexibility and scale
- Decoupled, stateless and runs inside your stack
Why Cerbos?
- World class, open-source, off-the-shelf authorization layer, up and running in minutes, that can prevent over-provisioning of application and data privileges
- Collaborate easily with product management and security teams. Evolve authorization policies without having to make changes to the core application code
- Keep track of every access decision request, result and the reason for the decision for your audit process
Where and how does Cerbos run?
- Self-hosted: Cerbos lives in your environment where-ever it is, cloud or on-premise: VM, Kubernetes, or serverless
- Infinite scalability via serverless functions or a sidecar deployment model
- GitOps enabled policy development and deployment via a full testing suite for CI/CD pipelines
What does Cerbos integrate with?
- It integrates with your application via its REST and gRPC APIs. JavaScript, Python, Java, .NET, Rust, Ruby, Go and PHP SDKs are available for convenience
- Bring your own identity provider, e.g. Auth0, Okta, FusionAuth, Magic, WorkOS, Clerk.dev, AWS Cognito, Azure AD or your custom system
- Natively supports JWT for integration with many authentication providers (with out of the box examples)
Features
APIs, SDKs and latency
Full audit logs
Cerbos generates audit logs of every request and action for compliance requirements.
- Capture and log all incoming requests and responses consistently
- Full trace of every decision made and why it was allowed or denied
- Debug access requests with detailed information about the roles and attributes
- Integrate into your existing audit process
Policy flexibility, storage, and version control
Flexible, developer-friendly, YAML based policy authoring to model any business requirement:
- Policy authoring help with both sandboxed playground and IDE integrations
- Resource policies: define access control rules for all your objects
- Principal policies: not "everyone first" in a role so as to handle exceptions elegantly
- Derived roles: Design new roles on the fly based on the request context
- Scoped policies: policy inheritance for hierarchical policies
- Conditions: use Google's Common Expression Language, (CEL), to handle programming logic within policies
- Schemas: enforce API calls' integrity and security
- Full stack trace of every decision made and why they were allowed or denied
- Validation and testing framework for full CI/CD pipeline compatibility
Flexible policy storage options:
- Git based: Use any Git repository and its tooling for storing and updating policies
- Disk based: on disk with the deployment or GCS or S3 API compatible cloud storage
- Database backed: SQLite, MySQL, Microsoft SQL Server, PostgreSQL
Policy versioning that allows:
- Canary deployments
- Multiple run environments: dev, test, QA, prod, etc.
Deployment and configuration
Runs anywhere.
Meets your infrastructure requirements and business compliance policies wherever they are: Public or private cloud, or on premise.
Deploy and host based on your architecture.
Container orchestration:
Serverless: let your cloud provider manage it
- AWS lambda
- Google Cloud Run
Anywhere a binary can be run:
