Authorization-aware data filtering for Elasticsearch
Convert Cerbos query plans into native Elasticsearch filters, return only the data your users are authorized to see.
Extend Elasticsearch roles
Fine-grained access controls extending the roles defined in Elasticsearch
Enrich with context
Request-time attribute-based authorization enables more contextual access controls
Avoid token bloat
Independent authorization logic avoids bloated tokens and workarounds
How Cerbos works with Elasticsearch
When users should only see a subset of data, traditional approaches filter results in application code, leading to duplicated logic, inconsistencies, and performance problems at scale.
Cerbos query plan evaluation converts your authorization policies into native Elasticsearch filters. Instead of fetching all data and filtering after the fact, your database only returns rows the user is authorized to see.
The same YAML policies that control API-level access now drive data-level filtering, one source of truth for who can see what, managed by product and security teams without touching application code.
How Cerbos filters data in Elasticsearch
- Define authorization policies in YAML, Write resource policies that describe who can see which records, using roles and attributes.
- Request a query plan from Cerbos, Your application calls the PlanResources API, and Cerbos returns an abstract query plan.
- Convert the plan to a native Elasticsearch filter, Map the Cerbos query plan to a Elasticsearch query predicate so filtering happens at the data layer.
- Database returns only authorized rows, The query executes with the authorization filter baked in, no post-fetch filtering required.
FAQ
How does Cerbos filter data in Elasticsearch?
Cerbos evaluates your authorization policies and produces a query plan. The Elasticsearch adapter converts that plan into a native query filter, so your database only returns rows the user is authorized to see.
Does this replace application-level authorization checks?
Data filtering complements API-level checks. Cerbos handles both, the same policies that control who can access an endpoint also determine which rows are visible at the data layer.
Learn more about Cerbos
Related integrations
View all integrations →
Cerbos + Elasticsearch
- Cerbos policies converted to native Elasticsearch query filters
- Database returns only rows the principal is authorized to see
- One source of truth for API and data-level access control
- Filtering happens at the query level, not post-fetch
Authorization for AI systems
By industry
By business requirement
Useful links
What is Cerbos?
Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.
Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.