# help
j
Hey all, We're using Cerbos in my company and I just got asked a question that I hadn't thought about before.
if a user action request matches an ALLOW and a DENY, what is the resolution strategy?
My initial thought was that it's unlikely to happen, but I guess if a user is added to multiple roles and the resource policy grants access to one of those roles and explicitly denies access to a second role containing the user, then it could be a thing. My assumption is that Cerbos is deny by default and the response will be `DENY`, but I haven't tested this yet. Does anyone have any experience of a scenario like this?
e
Hi Joe, in Cerbos, policies are evaluated sequentially. Deny policies have priority over allow policies in cases where both policies are applicable to a specific request. This means that if a deny policy matches the request conditions, the access will be denied, regardless of any other allow policies that might also match. This ensures that explicitly disallowed actions are always enforced.
j
Thanks so much for the quick and clear response.
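The scenario Joe describes, written out as a Cerbos resource policy plus a Cerbos policy test that pins down the expected result. This is an added example, not code from the thread or from the Cerbos project; the resource kind `report`, the action `view`, the roles `analyst` and `contractor`, and the principal `joe` are all made up for illustration. The first document is the policy, the second is a test suite file of the kind Cerbos loads from a `_test.yaml` file; both follow the schema documented for Cerbos, but the file names in the comments are assumptions.

```yaml
# file: policies/report.yaml (assumed path)
# One resource policy with two rules that both match action "view".
# A principal holding BOTH roles triggers both rules at once.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "report"
  rules:
    # Rule 1: analysts may view reports.
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["analyst"]
    # Rule 2: contractors are explicitly denied, even if another rule allows.
    - actions: ["view"]
      effect: EFFECT_DENY
      roles: ["contractor"]
---
# file: tests/report_test.yaml (assumed path)
# Cerbos test suite: the principal "joe" carries both roles, so the
# ALLOW rule and the DENY rule are both applicable. The expectation
# below encodes the deny-wins behaviour; if Cerbos ever resolved it the
# other way the suite would fail, which is the point of pinning it down.
name: ReportDenyPrecedenceTests
principals:
  joe:
    id: "joe"
    roles: ["analyst", "contractor"]   # member of an allowed AND a denied role
  ana:
    id: "ana"
    roles: ["analyst"]                 # control case: only the allowed role
resources:
  report1:
    kind: "report"
    id: "report1"
tests:
  - name: "Deny rule wins when allow and deny both match"
    input:
      principals: ["joe"]
      resources: ["report1"]
      actions: ["view"]
    expected:
      - principal: "joe"
        resource: "report1"
        actions:
          view: EFFECT_DENY
  - name: "Allow still applies when no deny rule matches"
    input:
      principals: ["ana"]
      resources: ["report1"]
      actions: ["view"]
    expected:
      - principal: "ana"
        resource: "report1"
        actions:
          view: EFFECT_ALLOW
```

Run the suite with `cerbos compile --tests=tests policies` (directory names match the assumed paths above). The control case with `ana` is there so the suite distinguishes "deny overrides allow" from "everything is denied because the policy failed to load": a broken policy would fail both tests, a correctly loaded one fails neither.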