# community
n
hi, so I'm currently doing evaluation of authz frameworks at the moment and quite like the look of Cerbos so far but I do have an edge case I wonder if it would be solvable. As part of our product we have an offline (mostly) first React Native mobile app. I would really like to solve our AuthZ problems across all our products using the same tech if possible. Would the WebAssembly PDP work in this case or does it really need to be online? (or is there another option) Some points to consider:
• the app can be online most of the time but our user base runs in pretty bad/no connection zones so it needs to be always workable offline.
• we are a multi-tenant product so need to support that kind of thing (customers creating their own policies and taking it offline)
d
Hi Nathan, Wasm PDPs (embedded PDPs) can work offline. A Wasm runtime is the only requirement.
"we are a multi tenant product so need to support that kind of thing"
Currently, ePDPs have the following limitations relevant to this use case.
• We build one Wasm module for the entire policy set. If two customers have their policies in the same set, their policies will be combined and shipped in the same Wasm module.
• ePDPs don’t support role policies.
We are working to address these limitations, but I can’t comment on the timeline.
n
"We build one Wasm module for the entire policy set. If two customers have their policies in the same set, their policies will be combined and shipped in the same Wasm module" Could I get an example of this result? Does using scope work here to keep them different or that won't help here?
d
Scopes alone won’t help with splitting a Wasm module. Embedded PDPs are part of Cerbos Hub, which works with Git policy repositories. To produce another Wasm module, one needs to create another workspace. https://docs.cerbos.dev/cerbos-hub/concepts
n
Right ok thanks. So if we don't plan on using git repos for our policies (we're going to use the admin API against postgres so tenants can adjust their own policies based on our starting ones) we are out of luck in this case. I wanted to use it in my UI React layer so this will change how I tackle that as well
d
Yes, sorry. Currently, Cerbos Hub doesn’t support writable storage, and ePDP is part of the Cerbos Hub.
As I mentioned, we’ve been working to change that. I believe Cerbos Hub will soon(-ish) support this use case. Please feel free to book a call to discuss details.
n
No problem. I'm currently in the research stage and looking at what options I have. The combination of multi-tenant + offline app brings me all kinds of fun. But I might be able to use Cerbos for all my API layer, and for offline switch the problem around a bit and simplify that model I use there, as I'm limited in options on that front anyway due to it being offline, so the gates really need to be the API layer as the strongest point