
Cerbos

Cerbos is an open source, decoupled Access Control Platform (ACP) that applies Policies (an access ruleset) to Resources (a data model) on behalf of a Principal (an actor).

Official Cerbos Docs

Checking Access

A "check" returns an "ALLOW" or "DENY" decision for an explicitly provided principal, resource and action. Cerbos provides an API to check one or more actions against a resource known to the platform.
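As an added example (not code from this project or from Cerbos), the following builds the body of a Cerbos `CheckResources` request for a principal in the shape this page defines and interprets the response. It assumes the service talks to the Cerbos HTTP API (`POST /api/check/resources`), that the page's `realm` and `tenant` fields travel as principal attributes (Cerbos has no built-in fields of those names, so they go under `attr`), and that a `pet` resource kind with a `view`/`edit`/`delete` set of actions exists; the response object is constructed to mirror what Cerbos returns. The decision helper is written to fail closed: only an explicit `EFFECT_ALLOW` counts as allowed, and a missing resource, a missing action or an unexpected effect string is treated as a denial.

```typescript
// Added example, not the project's or Cerbos' own code.
// Assumptions: Cerbos HTTP API (POST /api/check/resources); realm and tenant are
// carried as principal attributes; "pet" is a constructed resource kind.

type Effect = "EFFECT_ALLOW" | "EFFECT_DENY";

// The shape this page prescribes for principals, plus the id/roles Cerbos needs.
interface AppPrincipal {
  id: string;
  roles: string[];
  realm: string;
  tenant: string;
}

interface ResourceRef {
  kind: string;
  id: string;
  attr?: Record<string, unknown>;
}

interface CheckRequest {
  requestId: string;
  principal: { id: string; roles: string[]; attr: Record<string, unknown> };
  resources: { resource: { kind: string; id: string; attr: Record<string, unknown> }; actions: string[] }[];
}

interface CheckResponse {
  requestId: string;
  results: { resource: { kind: string; id: string }; actions: Record<string, Effect | string> }[];
}

// Build the request body: one entry per resource, each asking for the same actions.
function buildCheckRequest(principal: AppPrincipal, resources: ResourceRef[], actions: string[], requestId = "req-1"): CheckRequest {
  return {
    requestId,
    principal: {
      id: principal.id,
      roles: principal.roles,
      // realm/tenant are not Cerbos built-ins, so they are passed as attributes (assumption).
      attr: { realm: principal.realm, tenant: principal.tenant },
    },
    resources: resources.map((r) => ({ resource: { kind: r.kind, id: r.id, attr: r.attr ?? {} }, actions })),
  };
}

// Fail closed: allowed only when the result exists AND the effect is exactly EFFECT_ALLOW.
function isAllowed(res: CheckResponse, kind: string, id: string, action: string): boolean {
  const entry = res.results.find((r) => r.resource.kind === kind && r.resource.id === id);
  return entry?.actions[action] === "EFFECT_ALLOW";
}

// Subset of the requested actions that the response explicitly allows.
function allowedActions(res: CheckResponse, kind: string, id: string, requested: string[]): string[] {
  return requested.filter((a) => isAllowed(res, kind, id, a));
}

// Constructed sample response in the shape Cerbos returns for check/resources.
// Note "delete" was requested but is absent from the result: it must be denied.
const sampleResponse: CheckResponse = {
  requestId: "req-1",
  results: [
    { resource: { kind: "pet", id: "pet-42" }, actions: { view: "EFFECT_ALLOW", edit: "EFFECT_DENY" } },
  ],
};

const alice: AppPrincipal = { id: "user-7", roles: ["user"], realm: "prod", tenant: "acme" };
const request = buildCheckRequest(alice, [{ kind: "pet", id: "pet-42", attr: { owner_id: "user-7" } }], ["view", "edit", "delete"]);
const granted = allowedActions(sampleResponse, "pet", "pet-42", ["view", "edit", "delete"]);
```

`request` is what would be sent to Cerbos and `granted` is what the service should act on; everything not in `granted` is denied, including actions Cerbos never answered for.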

Planning Access

Cerbos can produce a policy "plan" for a given Resource kind, action and Principal, returning an Abstract Syntax Tree (AST) of Common Expression Language (CEL) conditions that our services translate into data-layer queries (for example a SQL WHERE clause), so that a listing query returns only the rows the principal is allowed to act on instead of checking each row after the fact.
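As an added example (not code from this project or from Cerbos), the following translates a `PlanResources` response into a parameterised SQL WHERE fragment. The plan shape (`filter.kind` of `KIND_ALWAYS_ALLOWED`, `KIND_ALWAYS_DENIED` or `KIND_CONDITIONAL`, and a condition tree of `expression`/`variable`/`value` operands) follows the Cerbos API; the sample plan itself is constructed, the `pet` resource kind and its `owner_id`/`tenant`/`status` attributes are assumptions, and the `$1`-style placeholders assume a PostgreSQL driver. Variables are resolved through an explicit allow-list of attribute-to-column mappings so that nothing from the plan is ever interpolated into the query text.

```typescript
// Added example, not the project's or Cerbos' own code.
// Assumptions: "pet" resource kind; attributes owner_id/tenant/status map to
// columns of the same name; PostgreSQL-style $n placeholders.

type Operand =
  | { value: unknown }
  | { variable: string }
  | { expression: { operator: string; operands: Operand[] } };

interface PlanResponse {
  requestId: string;
  action: string;
  resourceKind: string;
  filter:
    | { kind: "KIND_ALWAYS_ALLOWED" | "KIND_ALWAYS_DENIED" }
    | { kind: "KIND_CONDITIONAL"; condition: Operand };
}

interface SqlFilter { where: string; params: unknown[] }

// Allow-list of plan variables -> columns. The plan comes from policy, but a typo
// or an unexpected attribute must surface as an error, never as SQL text.
const columns: Record<string, string> = {
  "request.resource.attr.owner_id": "owner_id",
  "request.resource.attr.tenant": "tenant",
  "request.resource.attr.status": "status",
};

const binaryOps: Record<string, string> = { eq: "=", ne: "<>", lt: "<", le: "<=", gt: ">", ge: ">=" };

// Recursively compile one operand; literal values become bound parameters.
function compile(op: Operand, params: unknown[]): string {
  if ("variable" in op) {
    const col = columns[op.variable];
    if (!col) throw new Error(`unmapped variable in plan: ${op.variable}`);
    return col;
  }
  if ("value" in op) {
    params.push(op.value);
    return `$${params.length}`;
  }
  const { operator, operands } = op.expression;
  if (operator === "and" || operator === "or") {
    return "(" + operands.map((o) => compile(o, params)).join(` ${operator.toUpperCase()} `) + ")";
  }
  if (operator === "not") return `NOT (${compile(operands[0], params)})`;
  if (operator === "in") {
    const lhs = compile(operands[0], params);
    const list = operands[1];
    if (!("value" in list) || !Array.isArray(list.value)) throw new Error("in: expected a list literal");
    const placeholders = list.value.map((v) => { params.push(v); return `$${params.length}`; });
    return `${lhs} IN (${placeholders.join(", ")})`;
  }
  const sql = binaryOps[operator];
  if (!sql || operands.length !== 2) throw new Error(`unsupported operator: ${operator}`);
  return `${compile(operands[0], params)} ${sql} ${compile(operands[1], params)}`;
}

// Entry point: constant plans short-circuit, conditional plans are compiled.
function planToSql(plan: PlanResponse): SqlFilter {
  switch (plan.filter.kind) {
    case "KIND_ALWAYS_ALLOWED": return { where: "TRUE", params: [] };
    case "KIND_ALWAYS_DENIED": return { where: "FALSE", params: [] };
    case "KIND_CONDITIONAL": {
      const params: unknown[] = [];
      return { where: compile(plan.filter.condition, params), params };
    }
    default: throw new Error("unknown filter kind");
  }
}

// Constructed plan: "may view pets they own, or active/pending pets in their tenant".
const samplePlan: PlanResponse = {
  requestId: "req-2",
  action: "view",
  resourceKind: "pet",
  filter: {
    kind: "KIND_CONDITIONAL",
    condition: { expression: { operator: "or", operands: [
      { expression: { operator: "eq", operands: [{ variable: "request.resource.attr.owner_id" }, { value: "user-7" }] } },
      { expression: { operator: "and", operands: [
        { expression: { operator: "eq", operands: [{ variable: "request.resource.attr.tenant" }, { value: "acme" }] } },
        { expression: { operator: "in", operands: [{ variable: "request.resource.attr.status" }, { value: ["active", "pending"] }] } },
      ] } },
    ] } },
  },
};

const sampleFilter = planToSql(samplePlan);
// sampleFilter.where -> "(owner_id = $1 OR (tenant = $2 AND status IN ($3, $4)))"
```

The resulting `where` and `params` are appended to the listing query (`SELECT ... FROM pets WHERE <where>`), so a principal never sees rows the policy would deny; `KIND_ALWAYS_DENIED` collapses to `FALSE` rather than skipping the filter.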

Principal Structure

Our Principals follow the JSON Schema below for consistency across all services.

```json
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {
    "realm": {
      "type": "string"
    },
    "tenant": {
      "type": "string"
    }
  },
  "required": ["realm", "tenant"]
}
```

Anonymous users

In Cerbos, every request requires a Principal, whether or not the caller is authenticated. To support this, unauthenticated requests use an anonymous principal with the role `anon`. Cerbos denies by default, so this principal receives only the access a policy explicitly grants to the `anon` role.

```json
{
  "id": "anon",
  "roles": ["anon"],
  "realm": "anon",
  "tenant": "anon"
}
```

Tests

Cerbos runs policy tests as part of `cerbos compile`. See the Cerbos testing documentation for the test format, and JustPet for examples.

Within any app, run the nx target to execute the tests:

```shell
nx run <app-name>:cerbos <cerbos-options>
```

`<cerbos-options>` may be any of the `cerbos compile` flags or parameters (for example `--run=<regex>` to select tests by name, or `--skip-tests` to compile only).