Cerbos PDP v0.51.0: Policy lifecycle management, audit enhancements, and scopes

Published by Alex Olivier on February 10, 2026

The Cerbos PDP v0.51.0 release introduces new Admin API capabilities for policy lifecycle management, enhanced audit logging with request context, and several important updates to scope handling that improve consistency across the evaluation engine.

Policy lifecycle management

DeletePolicies RPC

Managing policy lifecycles in production environments just got easier. The new DeletePolicies RPC enables secure removal of policies from database-backed stores through the Admin API. Critically, the endpoint includes integrity validation; any deletion request that would compromise policy store integrity is automatically rejected.

This feature is particularly useful for teams managing large policy repositories who need to clean up deprecated or superseded policies without risking broken authorization.

PurgeStoreRevisions RPC

Database stores accumulate backup copies of policies with each add or update operation. Over time, this can consume significant storage. The new PurgeStoreRevisions RPC allows administrators to reclaim this space by removing historical policy revisions.

Note: Database users will require DELETE privileges on the policy_revision table to use this feature.

Enhancements

Request context for audit logs

A new optional requestContext field is now available in CheckResources and PlanResources requests. This field allows applications to attach arbitrary metadata, such as correlation IDs, user session identifiers, or trace context, that flows through to audit logs.

This enhancement significantly improves the ability to correlate authorization decisions with broader application activity during debugging and compliance audits.
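Because anything placed in requestContext ends up in audit logs, it is worth filtering the metadata before it is attached. The following Python helper is an added example, not Cerbos code: it allow-lists and bounds the values and replaces the live session ID with a hashed reference. The key names, the limits, and the flat-object layout of requestContext are assumptions for illustration; check the API reference for the field's actual schema.

```python
import hashlib
import re
import uuid

# Assumed allow-list and limit for this example; anything else never reaches the audit log.
ALLOWED_KEYS = {"correlation_id", "session_ref", "traceparent"}
MAX_VALUE_LEN = 128
# W3C Trace Context header: version-traceid-spanid-flags
TRACEPARENT_RE = re.compile(r"^[0-9a-f]{2}-[0-9a-f]{32}-[0-9a-f]{16}-[0-9a-f]{2}$")

def session_ref(session_id: str) -> str:
    """Non-reversible reference to a session, so the live session ID is never logged."""
    return hashlib.sha256(session_id.encode()).hexdigest()[:16]

def build_request_context(raw: dict) -> dict:
    """Keep only allow-listed, bounded, printable string values."""
    ctx = {}
    for key, value in raw.items():
        if key not in ALLOWED_KEYS or not isinstance(value, str):
            continue  # drops tokens, headers and non-string payloads
        if len(value) > MAX_VALUE_LEN or not value.isprintable():
            continue  # drops oversized values and control characters (log injection)
        if key == "traceparent" and not TRACEPARENT_RE.match(value):
            continue  # drops malformed trace context
        ctx[key] = value
    return ctx

def check_resources_body(principal: dict, resource: dict, actions: list, raw_ctx: dict) -> dict:
    """CheckResources JSON body with requestContext attached (flat-object layout assumed)."""
    return {
        "requestId": str(uuid.uuid4()),
        "principal": principal,
        "resources": [{"actions": actions, "resource": resource}],
        "requestContext": build_request_context(raw_ctx),
    }

# Constructed sample input.
SAMPLE = check_resources_body(
    {"id": "alice", "roles": ["employee"]},
    {"kind": "leave_request", "id": "LR-1"},
    ["view"],
    {
        "correlation_id": "req-7f3a",
        "session_ref": session_ref("constructed-session-id"),
        "traceparent": "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01",
        "authorization": "Bearer constructed-token",  # dropped: not allow-listed
    },
)
```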

Explicit versioning for role policies

Role policies now support optional explicit version declarations rather than assuming "default." While currently optional for backward compatibility, explicit versioning will become mandatory in a future release. Teams using role policies should begin adding explicit version fields to prepare for this change.

Improved test filtering

The cerbos compile command introduces a new --test-filter flag, replacing the now-deprecated --run flag. The new flag offers filtering across five dimensions:

  • Suite name
  • Test name
  • Principal
  • Resource
  • Action

This provides much finer control when running specific subsets of policy tests during development and CI pipelines.

Scope updates

This release includes several important updates to scope handling:

  • Blob storage reliability: Fixed an issue where failed blob store downloads could leave empty files, potentially causing unexpected policy behavior
  • Lenient scope search consistency: Corrected lenient scope search activation in both CheckResources and PlanResources evaluations
  • Scope chain traversal: Principal and resource policies now traverse their scope chains independently, fixing edge cases where coupled traversal produced incorrect results
  • Role policy inheritance: Fixed an issue with permission inheritance on unspecified resources in role policies

For the complete list of changes, see the full changelog.


What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.