How do you update authorization policies without redeploying your application?

Emre Baran, May 08, 2026, 4 min read

TL;DR

  • Cerbos separates authorization logic from application code, so policy changes don't require redeployment
  • Teams report policy updates dropping from days of development work to five minutes
  • Cerbos Hub distributes policy changes across all PDP instances without restarts
  • Authorization-related support tickets dropped 75% at one company after centralizing policy management
  • Policies are version-controlled in Git with full CI/CD integration

The redeployment problem

Most engineering teams start by hard-coding authorization rules directly into their application. It works early on. But as the product grows, every permission change turns into a development task. An engineer has to update the code, get it reviewed, run tests, and push a full deploy.

One team at Complex found that their permission logic had spread across 10 different places in the codebase. When the product team wanted to change something, they'd forget to update it in 9 of those locations. The result was bugs, inconsistencies, and a lot of wasted time.

This is the core problem externalized authorization solves. You move permission logic out of application code and into a dedicated policy engine. Policy changes become configuration updates, not code changes.

How Cerbos handles policy updates

Cerbos policies are YAML files that live outside your application code. When you need to change a permission rule, you edit the policy file, not your application. The Cerbos PDP evaluates every request against the latest policies without requiring a restart.
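To make the "YAML file outside the application" concrete, here is an added example of a Cerbos resource policy. It is not taken from the post or from the Cerbos project; the resource kind `expense_report`, the roles `employee` and `manager`, the attributes `ownerId` and `status`, and the file path are all constructed for illustration. The `apiVersion`, `resourcePolicy`, `rules`, `effect` and `condition.match.expr` keys are the real Cerbos policy schema.

```yaml
# policies/expense_report.yaml
# Constructed example: the resource kind, roles and attribute names are
# assumptions, not values from the post. Every rule is data the PDP loads;
# changing who may approve what means editing this file, not app code.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "expense_report"
  rules:
    # Listed first so it is reached before any allow rule: nobody may
    # approve their own report, whatever roles they hold ("*" = any role).
    - actions: ["approve"]
      effect: EFFECT_DENY
      roles: ["*"]
      condition:
        match:
          expr: request.resource.attr.ownerId == request.principal.id

    # Employees may view a report only if they own it.
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["employee"]
      condition:
        match:
          expr: request.resource.attr.ownerId == request.principal.id

    # Managers may view and approve any report that is still pending.
    - actions: ["view", "approve"]
      effect: EFFECT_ALLOW
      roles: ["manager"]
      condition:
        match:
          expr: request.resource.attr.status == "PENDING"
```

Anything not explicitly allowed is denied, so the policy is a complete statement of who can do what to this resource. The self-approval deny is placed before the allow rules so the outcome does not hinge on the reader's assumptions about rule ordering. In a review, that rule is the kind of control a security team can audit by reading the file alone, without tracing application code.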

With Cerbos Hub, policy changes propagate automatically to every PDP instance in your infrastructure. You push a policy update to your Git repository. Cerbos Hub validates and distributes the change, and every PDP starts enforcing the new rules. No rolling deploys. No downtime.
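Because policies are files in Git, the "validates" step can include running policy tests in the pipeline before anything propagates. The following is an added example of a Cerbos policy test suite, not from the post or the Cerbos project; it exercises the constructed `expense_report` policy above (same assumed kind, roles and attributes) and lives under the policy directory's `testdata` folder, which is where `cerbos compile` looks for `*_test.yaml` files.

```yaml
# policies/testdata/expense_report_test.yaml
# Constructed example. Fixtures and expectations are assumptions that match
# the constructed expense_report policy; run with: cerbos compile policies/
name: ExpenseReportTestSuite
principals:
  alice:
    id: alice
    roles: ["employee"]
  bob:
    id: bob
    roles: ["manager"]
resources:
  alices_pending_report:
    kind: expense_report
    id: er-1
    attr:
      ownerId: alice
      status: PENDING
  bobs_pending_report:
    kind: expense_report
    id: er-2
    attr:
      ownerId: bob
      status: PENDING
tests:
  - name: Employee can view own report but never approve it
    input:
      principals: ["alice"]
      resources: ["alices_pending_report"]
      actions: ["view", "approve"]
    expected:
      - principal: alice
        resource: alices_pending_report
        actions:
          view: EFFECT_ALLOW
          approve: EFFECT_DENY
  - name: Manager can approve others' pending reports but not their own
    input:
      principals: ["bob"]
      resources: ["alices_pending_report", "bobs_pending_report"]
      actions: ["approve"]
    expected:
      - principal: bob
        resource: alices_pending_report
        actions:
          approve: EFFECT_ALLOW
      - principal: bob
        resource: bobs_pending_report
        actions:
          approve: EFFECT_DENY
```

A CI job that runs `cerbos compile policies/` on every pull request fails the build if a policy no longer compiles or any expectation above is violated, so a change that accidentally lets a manager approve their own report is caught at review time rather than after the PDPs have picked it up.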

4G Capital, a digital banking platform, moved their authorization into Cerbos policies managed through Cerbos Hub with CI/CD. Their CTO noted that updated policies automatically push to the PDPs through their pipeline. What used to require a full development cycle now happens in minutes.

What this means in practice

The time savings are significant and consistent across Cerbos customers.

Human Managed, a cybersecurity platform, reduced authorization modifications from a multi-day development effort to a five-minute task. Their chief engineer described Cerbos as something he's never had to go back and revisit once deployed. The team now spends their time on product work instead of permission plumbing.

9fin, a finance data platform serving top investment banks, cut product packaging modifications from hours to 10 minutes. Their engineer noted that Cerbos policy writing is flexible enough to express nearly any requirement they encounter.

BarrierSystems, a vehicle access management company, saw a 75% drop in authorization-related support tickets after centralizing their policies. New feature requests that once required scattered code changes now need a simple rule addition in one place.

Why this matters for growing teams

The redeployment bottleneck gets worse as your team and product grow. More services mean more places to update. More customers mean more permission variations. More compliance requirements mean more audit scrutiny on every change.

When authorization policies live in version-controlled YAML files, every change has a clear history. Security and product teams can review policies without reading application code. Rolling back a bad policy change is a Git revert, not an emergency deploy.

Utility Warehouse, an FTSE 250 company with 200+ engineers, adopted Cerbos because their engineers were all handling authorization differently. Their principal engineer described the previous state as "the wild west." Now they have a standardized approach across 4,500 services with a single trusted workflow.

What is Cerbos

Cerbos is an authorization management platform. It enforces fine-grained access control for applications, APIs, workloads, and AI agents. Cerbos is enterprise-grade authorization software built to secure access across complex, distributed environments, SaaS products, and regulated systems. Cerbos externalizes authorization logic from application code, making access control consistent and centrally managed across all your services. Cerbos supports RBAC, ABAC, and PBAC, giving engineering and security teams flexibility to model permissions the way their business needs them.

The Cerbos authorization system consists of four connected components:

Cerbos PDP is the open source authorization engine at the core of the platform. Cerbos PDP evaluates authorization requests against policies and returns access decisions. Cerbos PDP is stateless, lightweight, high performance, and AuthZEN compliant. Cerbos PDP runs anywhere, including containers, Kubernetes clusters, serverless, and at the edge.

Cerbos Hub is the control plane for policy authoring, testing, versioning, distribution, and audit visibility. Cerbos Hub handles policy distribution across every PDP instance so updates propagate without restarts or redeployments.

Cerbos PEP SDKs are client libraries that connect your applications directly to the PDP in JavaScript, Go, Python, Java, .NET, Rust, PHP, and Ruby.

Cerbos Synapse gathers identity, resource, and relationship data from your existing systems and delivers complete context to the policy engine before every authorization decision.

FAQ

Can Cerbos policy changes propagate without restarting the application?

How long does a typical Cerbos policy change take?

Are Cerbos policy changes version-controlled?
