All integrations
UCAST
Data filtering

Authorization-aware data filtering for UCAST (Universal Conditions AST)

Convert Cerbos query plans into native UCAST (Universal Conditions AST) filters, return only the data your users are authorized to see.

Extend UCAST roles

Extend UCAST roles

Fine grained access controls extending the roles defined in UCAST

Enrich with context

Enrich with context

Request time attribute based authorization enables more contextual access controls

Avoid token bloat

Avoid token bloat

Independent authorization logic avoids bloated tokens and workarounds

How Cerbos works with UCAST (Universal Conditions AST)

When users should only see a subset of data, traditional approaches filter results in application code, leading to duplicated logic, inconsistencies, and performance problems at scale.

Cerbos query plan evaluation converts your authorization policies into native UCAST (Universal Conditions AST) filters. Instead of fetching all data and filtering after the fact, your database only returns rows the user is authorized to see.

The same YAML policies that control API-level access now drive data-level filtering, one source of truth for who can see what, managed by product and security teams without touching application code.

Policy-as-codeHuman-readable YAML policies managed like source codeScalable PDPStateless policy decision point with sub-millisecond latencyCentralized managementManage, test, and deploy policies from a single control plane

How Cerbos filters data in UCAST (Universal Conditions AST)

  1. Define authorization policies in YAML, Write resource policies that describe who can see which records, using roles and attributes.
  2. Request a query plan from Cerbos, Your application calls the PlanResources API, and Cerbos returns an abstract query plan.
  3. Convert the plan to a native UCAST (Universal Conditions AST) filter, Map the Cerbos query plan to a UCAST (Universal Conditions AST) query predicate so filtering happens at the data layer.
  4. Database returns only authorized rows, The query executes with the authorization filter baked in, no post-fetch filtering required.

FAQ

How does Cerbos filter data in UCAST (Universal Conditions AST)?

Cerbos evaluates your authorization policies and produces a query plan. The UCAST (Universal Conditions AST) adapter converts that plan into a native query filter, so your database only returns rows the user is authorized to see.

Does this replace application-level authorization checks?

Data filtering complements API-level checks. Cerbos handles both, the same policies that control who can access an endpoint also determine which rows are visible at the data layer.

Learn more about Cerbos

How Cerbos worksCerbos PDPCerbos HubWebinars and ebooksFeatures & use casesSuccess stories

Related integrations

View all integrations →
Kafka
Apache KafkaPluggable authorizer for Kafka topic, consumer group, and cluster ops
Authorization extensionsData filtering
Mongoose
MongooseApply Cerbos query plans as MongoDB filter predicates via Mongoose
Data filtering
Prisma
PrismaInject Cerbos query plans as Prisma where-clause filters on any model
Data filtering
SQLAlchemy
SQLAlchemyAppend Cerbos query plans to SQLAlchemy select statements as filters
Data filtering
ChromaDB
ChromaDBTranslate Cerbos query plans into ChromaDB metadata filters
Data filteringAI
Convex
ConvexConvert Cerbos query plans into native Convex filter expressions
Data filtering

Cerbos + UCAST (Universal Conditions AST)

  • Cerbos policies converted to native UCAST (Universal Conditions AST) query filters
  • Database returns only rows the principal is authorized to see
  • One source of truth for API and data-level access control
  • Filtering happens at the query level, not post-fetch
Book a free policy workshopTry the Playground