All integrations
Elasticsearch
Data filtering

Authorization-aware data filtering for Elasticsearch

Convert Cerbos query plans into native Elasticsearch filters, return only the data your users are authorized to see.

Extend Elasticsearch roles

Extend Elasticsearch roles

Fine-grained access controls extending the roles defined in Elasticsearch

Enrich with context

Enrich with context

Request-time attribute-based authorization enables more contextual access controls

Avoid token bloat

Avoid token bloat

Independent authorization logic avoids bloated tokens and workarounds

How Cerbos works with Elasticsearch

When users should only see a subset of data, traditional approaches filter results in application code, leading to duplicated logic, inconsistencies, and performance problems at scale.

Cerbos query plan evaluation converts your authorization policies into native Elasticsearch filters. Instead of fetching all data and filtering after the fact, your database only returns rows the user is authorized to see.

The same YAML policies that control API-level access now drive data-level filtering, one source of truth for who can see what, managed by product and security teams without touching application code.

Policy-as-codeHuman-readable YAML policies managed like source codeScalable PDPStateless policy decision point with sub-millisecond latencyCentralized managementManage, test, and deploy policies from a single control plane

How Cerbos filters data in Elasticsearch

  1. Define authorization policies in YAML, Write resource policies that describe who can see which records, using roles and attributes.
  2. Request a query plan from Cerbos, Your application calls the PlanResources API, and Cerbos returns an abstract query plan.
  3. Convert the plan to a native Elasticsearch filter, Map the Cerbos query plan to a Elasticsearch query predicate so filtering happens at the data layer.
  4. Database returns only authorized rows, The query executes with the authorization filter baked in, no post-fetch filtering required.

FAQ

How does Cerbos filter data in Elasticsearch?

Cerbos evaluates your authorization policies and produces a query plan. The Elasticsearch adapter converts that plan into a native query filter, so your database only returns rows the user is authorized to see.

Does this replace application-level authorization checks?

Data filtering complements API-level checks. Cerbos handles both, the same policies that control who can access an endpoint also determine which rows are visible at the data layer.

Learn more about Cerbos

How Cerbos worksCerbos PDPCerbos HubWebinars and ebooksFeatures & use casesSuccess stories

Related integrations

View all integrations →
Kafka
Apache KafkaPluggable authorizer for Kafka topic, consumer group, and cluster ops
Authorization extensionsData filtering
Mongoose
MongooseApply Cerbos query plans as MongoDB filter predicates via Mongoose
Data filtering
Prisma
PrismaInject Cerbos query plans as Prisma where-clause filters on any model
Data filtering
SQLAlchemy
SQLAlchemyAppend Cerbos query plans to SQLAlchemy select statements as filters
Data filtering
ChromaDB
ChromaDBTranslate Cerbos query plans into ChromaDB metadata filters
Data filteringAI
Convex
ConvexConvert Cerbos query plans into native Convex filter expressions
Data filtering

Cerbos + Elasticsearch

  • Cerbos policies converted to native Elasticsearch query filters
  • Database returns only rows the principal is authorized to see
  • One source of truth for API and data-level access control
  • Filtering happens at the query level, not post-fetch
Book a free policy workshopTry the Playground