Authorization-aware data filtering for UCAST (Universal Conditions AST)

Convert Cerbos query plans into native UCAST (Universal Conditions AST) filters and return only the data your users are authorized to see.

Extend UCAST roles

Fine-grained access controls extending the roles defined in UCAST

Enrich with context

Request-time, attribute-based authorization enables more contextual access controls

Avoid token bloat

Independent authorization logic avoids bloated tokens and workarounds

How Cerbos works with UCAST (Universal Conditions AST)

When users should only see a subset of data, traditional approaches filter results in application code, leading to duplicated logic, inconsistencies, and performance problems at scale.

Cerbos query plan evaluation converts your authorization policies into native UCAST (Universal Conditions AST) filters. Instead of fetching all data and filtering after the fact, your database only returns rows the user is authorized to see.

The same YAML policies that control API-level access now drive data-level filtering: one source of truth for who can see what, managed by product and security teams without touching application code.

How Cerbos filters data in UCAST (Universal Conditions AST)

  1. Define authorization policies in YAML. Write resource policies that describe who can see which records, using roles and attributes.
  2. Request a query plan from Cerbos. Your application calls the PlanResources API, and Cerbos returns an abstract query plan.
  3. Convert the plan to a native UCAST (Universal Conditions AST) filter. Map the Cerbos query plan to a UCAST (Universal Conditions AST) query predicate so filtering happens at the data layer.
  4. Database returns only authorized rows. The query executes with the authorization filter baked in; no post-fetch filtering is required.
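
A sketch of steps 2 to 4 as an added example (not the Cerbos adapter and not code from this page): it maps a constructed PlanResources-style filter onto plain objects shaped like UCAST conditions. The plan JSON shape, the `request.resource.attr.` prefix mapping, the operator names and the function names are assumptions; anything the converter does not recognize throws, so the caller can deny the request instead of running an unfiltered query.

```javascript
// Added example; plan shape and names are assumptions, sample data is constructed.
const COMPARE = { eq: "eq", ne: "ne", lt: "lt", le: "lte", gt: "gt", ge: "gte", in: "in" };
const FLIP = { eq: "eq", ne: "ne", lt: "gt", lte: "gte", gt: "lt", gte: "lte" };
const PREFIX = "request.resource.attr.";

// Only resource attributes may become filter fields; anything else is rejected.
function fieldName(variable) {
  if (!variable.startsWith(PREFIX)) throw new Error(`unmapped variable: ${variable}`);
  return variable.slice(PREFIX.length);
}

// Recursively map one plan operand to a UCAST-shaped condition object.
function toCondition(node) {
  if (!node || !node.expression) throw new Error("expected an expression operand");
  const { operator, operands } = node.expression;
  if (["and", "or", "not"].includes(operator)) {
    return { operator, value: operands.map(toCondition) };
  }
  const op = COMPARE[operator];
  if (!op || operands.length !== 2) throw new Error(`unsupported operator: ${operator}`);
  const [a, b] = operands;
  if ("variable" in a && "value" in b) {
    return { operator: op, field: fieldName(a.variable), value: b.value };
  }
  // Literal on the left (e.g. 18 < attr.age): swap sides and mirror the operator.
  if ("value" in a && "variable" in b && FLIP[op]) {
    return { operator: FLIP[op], field: fieldName(b.variable), value: a.value };
  }
  throw new Error(`unsupported operands for ${operator}`);
}

// Fail closed: ALWAYS_DENIED and unknown kinds never yield a runnable filter.
function planToFilter(plan) {
  switch (plan.filter.kind) {
    case "KIND_ALWAYS_ALLOWED": return { allowed: true, condition: null };
    case "KIND_ALWAYS_DENIED": return { allowed: false, condition: null };
    case "KIND_CONDITIONAL":
      return { allowed: true, condition: toCondition(plan.filter.condition) };
    default: throw new Error(`unknown plan kind: ${plan.filter.kind}`);
  }
}

// Constructed sample: "owner is alice, or the record is public".
const samplePlan = { filter: { kind: "KIND_CONDITIONAL", condition: { expression: {
  operator: "or", operands: [
    { expression: { operator: "eq", operands: [{ variable: "request.resource.attr.owner" }, { value: "alice" }] } },
    { expression: { operator: "eq", operands: [{ value: true }, { variable: "request.resource.attr.public" }] } },
  ] } } } };
console.log(JSON.stringify(planToFilter(samplePlan), null, 2));
```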

FAQ

How does Cerbos filter data in UCAST (Universal Conditions AST)?

Cerbos evaluates your authorization policies and produces a query plan. The UCAST (Universal Conditions AST) adapter converts that plan into a native query filter, so your database only returns rows the user is authorized to see.

Does this replace application-level authorization checks?

Data filtering complements API-level checks. Cerbos handles both: the same policies that control who can access an endpoint also determine which rows are visible at the data layer.

Cerbos + UCAST (Universal Conditions AST)

  • Cerbos policies converted to native UCAST (Universal Conditions AST) query filters
  • Database returns only rows the principal is authorized to see
  • One source of truth for API and data-level access control
  • Filtering happens at the query level, not post-fetch

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege and maintain full visibility into access decisions with Cerbos authorization.