Release - v0.41.0 New release published by github-actions[bot] Cerbos 0.41.0 View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.41.0.html Changelog Features • bfef008 feat(plan): Use scope value in the query plan (#2485) • 9bec734 feat: Replace labels with deployments in bundle API v2 (#2483) Enhancements • 71682d6 enhancement!: Switch to ContextEval to evaluate CEL expressions (#2495) • 538ab24 enhancement: Correctly set GOMAXPROCS on ECS (#2459) • 41787ba enhancement: Fail tests with unreachable output expectations (#2418) • c2f16ff enhancement: Lazy rule table (#2460) • 131bf5f enhancement: Rule table engine (#2442) • ecf08cc enhancement: Support bundlev2 (#2395) Bug fixes • 038719b fix: Add missing policy required for mutable e2e tests (#2502) • bd3222d fix: Correctly handle defaultPolicyVersion engine config (#2449) • 8983b99 fix: Correctly handle partial rule table and event subscription (#2455) • a676fd1 fix: Fall back to default policy version sooner in query planner (#2450) • 0b80bcb fix: Reload rule table when store contents change (#2452) • f611ff2 fix: Return validation errors and effective policies in query planner responses (#2447) • a12fd5c fix: Rule table reload should only purge (#2467) • 3596a31 fix: Use correct filterDebug type in e2e query planner test (#2448) Documentation • 73b40e4 docs: Correct examples for math functions (#2445) • 9096ecb docs: Scope permissions (#2487) • 1fd792d docs: Update 03_calling-cerbos.adoc of tutorial to use the updated

/api/check/resources

endpoint (#2429) • 4eb7b26 docs: Update what-is-cerbos.adoc tenant ->tenet (#2406) Chores • 282fe32 chore!: REQUIRE_PARENTAL_CONSENT refinements for resource and principal policies (#2484) • 31e635e chore!: Role policy deny rows (#2475) • 24551ba chore(deps): Bump filippo.io/age from 1.2.0 to 1.2.1 (#2423) • 7a81126 chore(deps): Bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 in /tools (#2491) • 39242a6 chore(deps): Bump github.com/quic-go/quic-go from 0.48.1 to 0.48.2 in /tools (#2405) • 3792699 chore(deps): Bump golang.org/x/crypto from 0.29.0 to 0.31.0 in /tools (#2414) • c03afd6 chore(deps): Remove SQL Server dependencies (#2394) • 09806c6 chore(deps): Update alecthomas/kong to v1.5.1 (#2404) • e11f815 chore(deps): Update dawidd6/action-download-artifact action to v7 (#2417) • 5571a2c chore(deps): Update dependency node to v22.13.0 (#2444) • 4eda1c7 chore(deps): Update github actions deps (#2427) • 55dc0c8 chore(deps): Update github actions deps (#2464) • d6818fa chore(deps): Update github.com/bufbuild/protovalidate-go to 0.8.0 (#2428) • d0c26dd chore(deps): Update github.com/go-git/go-git/v5 (#2437) • aa9a573 chore(deps): Update go deps (#2397) • 915609b chore(deps): Update go deps (#2407) • 8b6d25e chore(deps): Update go deps (#2415) • 2660e5e chore(deps): Update go deps (#2431) • <https://github.com/cerbos/cerbos/c… cerbos/cerbos

Hey, <!channel>, happy Monday! 🚀 We wanted to share about our latest update - Cerbos Prisma Integration v2.0 With our latest update to the reference Prisma Query Plan Adapter, we’ve significantly expanded its capabilities, making it even easier to enforce fine-grained access control within applications using Prisma ORM. Updates include: • Expanded operator support • Deep nested relations • Automatic field inference and type-safe mapping • Improved collection handling • Performance optimizations 👉Check out the full blog post for more details &amp; info on how to get started 👈

Hey <!channel> ! 👋 🎥 We will be hosting a webinar “Cloud, SaaS, or self-hosted? Which authentication & authorization deployment model is right for you?” Join to learn about: • Security & compliance trade-offs across deployment models • Engineering implications from performance to integration complexity • Hidden costs & operational risks you might not expect • How to future-proof your auth stack for scalability & reliability 📅 April 17, 2025 | 5pm CET / 9am PST (recording will be available to all registrants) 🎙️ Speakers: Dan Moore, Principal Product Engineer at FusionAuth & Alex Olivier, CPO at Cerbos 👉 register here 👈 see you there! ☺️

Hey everyone! 😊 Non-human identities now outnumber human users by 17:1, yet they are one of the most overlooked attack vectors in today’s systems. Which is why we published a new blog post breaking down the OWASP Top 10 threats to non-human identities (NHIs). We explain what each threat is, real-world examples of breaches, and practical steps to mitigate them. Plus, we show how Cerbos helps enforce least privilege and context-aware access control for NHIs. Feel free to check it out here

Hey <!channel>! We’ve published a blog post where we examine the key elements of compliance that should be prioritized, from data quality and change management to audit logs and access control. We also explore how picking the right authorization system can strengthen your compliance efforts. Feel free to check it out here 💡 A study by the Ponemon Institute found that, on average, non-compliance costs companies about 2.7 times more than meeting compliance requirements in the first place.

Release - v0.42.0 New release published by github-actions[bot] ## Cerbos 0.42.0 View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.42.0.html ## Changelog ### Features • e3aef93 feat: SPIFFE functions (#2524) ### Enhancements • 36c7625 enhancement: Stop logging attribute values as JSON-encoded strings in decision logs (#2516) ### Bug fixes • 8cbeca7 fix: Ensure derived role updates purge rule table caches (#2523) • 4449609 fix: Evaluate condition blocks correctly in REPL (#2513) • f1fc31d fix: Purge schema cache on store reload (#2522) • e4da017 fix: Tidy up rule table trace outputs (#2531) ### Documentation • 970f7fd docs: Remove symlink to SQL Server schema (#2505) ### Chores • b7fa780 chore(deps): Bump github.com/containerd/containerd from 1.7.25 to 1.7.27 in /tools (#2520) • 2658904 chore(deps): Bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 in /tools (#2527) • ed471a3 chore(deps): Bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 in /tools (#2526) • 92b5da4 chore(deps): Bump github.com/redis/go-redis/v9 from 9.7.0 to 9.7.3 (#2525) • b89d3c4 chore(deps): Bump golang.org/x/net from 0.35.0 to 0.36.0 in /api/genpb (#2514) • 9bff439 chore(deps): Bump golang.org/x/net from 0.35.0 to 0.36.0 in /tools (#2509) • fc62644 chore(deps): Update go deps (#2507) • 5c2b5bd chore(deps): Update golangci/golangci-lint-action action to v6.5.1 (#2517) • e682aeb chore(deps): Update golangci/golangci-lint-action action to v6.5.2 (#2528) • 0276262 chore(deps): Update node.js deps (#2508) • 25b8f18 chore(deps): Update pnpm to v10.6.3 (#2518) • ed90ba0 chore(deps): Update pnpm to v10.6.5 (#2529) • 5d3167a chore(planner): Switch from CEL protobuf to native types (#2492) • 4e6d19b chore(release): Add 0.42.0 release notes (#2532) • 1a5b7c2 chore(release): Prepare release 0.42.0 • bd70cea chore(version): Bump version to 0.42.0 • fa4ac36 chore: Add gopls's modernizer to linters (#2515) • ba15837 chore: Handle empty policies in the parser (#2530) • 8247248 chore: Handle kind ROLE in trace printer (#2511) cerbos/cerbos

Happy Monday, community! 😊 We’re heading KubeCon 2025 in London! If you will be there - come meet the Cerbos team at 🔺Booth S632🔺 Daniel Maher, Emre Baran, Alex Olivier, and Andrew Haines are looking forward to chatting with you about all things authorization! 📢 Don’t miss Dan’s talk “AuthZ as a Dev Workflow: Architecting Better Cloud Native Apps” Friday April 4, 2025 15:15 - 15:45 BST Level 1 | Hall Entrance S10 | Room C 🎁 And while you’re at it, feel free to participate in our collab raffle with FusionAuth for a chance to win a TIE Interceptor or X-Wing Starfighter. See you there!

hey <!channel>! 🚀 We’re happy to share that Cerbos PDP now supports native parsing of SPIFFE identities in authorization policies! This unlocks precise access control for authorizing calls based on non-human identities using the framework be it services, workloads, or any other compute job. This feature introduces a set of Cerbos-specific extensions to the Common Expression Language (CEL) used in policy conditions which understand the structure of a SPIFFE ID such as trust domains, path components, or target the full identity string.

Release - v0.43.0 New release published by github-actions[bot] ## Cerbos 0.43.0 View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.43.0.html ## Changelog ### Bug fixes • ff7c199 fix: Maintain derived role mappings during policy updates (#2536) • 03982ea fix: Purge rule table on index build failure (#2538) ### Chores • dba785d chore(ci): Make Coveralls upload optional (#2541) • c1238e0 chore(deps): Update go deps (#2534) • b0c542e chore(deps): Update go deps (#2540) • b074c8f chore(deps): update node.js deps (#2535) • 170a7e8 chore(release): Add 0.43.0 release notes (#2542) • 69f4f15 chore(release): Prepare release 0.43.0 • c56621c chore(version): Bump version to 0.43.0 • 4ae6dac chore: Change logger keys based on bundle version (#2533) cerbos/cerbos

Hey community! 😊 As you might have already seen - we’ve introduced several updates that bring new capabilities and improvements to Cerbos 🙌 With v0.42 and v0.43, we’ve added support for SPIFFE identities in policies, improved the structure of audit logs, and tightened the reliability of policy updates in live environments. Details can be found here

Thanks to everyone who joined our webinar on “Choosing the Right Authentication & Authorization Deployment Model” 🥳 📩 If you missed the live session, you can get the full recording by submitting the form here. The recording will be sent directly to your email. During the webinar: 👉 Dan Moore FusionAuth and Alex Olivier Cerbos compared self-hosted, cloud-hosted, and SaaS authentication solutions, examining their impact on security, compliance, and operational control 👉 Explored how to align deployment choices with your regulatory requirements and data governance needs 👉 Examined performance implications, integration challenges, and compatibility with teams’ technical roadmaps 👉 Covered operational risks including reliability, disaster recovery, and vendor lock-in—plus how to mitigate them 👉 Broke down the total cost of ownership, CapEx vs. OpEx considerations, and potential hidden costs More webinars coming very soon!

Hey everyone! Happy Friday! 😊 🎉 We’re excited to share some big news: Cerbos has been named Startup of the Year 2024 in Access Control by HackerNoon. This recognition comes after a competitive vote involving 32 companies in our category and nearly 700 community votes. This isn’t just a win for Cerbos—it’s a signal that the tech community is paying serious attention to the problem of authorization. We wouldn’t be here without your support ☺️_. Whether you voted, contributed to the open-source project, deployed Cerbos in production, or just explored what we’re doing—thank you._ This win is a shared one. Onward 🚀

Hey <!channel>! 👋 We would like to invite you to join our upcoming webinar on “Mastering authorization in Fintech” 💻 Edgar Rivera and Daniel "phrawzty" Maher will walk through how to map business requirements of fintech products to authorization logic, accounting for dynamic trading rules, global market windows, and real-time risk assessment. Then they’ll show how to manage that complexity without cluttering your codebase or making things harder to maintain. ⏰ May 6, 2025 at 5pm CEST / 8am PDT 🔗 👉 Register for the webinar here 📩 Recording available for all registrants

Hey, community! 😊 Multi-tenancy in SaaS applications presents a critical challenge: ensuring robust access control that isolates tenant data and operations while maintaining flexibility and scalability. 🚀 We’ve released some new features, which provide a powerful toolkit to define and enforce multi-tenant security effectively. Feel free to check out our blog post on the topic for more details. In it, we: • Go through key Cerbos concepts: Scopes, role policies, and scoped resource policies with scope permission modes. • Demonstrate how these features combine to address the multi-tenant access control problem. • Provide practical policy examples for a hypothetical SaaS HR platform.

Hey everyone, happy Friday! ☺️ We’re excited to share our latest success story with you all: “How Cerbos gave Utility Warehouse control over 4,500 services and millions of NHIs” Utility Warehouse, a FTSE 250 company, faced a growing challenge common in modern infrastructures: managing and securing Non-Human Identities across a vast network of over 4,500 services. As systems scale, NHIs like service accounts and workloads identities can proliferate, leading to overprivileged access and reduced visibility if not properly controlled. By implementing Cerbos, Utility Warehouse transitioned to a true Zero Trust architecture, achieving: 🔹 𝐆𝐫𝐚𝐧𝐮𝐥𝐚𝐫 𝐍𝐇𝐈 𝐚𝐜𝐜𝐞𝐬𝐬 𝐜𝐨𝐧𝐭𝐫𝐨𝐥. Securing access at every hop within their service mesh, moving beyond perimeter-only trust. 🔹 𝐄𝐧𝐝-𝐭𝐨-𝐞𝐧𝐝 𝐢𝐝𝐞𝐧𝐭𝐢𝐭𝐲 𝐩𝐫𝐨𝐩𝐚𝐠𝐚𝐭𝐢𝐨𝐧. Ensuring user identity and intent are maintained throughout the service chain for full-context authorization. 🔹 𝐒𝐜𝐚𝐥𝐚𝐛𝐥𝐞 & 𝐬𝐭𝐚𝐭𝐞𝐥𝐞𝐬𝐬 𝐩𝐨𝐥𝐢𝐜𝐢𝐞𝐬. Efficiently managing millions of authorization decisions daily across their extensive service landscape. 🔹 𝐂𝐨𝐦𝐩𝐫𝐞𝐡𝐞𝐧𝐬𝐢𝐯𝐞 𝐚𝐮𝐝𝐢𝐭 & 𝐨𝐛𝐬𝐞𝐫𝐯𝐚𝐛𝐢𝐥𝐢𝐭𝐲. Leveraging integrated audit logging for enhanced threat detection and compliance. This strategic implementation not only bolstered their security posture but also streamlined operations, reclaiming significant development time. Kudos Rob Crowe and the Utility Warehouse team for their forward-thinking approach to securing NHIs at scale!

Release - v0.44.0 New release published by github-actions[bot] ## Cerbos 0.44.0 View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.44.0.html ## Changelog ### Features • b383622 feat(audit): Add size-based batch limiting to audit log hub (#2558) • 350d52c feat(plan): Add support for multiple actions (#2543) • ff44bd4 feat: Add principal policy support to rule table (#2544) • 44e21fb feat: Cerbosctl commands to interact with Hub store (#2569) ### Enhancements • 666976c enhancement!: Remove bundle version configuration parameter (#2583) • 386230a enhancement(helm): Update helm charts to support bundle v2 (#2580) • a2b376b enhancement: Simplify plan with exists operation (#2570) ### Bug fixes • 42fd48b fix(helm): Set correct environment variable to configure traces sampler (#2551) • 86428c7 fix(plan): Preserve action field for auditing (#2564) • 861bb1d fix: Return appropriate backoff in logcap ingest error path (#2549) ### Documentation • 314535a docs: Add talk to engineer link (#2573) ### Chores • 380d8f6 chore(ci): Don't bother caching dependencies for

upload-test-times

job (#2557) • d4e6db6 chore(ci): Upgrade Helm and Helmfile (#2586) • 73d0e25 chore(deps)!: Update module github.com/cenkalti/backoff/v4 to v5 (#2555) • db07dcb chore(deps): Bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#2563) • aedf313 chore(deps): Bump golang.org/x/net from 0.37.0 to 0.38.0 in /api/genpb (#2559) • e5ad74e chore(deps): Bump helm.sh/helm/v3 from 3.16.4 to 3.17.3 in /tools (#2545) • 1e6d83c chore(deps): Update dawidd6/action-download-artifact action to v10 (#2585) • 61ba507 chore(deps): Update dawidd6/action-download-artifact action to v9 (#2548) • 39c082b chore(deps): Update extractions/setup-just action to v3 (#2552) • 44b2b26 chore(deps): Update go deps (#2547) • 97f9326 chore(deps): Update go deps (#2565) • b04997c chore(deps): Update go deps (#2571) • e7cbf2d chore(deps): Update go deps (#2576) • 1fa3df6 chore(deps): Update go deps (#2581) • 672f97e chore(deps): Update go deps (#2584) • 53314ec chore(deps): Update golangci/golangci-lint-action action to v7.0.1 (#2566) • efca0ba chore(deps): Update module helm.sh/helm/v3 to v3.17.3 [security] (#2546) • 537dc04 chore(deps): Update modules github.com/lestrrat-go/jwx and github.com/vektra/mockery to v3 (major) (#2553) • 0e39c79 chore(deps): Update node.js deps (#2562) • 5e2be4d chore(deps): Update node.js deps (#2575) • d89540e chore(deps): Update node.js deps (#2582) • 293307a chore(deps): Update pnpm to v10.10.0 (#2572) • e657267 chore(deps): Update sigstore/cosign-installer action to v3.8.2 (#2561) • 4b7b60c chore(deps): update go deps (#2560) • ccf551a chore(deps): update module github.com/golangci/golangci-lint to v2 (#2556) • c35ae86 chore(deps): update node.js deps (#2539) • 9508a38 chore(docs): Fix how less than or equal operator is displayed (<https://github.com/cerbos… cerbos/cerbos

Hey, <!channel>! 🎉 📖 We’re excited to share our new ebook “Securing Non-Human Identities in enterprise systems” This ebook breaks down: • NHI taxonomy • 20 NHI and AI agent risk vectors you need to know • 12 security principles and 35 actionable steps for NHI governance • Insights from NHI breaches (Okta, GitHub, and Microsoft) • Expert opinions from CISOs, security architects, and EMs working on IAM programs that include NHI security • A vendor landscape and evaluation checklist to guide your implementation strategy It’s actionable and built from real-world experience, designed to help IAM teams address the blind spots, over-permissioning, and security gaps that often come with AI agents, microservices, and automated workloads. Feel free to read the ebook and let us know what you think!

Happy Friday, community 😊 We wanted to share our case study with BarrierSystems with you! “BarrierSystems integrates Cerbos into smart vehicle access gates, cutting internal costs by 15%” The company used Cerbos to externalize authorization for easier policy management. As a result, they were able to: • Improve user experience, with a 15% decrease in customer issues • Simplify their own policy management workflows to enable consistent and reliable access control for their customers • Decrease associated internal costs by 15% as a result • Ship new features faster

Release - v0.45.0 New release published by github-actions[bot] ## Cerbos 0.45.0 View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.45.0.html ## Changelog ### Bug fixes • 07adb2b fix: Handle multi-role planner precedence correctly (#2592) • adf9207 fix: Honour compile cache duration in rule table (#2602) • 1fd9668 fix: Protect against wildcards in policy names (#2593) ### Chores • 7fa8846 chore(ci): Remove deprecated

buf

actions (#2604) • 201601e chore(deps): Bump brace-expansion from 2.0.1 to 2.0.2 in /npm/test/registry (#2597) • abd1192 chore(deps): Update cerbos-sdk-go to 0.3.4 (#2606) • cbd9efd chore(deps): Update cerbos-sdk-go to v0.3.2 (#2589) • f5d113e chore(docs): Fix mistake related to compile.cacheSize configuration parameter (#2598) • 2a65d5b chore(release): Add 0.45.0 release notes (#2605) • eb97869 chore(release): Prepare release 0.45.0 • 6af3f42 chore(tracing): Fix names of tracing spans in engine (#2603) • ee97a59 chore(version): Bump version to 0.45.0 • 9e24d95 chore: More ASCII character class replacements (#2596) • 70c77ab chore: Replace ASCII character classes in validation regexes (#2595) cerbos/cerbos

Hey <!channel>! We wanted to share our latest blog with you, in which we explore two approaches to implementing 💡 hierarchy-based permissions in Cerbos, inspired by a real-world use case for a data analytics platform. Both methods leverage ABAC, but differ in their implementation strategy: 1️⃣ Policy-defined roles with attribute-based conditions. Defining explicit role policies for each tenant where hierarchical logic is hardcoded inside the policy. 2️⃣ Dynamic, attribute-driven generic policies. Shifting the hierarchical conditions entirely to the principal’s attributes and using a single, generic policy for interpretation. Feel free to check out the details here

Release - v0.45.1 New release published by github-actions[bot] ## Cerbos 0.45.1 View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.45.1.html ## Changelog ### Bug fixes • 6808dae fix: Don't set bundleVersion when auto-configuring hub (#2608) ### Documentation • a4f2eea docs: Generate llm.txt and llm-full.txt (#2609) ### Chores • b0cc825 chore(ci): Fix

buf push

step (#2610) • 70766ee chore(deps): Bump github.com/go-chi/chi/v5 from 5.2.1 to 5.2.2 in /tools (#2611) • 549e877 chore(deps): Bump github.com/go-viper/mapstructure/v2 from 2.1.0 to 2.3.0 (#2618) • 7893eaf chore(deps): Update go deps (#2612) • 46458b5 chore(deps): Update go deps (#2619) • 3de8602 chore(deps): Update node.js deps (#2613) • 05e9783 chore(deps): Update node.js deps (#2620) • 6194038 chore(release): Add 0.45.1 release notes (#2621) • 47732be chore(release): Prepare release 0.45.1 • d9f01f8 chore(version): Bump version to 0.46.0 • 98d3145 chore: Pluggable schema resolver (#2614) cerbos/cerbos

hey <!channel>! 🙂 MCP servers are reshaping how AI agents interact with external tools and APIs. They unlock speed and flexibility, but can also punch holes in your security model if every agent can call every tool by default. Which why we are excited to share our guide on implementing dynamic authorization for AI agents and fine-grained permissions in MCP servers (and it doesn’t require a backend rewrite 😊).

Hello, <!channel> ! We’re excited to share our latest ebook with you: 📘 The “How to adopt externalized authorization: Planning your path”! Over the years, we’ve worked with hundreds of engineering, IAM, and security teams - helping everyone from early-stage startups to global enterprises navigate the process of adopting externalized authorization. That experience became the foundation for our new ebook. It’s a hands-on, 10-chapter guide that walks through every stage of the journey, from foundational planning to externalized authorization rollout and long-term governance. If you’re interested, feel free to download it here. Let us know what you think once you have a chance to read it! 🙌

Hey, <!channel> 👋 Exciting news - Cerbos documentation is now LLM optimized! Use your favorite AI assistant to help build Cerbos policies and integrations. Check out the details here.

Hey <!channel>! We have a really big update today 😊 We’re very excited to share that we have 🚀🎉 just released the updated Cerbos Hub! Cerbos Hub is now the centralized control plane for every authorization decision across applications, AI agents, services, and workloads. All identities. Any architecture at any scale. All in one place. This update is the result of your feedback. Over the past year, hundreds of engineering and security teams shared their challenges, and this input shaped four powerful new use cases: 1. Fine-grained, tenant specific authorization 2. Dynamic policy management at scale 3. Scalable NHI permission management 4. Secure authorization for MCP servers This latest update brings new features across the entire authorization lifecycle. So now you can: • Create, update, and deploy policies programmatically • Scale your policies by tenant, team, environment, or use case with the new Policy Stores • Push and deploy policy updates from any Git provider, CI tool, or API, with real-time distribution and built-in testing • Get a complete audit trail of every access decision across all identities, tenants, and apps • And much more! If you haven’t tried Cerbos Hub yet, and you’re looking to manage authorization for every identity in your system with full visibility, consistent policy enforcement, and Zero Trust alignment - this is the time to check it out 🙂 We’re happy to walk you through the new features and explore how they can meet your requirements. Our engineer and Head of Product are happy to talk with you!

Happy Friday, community! We’re back with some more fun news! 😊 We are excited to share that Cerbos Hub has been named Best in Microservices Infrastructure at the 2025 API Awards! 🥇 Thank you for your continued support, and for being on this journey with us!

Hello, our awesome community! Do you want to learn best practices for multi-tenant authorization? Join our spotlight webinar on Jul 29 to see how to model and manage per-tenant access policies. Together with our CPO, @Alex Olivier (Cerbos), we’ll cover: • Real-world implementation examples • How to build tenant-specific Policy Stores with isolation and traceability • The architecture needed to scale per-tenant authorization • Supporting enterprise customers with custom roles and dynamic logic • Live demo of policy creation, deployment, and updates via API and Git Register here → https://zoom.us/webinar/register/WN_-U732lkoQLOdaCCyasJ_ag%20#/registration

Hey everyone 👋 We wanted to let you know about our next upcoming webinar, where we will dive into programmatic policy management for complex systems. We’ve heard from a number of you about issues with scaling manual permission updates. As your system grows with more tenants, services, and agents, keeping access control up to date gets messy. If you’d like to learn how to manage permission updates with code, join us on August 6. We’ll go through: • When to use programmatic updates (and when not to) • Static vs. dynamic policy models • Managing policies via CLI, API, and SDKs • Deploying from Git, CI, or external systems • Architectures for scaling real-time policy updates • Live demo: building dynamic policies and integrating with your systems You can register here ➡️ https://zoom.us/webinar/register/5317539696581/WN_SOGae5oqTSaJu28uiogCqA

Release - v0.46.0 New release published by github-actions[bot] ## Cerbos 0.46.0 View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.46.0.html ## Changelog ### Features • 6cff78d feat: Include policy source in audit logs (#2624) ### Enhancements • e73ec4c enhancement: Add embedded PDP metadata to audit logs (#2625) • 8b4cbe3 enhancement: Stickier PDP IDs (#2641) ### Bug fixes • 8184fdf fix: Handle const false DENY nodes in role-level query planning (#2644) • 3b2f73c fix: Handle rule-less policies for multi-tenant fallthrough (#2649) ### Documentation • ede245a docs: Fix css for logo on hover (#2628) ### Chores • 3531121 chore(ci): Set MySQL tag (#2647) • 084ad71 chore(ci): Temporarily disable MySQL E2E tests (#2650) • 445ca4e chore(ci): Use official MySQL image in E2E tests (#2646) • 616d48d chore(deps): Bump form-data from 4.0.2 to 4.0.4 in /npm/test/registry (#2654) • e12847a chore(deps): Bump github.com/docker/docker from 28.2.2+incompatible to 28.3.3+incompatible in /tools (#2655) • 15b5edf chore(deps): Bump helm.sh/helm/v3 from 3.17.3 to 3.18.4 in /tools (#2632) • 664315c chore(deps): Update github actions deps (#2642) • 149a57d chore(deps): Update go deps (#2626) • 4abe304 chore(deps): Update go deps (#2635) • 4803489 chore(deps): Update go deps (#2643) • ded17ae chore(deps): Update go deps (#2651) • 8629867 chore(deps): Update node.js deps (#2652) • 3b6b8d3 chore(deps): Update pnpm to v10.13.1 (#2636) • 1b3690b chore(deps): Update sigstore/cosign-installer action to v3.9.1 (#2627) • 1a130aa chore(deps): update module helm.sh/helm/v3 to v3.18.4 [security] (#2633) • 031a3c5 chore(release): Add 0.46.0 release notes (#2657) • 2e55b6b chore(release): Prepare release 0.46.0 • 17d8000 chore(version): Bump version to 0.46.0 • 17e74dc chore: Enable gzip and increase response size limit for cerbosctl (#2631) • 4b09afc chore: Rename cerbosctl hub

like

filter to

contains

(#2623) • e8e7a86 chore: Use new Bitnami repository (#2640) cerbos/cerbos

hey <!channel>! 👋 We have launched the new Usage Dashboard in Cerbos Hub! 🙌 This new feature provides a comprehensive, real-time view of your authorization service, allowing you to monitor key metrics, analyze trends, and gain valuable insights into your policies and their consumers. The new usage insights, available on both the workspace homepage and its own dedicated “Usage” section, surface these key metrics into a quick reference dashboard. It provides a detailed breakdown of your Monthly Active Principals (MAPs), decisions, query plans, and more, allowing you to see exactly how your authorization policies are being used. Details can be found here.