The latest release of Cerbos adds a new major capability with scoped policies, a streamlined way to get started with the run command and support for SQL Server as a storage engine.

Scoped Policies

This release introduces the concept of scoped policies to address the common use case of modelling hierarchical relationships. The new scope field of resource and principal policies allows you to define a dot-separated string describing their position in the hierarchy.

At runtime, based on the scope defined by the API request, the Cerbos engine moves upwards through the set of policies in the hierarchy until one of them produces a decision. With this feature you can define a base set of access policies that can then be overridden for particular departments, tenants or any other unit of access control that makes sense for your application.

You can find the full documentation here.

Streamlined Run Command

$ cerbos run -- ./your-app

Another new feature in this release is the introduction of the cerbos run command. This command can be used as a test runner or even as a quick way to try out Cerbos. It launches a Cerbos instance in the background (loading any policies found in the policies directory) and then runs the user-provided command.

Two environment variables named CERBOS_HTTP and CERBOS_GRPC are injected to the environment of the child process so that it can discover the Cerbos PDP. When the child process exits, the Cerbos instance is automatically shutdown as well.

For more information, see the cerbos run documentation.

Microsoft SQL Server Support

In addition to MySQL, Postgres and SQLite, this release also adds support for using Microsoft SQL Server as a storage backend. These database backends enable use of the Admin API to manage policies dynamically from your application rather than using static policy files.

You can find the full release notes here and if you have any questions join our Slack community.