
Authorization for Ruby on Rails applications with Cerbos

Add policy-based authorization to Rails controllers and actions using the Cerbos Ruby SDK. Enforce fine-grained access control via before-action callbacks or controller concerns.

Guard controllers and actions

Add Cerbos checks as before_action callbacks or controller concerns to enforce permissions before actions execute.

Attribute-based decisions

Pass user identity, request parameters, and model attributes from Rails to Cerbos for context-aware authorization decisions.

Decouple policy from code

Move authorization rules out of Ruby policy classes into versioned YAML policies that can be updated without redeploying your Rails application.

How Cerbos works with Ruby on Rails

Building authorization logic inside Ruby on Rails quickly becomes a maintenance burden. Hard-coded role checks end up scattered across controllers and middleware, and every permission change requires a code deploy.

Cerbos replaces scattered authorization logic with a single API call. You define fine-grained policies in YAML, and the Cerbos PDP evaluates them at request time using roles, attributes, and any context you provide.

With Cerbos your Ruby on Rails application stays focused on business logic while authorization policies evolve independently, managed by product or security teams without touching code.

  1. Add the Cerbos Ruby SDK to your Rails project. Install the gem and configure a Cerbos client, typically initialized once in an initializer or base controller rather than per request.
  2. Call Cerbos from controllers or concerns. Extract the authenticated user from your authentication layer, build a Cerbos check request with the principal, the target resource and the action, and allow or deny access based on the PDP response. Treat an unreachable PDP or an error response as a deny so that an outage fails closed.
  3. Define authorization policies in YAML. Write resource and principal policies that capture your access control rules, including roles, attributes, and conditions. Store them alongside your code and version them in git.
  4. Cerbos evaluates policies at request time. Every authorization check is evaluated against the latest policies loaded by the PDP, with sub-millisecond latency. Update rules without redeploying your Rails application.
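The four steps above worked as one stand-alone example. This is added code, not code from the Cerbos Ruby SDK or from a Cerbos-maintained Rails integration. It runs offline by substituting a small in-process stand-in for the PDP (OfflinePdp, hypothetical) that honours roles, wildcard actions, deny-overrides-allow and a single equality condition; the real PDP is a separate service that evaluates full CEL expressions. The check_resource(principal:, resource:, actions:) call and the allow? accessor follow the documented shape of the Cerbos Ruby SDK client; DOCUMENT_POLICY, CerbosGate, ACTION_MAP and the sample users and document are constructed for this example.

```ruby
# Added example (not Cerbos or Rails project code): the request shape a Rails
# controller sends to the Cerbos PDP and the fail-closed gate around the answer.
require "yaml"

# Constructed Cerbos resource policy in the real YAML format: any "user" may view,
# only the owner may edit/delete, "admin" may do anything.
DOCUMENT_POLICY = <<~YAML
  apiVersion: api.cerbos.dev/v1
  resourcePolicy:
    version: "default"
    resource: "document"
    rules:
      - actions: ["view"]
        effect: EFFECT_ALLOW
        roles: ["user", "admin"]
      - actions: ["edit", "delete"]
        effect: EFFECT_ALLOW
        roles: ["user"]
        condition:
          match:
            expr: request.resource.attr.ownerId == request.principal.id
      - actions: ["*"]
        effect: EFFECT_ALLOW
        roles: ["admin"]
YAML

# Decision object exposing the same allow?(action) accessor that the Cerbos Ruby
# SDK's check_resource result exposes (assumption: SDK surface as documented upstream).
Decision = Struct.new(:allowed) do
  def allow?(action)
    allowed.fetch(action.to_s, false)
  end
end

# Offline stand-in for the PDP (hypothetical; the real PDP is a separate service
# evaluating full CEL). It honours roles, wildcard actions, deny-overrides-allow and
# the one condition shape used above: request.resource.attr.<key> == request.principal.id
class OfflinePdp
  def initialize(policy_yaml)
    @rules = YAML.safe_load(policy_yaml).dig("resourcePolicy", "rules")
  end

  # Mirrors Cerbos::Client#check_resource(principal:, resource:, actions:).
  def check_resource(principal:, resource:, actions:)
    Decision.new(actions.to_h { |a| [a.to_s, allowed?(principal, resource, a.to_s)] })
  end

  private

  def allowed?(principal, resource, action)
    matching = @rules.select do |r|
      (r["actions"].include?(action) || r["actions"].include?("*")) &&
        (r["roles"] & principal[:roles]).any? &&
        condition_holds?(r["condition"], principal, resource)
    end
    return false if matching.any? { |r| r["effect"] == "EFFECT_DENY" } # deny wins
    matching.any? { |r| r["effect"] == "EFFECT_ALLOW" }
  end

  def condition_holds?(condition, principal, resource)
    return true if condition.nil?
    expr = condition.dig("match", "expr")
    m = expr.match(/\Arequest\.resource\.attr\.(\w+) == request\.principal\.id\z/)
    raise ArgumentError, "unsupported expr for this stand-in: #{expr}" unless m
    resource[:attributes][m[1].to_sym] == principal[:id]
  end
end

# Controller-side gate, written as a plain module so it runs without Rails. In an app
# this is an ActiveSupport::Concern with `before_action :authorize_document!` that
# calls `head :forbidden` on deny; here it returns the status the callback would send.
module CerbosGate
  # Rails action names -> Cerbos actions (assumption: mapping chosen for this example).
  ACTION_MAP = { "show" => "view", "edit" => "edit", "update" => "edit",
                 "destroy" => "delete" }.freeze

  # Returns 200 when the PDP allows the action, 403 otherwise. Any SDK, transport or
  # mapping error is treated as a deny (fail closed) rather than letting the action run.
  def self.authorize(pdp, current_user, document, rails_action)
    action = ACTION_MAP.fetch(rails_action)
    decision = pdp.check_resource(
      principal: { id: current_user[:id], roles: current_user[:roles] },
      resource: { kind: "document", id: document[:id],
                  attributes: { ownerId: document[:owner_id] } },
      actions: [action]
    )
    decision.allow?(action) ? 200 : 403
  rescue StandardError
    403
  end
end

if __FILE__ == $PROGRAM_NAME
  pdp = OfflinePdp.new(DOCUMENT_POLICY)
  alice = { id: "alice", roles: ["user"] }        # constructed sample principal
  doc = { id: "42", owner_id: "bob" }             # constructed sample record
  puts CerbosGate.authorize(pdp, alice, doc, "show")    # any user may view
  puts CerbosGate.authorize(pdp, alice, doc, "update")  # alice is not the owner
end
```

In a Rails application the only parts that change are the wiring: the client is a Cerbos::Client built once in an initializer, the principal comes from your authentication layer (current_user), the resource attributes are read from the loaded model, and the 403 becomes head :forbidden inside the before_action. The rescue that maps any error to a deny is the part worth keeping verbatim: an unreachable PDP must never be mistaken for an allow.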

FAQ

How do I integrate Cerbos with Rails?

Use the Cerbos Ruby SDK to create a client and call the Cerbos PDP from your Rails controllers. Extract the authenticated user from the session or authentication layer, build a Cerbos check request with the resource and action, and gate access based on the PDP response.

Can I use Cerbos in Rails controller callbacks?

Yes. Create a before_action callback or controller concern that extracts principal and resource information from the request, calls the Cerbos PDP, and either allows the action to proceed or returns a 403. Apply it to specific controllers or actions with the usual only:/except: options, and treat a failed call to the PDP as a deny.

Does Cerbos replace Pundit or CanCanCan?

Cerbos can replace gems like Pundit or CanCanCan. Instead of defining policy classes in Ruby, you define authorization policies in YAML and evaluate them at request time through the Cerbos PDP, decoupling policy from application code.

Cerbos + Ruby on Rails

  • Single API call replaces hard-coded permission checks in Ruby on Rails
  • Policies updated independently of application deploys
  • Authorization policies versioned and tested like source code
  • Stateless PDP scales independently of the application

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege and maintain full visibility into access decisions with Cerbos authorization.