Hi Stephan!
Since typically a Cerbos PDP works as an isolated service, the end user doesn't have direct access to an instance.
This use case is handled by designing an application which basically calls the Cerbos Admin API to create or manipulate the policies in a mutable store behind the scenes. The application also must maintain the lifetime of the policy. (Ex: The application needs to disable the policies no longer required by the end-user etc.)
Here you can see an example utilizing the admin API (written in golang):
https://github.com/cerbos/demo-admin-api
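
The lifetime handling described in the reply above, sketched as an added example (not part of the original post and not code from the linked demo). `AdminStore`, `memStore`, `Reconcile` and the policy IDs are hypothetical names; a real application would back `AdminStore` with its Admin API client.

```go
package main

import (
	"fmt"
	"sort"
)

// AdminStore is a hypothetical stand-in for an Admin API client writing to a
// mutable policy store; it is not the Cerbos SDK's interface.
type AdminStore interface {
	AddOrUpdate(id, body string) error
	Disable(id string) error
}

// memStore is a constructed in-memory fake so the example runs offline.
type memStore struct{ enabled map[string]string }

func (m *memStore) AddOrUpdate(id, body string) error { m.enabled[id] = body; return nil }
func (m *memStore) Disable(id string) error           { delete(m.enabled, id); return nil }

// Reconcile upserts the policies the end user currently wants and disables
// the ones this application created earlier that are no longer wanted.
// owned records the policy IDs the application manages; others are untouched.
func Reconcile(s AdminStore, owned map[string]bool, wanted map[string]string) ([]string, error) {
	var disabled []string
	for id, body := range wanted {
		if err := s.AddOrUpdate(id, body); err != nil {
			return nil, fmt.Errorf("upsert %s: %w", id, err)
		}
		owned[id] = true
	}
	for id := range owned {
		if _, keep := wanted[id]; keep {
			continue
		}
		if err := s.Disable(id); err != nil {
			return disabled, fmt.Errorf("disable %s: %w", id, err)
		}
		delete(owned, id)
		disabled = append(disabled, id)
	}
	sort.Strings(disabled)
	return disabled, nil
}

func main() {
	store := &memStore{enabled: map[string]string{"resource.shared.vdefault": "..."}} // constructed IDs
	owned := map[string]bool{"resource.album.vdefault": true}
	out, _ := Reconcile(store, owned, map[string]string{"resource.photo.vdefault": "..."})
	fmt.Println(out)
}
```

Keeping the `owned` set on the application side is what stops one end user's cleanup from disabling policies the application did not create for them.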