Hey <!channel>! Feel free to check out our latest blog post, it’s about implementing authorization and access control in Flask 👉https://www.cerbos.dev/blog/authorization-in-flask👈

Happy Friday, community 👋 😊 We just published a deep dive into externalized authorization management (EAM). In the blog, we cover: • what EAM is; • when you might need it; • the associated technical benefits; • along with how to implement it. 👉 Feel free to check out the blog on EAM here 👈 Have a great weekend!

hey everyone! :) We just published a blog post, where we explore different approaches to enforcing RBAC and ABAC in an enterprise context. As well as what drives the business need to choose between RBAC and ABAC, the various architectural deployments of these access control methods, and the implications of their selection. If you’re interested, you can find the blog with all the details here

Hey community! We have some exciting news! Cerbos PDP - our open-source authorization solution, just hit 3.6k stars on GitHub! 🚀 🎉 https://github.com/cerbos/cerbos Thank you all for your support ☺️💪

Hey, <!channel>! 👋 We have a new blog out, where we discuss our journey from using OPA to building our own engine. If you’re interested in the details (as well as understanding why we decided to make that transition, and what benefits we have seen since then) - feel free to check out the piece here

Hey <!channel>! We’ve gotten many questions from our community and customers about securing non-human identities. So we wanted to get into this topic in more detail 😊⬇️ Securing applications is not just about authorizing users based on their identity. Service-to-service calls, external API clients, AI agents, bots, and background jobs all act as independent workloads with their own identities, all requiring access to data and resources. NHIs need to be authorized just like human users. Otherwise, these workloads can become security risks, leading to over-privileged services, unauthorized data exposure, and compliance violations. Here you can learn how Cerbos can be used to secure NHIs 👉 https://www.cerbos.dev/features-benefits-and-use-cases/authorization-non-human-identities

happy Friday, community! 🙂 We wanted to share our latest blog post with you. We dove into the various certifications for enterprise architects, domain solutions architects, and software engineers, detailing their formats, prerequisites, and associated costs. Although certification doesn’t replace experience - it can be a valuable addition to professional experience for architects. So if you’re interested - feel free to check out the blog post here. Some certifications we cover include: TOGAF 9, ITIL Master, Zachman Framework, AWS Certified Solutions Architect, Google Professional Cloud Architect, and others.

Hey <!channel>! In our latest blog, we dove into the topic of translating business requirements to authorization policy for HR 💡 Check it out if you’d like to understand the process of reviewing business requirements, analyzing them, defining policies, and ultimately deploying them to production systems as efficiently as possible 👉 https://www.cerbos.dev/blog/business-requirements-to-authorization-policy-in-hr-systems

hey <!channel> 👋 We are happy to share that we’ve introduced support for capturing audit decision logs from the Cerbos Hub Embedded Policy Decision Points (ePDP) using the latest version of the Cerbos Javascript SDK 🌟 🎉 This feature enables organizations to track and analyze authorization decisions made locally in embedded environments, ensuring complete visibility and auditability, without relying on a centralized PDP or Cerbos Hub. Discover the details here

Hey community! We’ve just published a blog post about authorization at the edge and it’s benefits • ✅ Faster response times • ✅ More reliable access control • ✅ Reduced load on central servers 👉 Feel free to check it out here 👈

Release - v0.41.0 New release published by github-actions[bot] Cerbos 0.41.0 View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.41.0.html Changelog Features • bfef008 feat(plan): Use scope value in the query plan (#2485) • 9bec734 feat: Replace labels with deployments in bundle API v2 (#2483) Enhancements • 71682d6 enhancement!: Switch to ContextEval to evaluate CEL expressions (#2495) • 538ab24 enhancement: Correctly set GOMAXPROCS on ECS (#2459) • 41787ba enhancement: Fail tests with unreachable output expectations (#2418) • c2f16ff enhancement: Lazy rule table (#2460) • 131bf5f enhancement: Rule table engine (#2442) • ecf08cc enhancement: Support bundlev2 (#2395) Bug fixes • 038719b fix: Add missing policy required for mutable e2e tests (#2502) • bd3222d fix: Correctly handle defaultPolicyVersion engine config (#2449) • 8983b99 fix: Correctly handle partial rule table and event subscription (#2455) • a676fd1 fix: Fall back to default policy version sooner in query planner (#2450) • 0b80bcb fix: Reload rule table when store contents change (#2452) • f611ff2 fix: Return validation errors and effective policies in query planner responses (#2447) • a12fd5c fix: Rule table reload should only purge (#2467) • 3596a31 fix: Use correct filterDebug type in e2e query planner test (#2448) Documentation • 73b40e4 docs: Correct examples for math functions (#2445) • 9096ecb docs: Scope permissions (#2487) • 1fd792d docs: Update 03_calling-cerbos.adoc of tutorial to use the updated

/api/check/resources

endpoint (#2429) • 4eb7b26 docs: Update what-is-cerbos.adoc tenant ->tenet (#2406) Chores • 282fe32 chore!: REQUIRE_PARENTAL_CONSENT refinements for resource and principal policies (#2484) • 31e635e chore!: Role policy deny rows (#2475) • 24551ba chore(deps): Bump filippo.io/age from 1.2.0 to 1.2.1 (#2423) • 7a81126 chore(deps): Bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 in /tools (#2491) • 39242a6 chore(deps): Bump github.com/quic-go/quic-go from 0.48.1 to 0.48.2 in /tools (#2405) • 3792699 chore(deps): Bump golang.org/x/crypto from 0.29.0 to 0.31.0 in /tools (#2414) • c03afd6 chore(deps): Remove SQL Server dependencies (#2394) • 09806c6 chore(deps): Update alecthomas/kong to v1.5.1 (#2404) • e11f815 chore(deps): Update dawidd6/action-download-artifact action to v7 (#2417) • 5571a2c chore(deps): Update dependency node to v22.13.0 (#2444) • 4eda1c7 chore(deps): Update github actions deps (#2427) • 55dc0c8 chore(deps): Update github actions deps (#2464) • d6818fa chore(deps): Update github.com/bufbuild/protovalidate-go to 0.8.0 (#2428) • d0c26dd chore(deps): Update github.com/go-git/go-git/v5 (#2437) • aa9a573 chore(deps): Update go deps (#2397) • 915609b chore(deps): Update go deps (#2407) • 8b6d25e chore(deps): Update go deps (#2415) • 2660e5e chore(deps): Update go deps (#2431) • <https://github.com/cerbos/cerbos/c… cerbos/cerbos

Hey, <!channel>, happy Monday! 🚀 We wanted to share about our latest update - Cerbos Prisma Integration v2.0 With our latest update to the reference Prisma Query Plan Adapter, we’ve significantly expanded its capabilities, making it even easier to enforce fine-grained access control within applications using Prisma ORM. Updates include: • Expanded operator support • Deep nested relations • Automatic field inference and type-safe mapping • Improved collection handling • Performance optimizations 👉Check out the full blog post for more details &amp; info on how to get started 👈

Hey <!channel> ! 👋 🎥 We will be hosting a webinar “Cloud, SaaS, or self-hosted? Which authentication & authorization deployment model is right for you?” Join to learn about: • Security & compliance trade-offs across deployment models • Engineering implications from performance to integration complexity • Hidden costs & operational risks you might not expect • How to future-proof your auth stack for scalability & reliability 📅 April 17, 2025 | 5pm CET / 9am PST (recording will be available to all registrants) 🎙️ Speakers: Dan Moore, Principal Product Engineer at FusionAuth & Alex Olivier, CPO at Cerbos 👉 register here 👈 see you there! ☺️

Hey everyone! 😊 Non-human identities now outnumber human users by 17:1, yet they are one of the most overlooked attack vectors in today’s systems. Which is why we published a new blog post breaking down the OWASP Top 10 threats to non-human identities (NHIs). We explain what each threat is, real-world examples of breaches, and practical steps to mitigate them. Plus, we show how Cerbos helps enforce least privilege and context-aware access control for NHIs. Feel free to check it out here

Hey <!channel>! We’ve published a blog post where we examine the key elements of compliance that should be prioritized, from data quality and change management to audit logs and access control. We also explore how picking the right authorization system can strengthen your compliance efforts. Feel free to check it out here 💡 A study by the Ponemon Institute found that, on average, non-compliance costs companies about 2.7 times more than meeting compliance requirements in the first place.

Release - v0.42.0 New release published by github-actions[bot] ## Cerbos 0.42.0 View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.42.0.html ## Changelog ### Features • e3aef93 feat: SPIFFE functions (#2524) ### Enhancements • 36c7625 enhancement: Stop logging attribute values as JSON-encoded strings in decision logs (#2516) ### Bug fixes • 8cbeca7 fix: Ensure derived role updates purge rule table caches (#2523) • 4449609 fix: Evaluate condition blocks correctly in REPL (#2513) • f1fc31d fix: Purge schema cache on store reload (#2522) • e4da017 fix: Tidy up rule table trace outputs (#2531) ### Documentation • 970f7fd docs: Remove symlink to SQL Server schema (#2505) ### Chores • b7fa780 chore(deps): Bump github.com/containerd/containerd from 1.7.25 to 1.7.27 in /tools (#2520) • 2658904 chore(deps): Bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 in /tools (#2527) • ed471a3 chore(deps): Bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 in /tools (#2526) • 92b5da4 chore(deps): Bump github.com/redis/go-redis/v9 from 9.7.0 to 9.7.3 (#2525) • b89d3c4 chore(deps): Bump golang.org/x/net from 0.35.0 to 0.36.0 in /api/genpb (#2514) • 9bff439 chore(deps): Bump golang.org/x/net from 0.35.0 to 0.36.0 in /tools (#2509) • fc62644 chore(deps): Update go deps (#2507) • 5c2b5bd chore(deps): Update golangci/golangci-lint-action action to v6.5.1 (#2517) • e682aeb chore(deps): Update golangci/golangci-lint-action action to v6.5.2 (#2528) • 0276262 chore(deps): Update node.js deps (#2508) • 25b8f18 chore(deps): Update pnpm to v10.6.3 (#2518) • ed90ba0 chore(deps): Update pnpm to v10.6.5 (#2529) • 5d3167a chore(planner): Switch from CEL protobuf to native types (#2492) • 4e6d19b chore(release): Add 0.42.0 release notes (#2532) • 1a5b7c2 chore(release): Prepare release 0.42.0 • bd70cea chore(version): Bump version to 0.42.0 • fa4ac36 chore: Add gopls's modernizer to linters (#2515) • ba15837 chore: Handle empty policies in the parser (#2530) • 8247248 chore: Handle kind ROLE in trace printer (#2511) cerbos/cerbos

Happy Monday, community! 😊 We’re heading KubeCon 2025 in London! If you will be there - come meet the Cerbos team at 🔺Booth S632🔺 Daniel Maher, Emre Baran, Alex Olivier, and Andrew Haines are looking forward to chatting with you about all things authorization! 📢 Don’t miss Dan’s talk “AuthZ as a Dev Workflow: Architecting Better Cloud Native Apps” Friday April 4, 2025 15:15 - 15:45 BST Level 1 | Hall Entrance S10 | Room C 🎁 And while you’re at it, feel free to participate in our collab raffle with FusionAuth for a chance to win a TIE Interceptor or X-Wing Starfighter. See you there!

hey <!channel>! 🚀 We’re happy to share that Cerbos PDP now supports native parsing of SPIFFE identities in authorization policies! This unlocks precise access control for authorizing calls based on non-human identities using the framework be it services, workloads, or any other compute job. This feature introduces a set of Cerbos-specific extensions to the Common Expression Language (CEL) used in policy conditions which understand the structure of a SPIFFE ID such as trust domains, path components, or target the full identity string.

Release - v0.43.0 New release published by github-actions[bot] ## Cerbos 0.43.0 View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.43.0.html ## Changelog ### Bug fixes • ff7c199 fix: Maintain derived role mappings during policy updates (#2536) • 03982ea fix: Purge rule table on index build failure (#2538) ### Chores • dba785d chore(ci): Make Coveralls upload optional (#2541) • c1238e0 chore(deps): Update go deps (#2534) • b0c542e chore(deps): Update go deps (#2540) • b074c8f chore(deps): update node.js deps (#2535) • 170a7e8 chore(release): Add 0.43.0 release notes (#2542) • 69f4f15 chore(release): Prepare release 0.43.0 • c56621c chore(version): Bump version to 0.43.0 • 4ae6dac chore: Change logger keys based on bundle version (#2533) cerbos/cerbos

Hey community! 😊 As you might have already seen - we’ve introduced several updates that bring new capabilities and improvements to Cerbos 🙌 With v0.42 and v0.43, we’ve added support for SPIFFE identities in policies, improved the structure of audit logs, and tightened the reliability of policy updates in live environments. Details can be found here

Thanks to everyone who joined our webinar on “Choosing the Right Authentication & Authorization Deployment Model” 🥳 📩 If you missed the live session, you can get the full recording by submitting the form here. The recording will be sent directly to your email. During the webinar: 👉 Dan Moore FusionAuth and Alex Olivier Cerbos compared self-hosted, cloud-hosted, and SaaS authentication solutions, examining their impact on security, compliance, and operational control 👉 Explored how to align deployment choices with your regulatory requirements and data governance needs 👉 Examined performance implications, integration challenges, and compatibility with teams’ technical roadmaps 👉 Covered operational risks including reliability, disaster recovery, and vendor lock-in—plus how to mitigate them 👉 Broke down the total cost of ownership, CapEx vs. OpEx considerations, and potential hidden costs More webinars coming very soon!

Hey everyone! Happy Friday! 😊 🎉 We’re excited to share some big news: Cerbos has been named Startup of the Year 2024 in Access Control by HackerNoon. This recognition comes after a competitive vote involving 32 companies in our category and nearly 700 community votes. This isn’t just a win for Cerbos—it’s a signal that the tech community is paying serious attention to the problem of authorization. We wouldn’t be here without your support ☺️_. Whether you voted, contributed to the open-source project, deployed Cerbos in production, or just explored what we’re doing—thank you._ This win is a shared one. Onward 🚀

Hey <!channel>! 👋 We would like to invite you to join our upcoming webinar on “Mastering authorization in Fintech” 💻 Edgar Rivera and Daniel "phrawzty" Maher will walk through how to map business requirements of fintech products to authorization logic, accounting for dynamic trading rules, global market windows, and real-time risk assessment. Then they’ll show how to manage that complexity without cluttering your codebase or making things harder to maintain. ⏰ May 6, 2025 at 5pm CEST / 8am PDT 🔗 👉 Register for the webinar here 📩 Recording available for all registrants

Hey, community! 😊 Multi-tenancy in SaaS applications presents a critical challenge: ensuring robust access control that isolates tenant data and operations while maintaining flexibility and scalability. 🚀 We’ve released some new features, which provide a powerful toolkit to define and enforce multi-tenant security effectively. Feel free to check out our blog post on the topic for more details. In it, we: • Go through key Cerbos concepts: Scopes, role policies, and scoped resource policies with scope permission modes. • Demonstrate how these features combine to address the multi-tenant access control problem. • Provide practical policy examples for a hypothetical SaaS HR platform.

Hey everyone, happy Friday! ☺️ We’re excited to share our latest success story with you all: “How Cerbos gave Utility Warehouse control over 4,500 services and millions of NHIs” Utility Warehouse, a FTSE 250 company, faced a growing challenge common in modern infrastructures: managing and securing Non-Human Identities across a vast network of over 4,500 services. As systems scale, NHIs like service accounts and workloads identities can proliferate, leading to overprivileged access and reduced visibility if not properly controlled. By implementing Cerbos, Utility Warehouse transitioned to a true Zero Trust architecture, achieving: 🔹 𝐆𝐫𝐚𝐧𝐮𝐥𝐚𝐫 𝐍𝐇𝐈 𝐚𝐜𝐜𝐞𝐬𝐬 𝐜𝐨𝐧𝐭𝐫𝐨𝐥. Securing access at every hop within their service mesh, moving beyond perimeter-only trust. 🔹 𝐄𝐧𝐝-𝐭𝐨-𝐞𝐧𝐝 𝐢𝐝𝐞𝐧𝐭𝐢𝐭𝐲 𝐩𝐫𝐨𝐩𝐚𝐠𝐚𝐭𝐢𝐨𝐧. Ensuring user identity and intent are maintained throughout the service chain for full-context authorization. 🔹 𝐒𝐜𝐚𝐥𝐚𝐛𝐥𝐞 & 𝐬𝐭𝐚𝐭𝐞𝐥𝐞𝐬𝐬 𝐩𝐨𝐥𝐢𝐜𝐢𝐞𝐬. Efficiently managing millions of authorization decisions daily across their extensive service landscape. 🔹 𝐂𝐨𝐦𝐩𝐫𝐞𝐡𝐞𝐧𝐬𝐢𝐯𝐞 𝐚𝐮𝐝𝐢𝐭 & 𝐨𝐛𝐬𝐞𝐫𝐯𝐚𝐛𝐢𝐥𝐢𝐭𝐲. Leveraging integrated audit logging for enhanced threat detection and compliance. This strategic implementation not only bolstered their security posture but also streamlined operations, reclaiming significant development time. Kudos Rob Crowe and the Utility Warehouse team for their forward-thinking approach to securing NHIs at scale!

Release - v0.44.0 New release published by github-actions[bot] ## Cerbos 0.44.0 View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.44.0.html ## Changelog ### Features • b383622 feat(audit): Add size-based batch limiting to audit log hub (#2558) • 350d52c feat(plan): Add support for multiple actions (#2543) • ff44bd4 feat: Add principal policy support to rule table (#2544) • 44e21fb feat: Cerbosctl commands to interact with Hub store (#2569) ### Enhancements • 666976c enhancement!: Remove bundle version configuration parameter (#2583) • 386230a enhancement(helm): Update helm charts to support bundle v2 (#2580) • a2b376b enhancement: Simplify plan with exists operation (#2570) ### Bug fixes • 42fd48b fix(helm): Set correct environment variable to configure traces sampler (#2551) • 86428c7 fix(plan): Preserve action field for auditing (#2564) • 861bb1d fix: Return appropriate backoff in logcap ingest error path (#2549) ### Documentation • 314535a docs: Add talk to engineer link (#2573) ### Chores • 380d8f6 chore(ci): Don't bother caching dependencies for

upload-test-times

job (#2557) • d4e6db6 chore(ci): Upgrade Helm and Helmfile (#2586) • 73d0e25 chore(deps)!: Update module github.com/cenkalti/backoff/v4 to v5 (#2555) • db07dcb chore(deps): Bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#2563) • aedf313 chore(deps): Bump golang.org/x/net from 0.37.0 to 0.38.0 in /api/genpb (#2559) • e5ad74e chore(deps): Bump helm.sh/helm/v3 from 3.16.4 to 3.17.3 in /tools (#2545) • 1e6d83c chore(deps): Update dawidd6/action-download-artifact action to v10 (#2585) • 61ba507 chore(deps): Update dawidd6/action-download-artifact action to v9 (#2548) • 39c082b chore(deps): Update extractions/setup-just action to v3 (#2552) • 44b2b26 chore(deps): Update go deps (#2547) • 97f9326 chore(deps): Update go deps (#2565) • b04997c chore(deps): Update go deps (#2571) • e7cbf2d chore(deps): Update go deps (#2576) • 1fa3df6 chore(deps): Update go deps (#2581) • 672f97e chore(deps): Update go deps (#2584) • 53314ec chore(deps): Update golangci/golangci-lint-action action to v7.0.1 (#2566) • efca0ba chore(deps): Update module helm.sh/helm/v3 to v3.17.3 [security] (#2546) • 537dc04 chore(deps): Update modules github.com/lestrrat-go/jwx and github.com/vektra/mockery to v3 (major) (#2553) • 0e39c79 chore(deps): Update node.js deps (#2562) • 5e2be4d chore(deps): Update node.js deps (#2575) • d89540e chore(deps): Update node.js deps (#2582) • 293307a chore(deps): Update pnpm to v10.10.0 (#2572) • e657267 chore(deps): Update sigstore/cosign-installer action to v3.8.2 (#2561) • 4b7b60c chore(deps): update go deps (#2560) • ccf551a chore(deps): update module github.com/golangci/golangci-lint to v2 (#2556) • c35ae86 chore(deps): update node.js deps (#2539) • 9508a38 chore(docs): Fix how less than or equal operator is displayed (<https://github.com/cerbos… cerbos/cerbos

Hey, <!channel>! 🎉 📖 We’re excited to share our new ebook “Securing Non-Human Identities in enterprise systems” This ebook breaks down: • NHI taxonomy • 20 NHI and AI agent risk vectors you need to know • 12 security principles and 35 actionable steps for NHI governance • Insights from NHI breaches (Okta, GitHub, and Microsoft) • Expert opinions from CISOs, security architects, and EMs working on IAM programs that include NHI security • A vendor landscape and evaluation checklist to guide your implementation strategy It’s actionable and built from real-world experience, designed to help IAM teams address the blind spots, over-permissioning, and security gaps that often come with AI agents, microservices, and automated workloads. Feel free to read the ebook and let us know what you think!

Happy Friday, community 😊 We wanted to share our case study with BarrierSystems with you! “BarrierSystems integrates Cerbos into smart vehicle access gates, cutting internal costs by 15%” The company used Cerbos to externalize authorization for easier policy management. As a result, they were able to: • Improve user experience, with a 15% decrease in customer issues • Simplify their own policy management workflows to enable consistent and reliable access control for their customers • Decrease associated internal costs by 15% as a result • Ship new features faster

Release - v0.45.0 New release published by github-actions[bot] ## Cerbos 0.45.0 View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.45.0.html ## Changelog ### Bug fixes • 07adb2b fix: Handle multi-role planner precedence correctly (#2592) • adf9207 fix: Honour compile cache duration in rule table (#2602) • 1fd9668 fix: Protect against wildcards in policy names (#2593) ### Chores • 7fa8846 chore(ci): Remove deprecated

buf

actions (#2604) • 201601e chore(deps): Bump brace-expansion from 2.0.1 to 2.0.2 in /npm/test/registry (#2597) • abd1192 chore(deps): Update cerbos-sdk-go to 0.3.4 (#2606) • cbd9efd chore(deps): Update cerbos-sdk-go to v0.3.2 (#2589) • f5d113e chore(docs): Fix mistake related to compile.cacheSize configuration parameter (#2598) • 2a65d5b chore(release): Add 0.45.0 release notes (#2605) • eb97869 chore(release): Prepare release 0.45.0 • 6af3f42 chore(tracing): Fix names of tracing spans in engine (#2603) • ee97a59 chore(version): Bump version to 0.45.0 • 9e24d95 chore: More ASCII character class replacements (#2596) • 70c77ab chore: Replace ASCII character classes in validation regexes (#2595) cerbos/cerbos

Hey <!channel>! We wanted to share our latest blog with you, in which we explore two approaches to implementing 💡 hierarchy-based permissions in Cerbos, inspired by a real-world use case for a data analytics platform. Both methods leverage ABAC, but differ in their implementation strategy: 1️⃣ Policy-defined roles with attribute-based conditions. Defining explicit role policies for each tenant where hierarchical logic is hardcoded inside the policy. 2️⃣ Dynamic, attribute-driven generic policies. Shifting the hierarchical conditions entirely to the principal’s attributes and using a single, generic policy for interpretation. Feel free to check out the details here