Cerbos PDP v0.44 & v0.45: Multi-action query plans, smarter role prioritization, and more

Published by Alex Olivier on June 17, 2025

We’re back with another combined update covering two recent releases of the Cerbos Policy Decision Point: v0.44.0 and v0.45.0. These versions bring a powerful new capability to the PlanResources API, address some important bugs, and continue our work on improving the core engine.

Let’s dive into the details.

Streamline your UI with multi-action query plans

A common pattern we see is checking a user's permissions for multiple actions on a resource to correctly render a user interface. For example, on a single "expense report" page, you might need to know if the current user can view, edit, approve, and delete the report to decide which buttons to show.

Previously, this required either multiple PlanResources calls or complex client-side logic to merge the results. With v0.44.0, we’ve made this much simpler. The PlanResources API now supports checking multiple actions in a single request!

You can now provide an actions array in your request, and Cerbos will return a single, unified query plan. This plan contains the set of constraints that must be satisfied for all of the requested actions to be allowed.

Here’s a look at the before and after:

Before (Singular action):

// One API call per action was needed
{
  "requestId": "req123",
  "principal": {
    "id": "alice",
    "roles": ["employee"]
  },
  "resource": {
    "kind": "expense_report"
  },
  "action": "view" // Deprecated
}

After (Plural actions):

// A single API call for all actions
{
  "requestId": "req123",
  "principal": {
    "id": "alice",
    "roles": ["employee"]
  },
  "resource": {
    "kind": "expense_report"
  },
  "actions": ["view", "edit", "approve", "delete"] // New!
}

This change significantly reduces API chatter and simplifies your client-side implementation. As part of this, the singular action field is now deprecated and will be removed in a future release. We encourage you to update your integrations to use the new actions array.
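As an added example (not code from Cerbos or from the original post), here is one way to migrate a client that still builds one request body per action. The helper name merge_plan_requests and the sample data are assumptions; only the field names come from the requests shown above. It refuses to merge bodies whose principal or resource differ, since a plan computed for one context must not be applied to another.

```python
import copy

# Fields that may differ between the legacy requests being merged.
_PER_CALL_FIELDS = ("requestId", "action", "actions")


def _shared_context(req):
    """Everything that must be identical across merged requests."""
    return {k: v for k, v in req.items() if k not in _PER_CALL_FIELDS}


def merge_plan_requests(legacy_requests, request_id):
    """Fold single-action PlanResources bodies into one "actions" request."""
    if not legacy_requests:
        raise ValueError("nothing to merge")
    context = _shared_context(legacy_requests[0])
    actions = []
    for req in legacy_requests:
        # A plan is only valid for the principal/resource it was asked for,
        # so never merge requests whose context differs.
        if _shared_context(req) != context:
            raise ValueError("principal/resource differ; refusing to merge")
        if "action" in req and "actions" in req:
            raise ValueError("request sets both 'action' and 'actions'")
        given = req["actions"] if "actions" in req else [req.get("action")]
        for action in given:
            if not isinstance(action, str) or not action:
                raise ValueError("missing or empty action")
            if action not in actions:  # de-duplicate, keep first-seen order
                actions.append(action)
    merged = copy.deepcopy(context)
    merged["requestId"] = request_id
    merged["actions"] = actions
    return merged


# Constructed sample input, modelled on the request shown above.
SAMPLE_LEGACY = [
    {
        "requestId": f"req-{action}",
        "principal": {"id": "alice", "roles": ["employee"]},
        "resource": {"kind": "expense_report"},
        "action": action,
    }
    for action in ("view", "edit", "approve", "delete", "view")
]

if __name__ == "__main__":
    print(merge_plan_requests(SAMPLE_LEGACY, "req123"))
```

Because the unified plan describes the constraints under which all requested actions are allowed, merge only the actions whose combined result you actually want.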

Important bug fixes in v0.45.0

This release addresses a couple of recently discovered bugs to improve the reliability and correctness of the Cerbos PDP.

Policy cache now reloads correctly

We identified an issue where the policy evaluation engine was not correctly respecting the compile.cacheDuration setting. This meant that compiled policies were stored in memory indefinitely, and changes to your policy files would not be picked up without a manual reload (via the Admin API) or a full process restart. This bug has been fixed, and the PDP will now automatically clear the compilation cache and pick up policy changes as expected.

Smarter role prioritization in query plans

The query plan output was incorrectly prioritizing roles with deny rules when a principal had multiple roles. This could lead to overly restrictive query plans.

Consider a principal who is both an admin (with broad allow rules) and a viewer (with more specific deny rules). The admin role's permissions should take precedence. The query planner now correctly prioritizes the role(s) that grant access, ensuring the generated plan is not unnecessarily constrained by lower-privileged roles.

Other improvements and noteworthy changes

Across both releases, we’ve included several other valuable updates:

  • Policy naming restriction (v0.45.0): To prevent ambiguity and improve readability, policy names can no longer contain wildcard characters (*). Policy names should be descriptive identifiers that can also serve as file names, and this change helps enforce that best practice.
  • Heads-up, configuration change for connRetry.maxAttempts (v0.44.0): We’ve slightly adjusted the meaning of storage.<driver>.connRetry.maxAttempts. It now represents the total number of connection attempts, including the initial one (previously, it was the number of retries). For most users, this won't have a noticeable impact. However, if you have this configured, you should increment your current value by one when upgrading to ensure the same behavior.
  • Under-the-hood improvements (v0.44.0): We've continued our major engine overhaul to improve performance and maintainability. We also shipped improvements to generate more succinct and efficient query plans, and added new utilities and fixes for Cerbos Hub integrations.

As always, you can find the complete list of changes in the release notes on GitHub.

We welcome your feedback on these new features and improvements. Feel free to join the conversation in our Slack community or start a discussion on GitHub.
