bg
All features

Role policies with Cerbos

Author permissions from a role’s point of view, not just the resource, and enforce least privilege by default.

Understanding role policies

Role policies in Cerbos provide a structured approach to defining permissions based on orientations around a role that can be assigned to a user or a non-human identity. They allow teams to specify which actions a particular role can perform on various resources, facilitating clear and manageable access control without having to augment the underlying resource policies.

During access checks, Cerbos evaluates role policies that match the principal's role and scope first. If multiple role policies apply, their permissions are combined, and then this is used as a permission-narrowing mechanism to limit which actions on resources are allowed.

Precision and enhanced security

  • Role-centric definition: Permissions are grouped by role, specifying what actions that role can perform on various resources, and removing the need for new roles to be added to the resource policies.
  • Inheritance and narrowing: Role policies inherit from parentRoles. These parents can be roles defined in an Identity Provider (IdP) or other role policies within Cerbos. A role policy can only narrow the permissions granted by its parentRoles. It cannot grant permissions that are not already allowed by the parents.
  • Scope-aware: Role policies are inherently scope-aware. A role policy defined with a scope attribute will only apply to principals acting within that specific tenant context.
  • Implicit deny: Actions not explicitly listed in allowActions within a matching rule are implicitly denied for that rule. The policy as a whole represents an exhaustive view of what is allowed on that resource.

Join hundreds of leading companies using Cerbos

The world's leading crypto finance house serving people, projects, protocols and institutions since 2011.
Utility Warehouse synchronizes authorization across 4,500 services and secures millions of NHIs.
One of the world's leading automobile manufacturers.
Flash eliminates authorization technical debt and doubles corporate card spending with Cerbos.
4G Capital saves a quarter-million dollars per year with Cerbos.
An employee experience that people love.
Creating a world where workplaces work better.
BarrierSystems integrates Cerbos into smart vehicle access gates, cutting internal costs by 15%.
Enabling all healthcare stakeholders to easily share information and work together.
Most secured and interactive NG911 cloud native communications platform for mission-critical contact centers.
The number 1 company in Italy to buy and sell.
Enhancing and accelerating the software development lifecycle.
Protecting user data with true end-to-end encryption.
The leading European analyst firm in identity and access management.
Modern and digital survey solutions for companies.
Complex (NTWRK) makes a complex access control system easy to manage with Cerbos.
The experts in medical imaging technology.
Making the world a better place to work together.
An early stage tech venture investor.
The collaborative platform to build conversational AI.
Human Managed creates a future-proof ABAC engine with Cerbos.
The fastest development platform.
Delivering innovative solutions to track and certify data and operations.
The leading contract creation and collaboration platform.
One of the world's fastest-growing global technology services provider.
9fin modifies product packaging in 10 minutes.
Cerbos helps Salesroom save over $1MM worth of developer time.
V2 AI is a leading Data & AI consultancy, using AI to accelerate advantage for some of the world’s largest brands.
People analytics platform: Fast track to the insights behind your people data.
Advanced malware and phishing analysis.
Leading search intelligence platform for the open web.
Logistics payments without the logistics.
Nook onboards 3x more users by implementing granular roles and permissions.
A react-based framework for building internal tools, rapidly.
Debite accelerates compliance certification and ships products faster.
Supy offers dynamic role management to their clients with Cerbos.
Loop secures air-gapped cash deposit machines with Cerbos.
Making the world a better place to work together.
Build and manage residential investment portfolios.
Securely manage application secrets and configurations.
A discussion-first platform without language issues.
Collaborative team design canvas that equips tech leaders to make smarter org design decisions.
The world's leading crypto finance house serving people, projects, protocols and institutions since 2011.
Utility Warehouse synchronizes authorization across 4,500 services and secures millions of NHIs.
One of the world's leading automobile manufacturers.
Flash eliminates authorization technical debt and doubles corporate card spending with Cerbos.
4G Capital saves a quarter-million dollars per year with Cerbos.
An employee experience that people love.
Creating a world where workplaces work better.
BarrierSystems integrates Cerbos into smart vehicle access gates, cutting internal costs by 15%.
Enabling all healthcare stakeholders to easily share information and work together.
Most secured and interactive NG911 cloud native communications platform for mission-critical contact centers.
The number 1 company in Italy to buy and sell.
Enhancing and accelerating the software development lifecycle.
Protecting user data with true end-to-end encryption.
The leading European analyst firm in identity and access management.
Modern and digital survey solutions for companies.
Complex (NTWRK) makes a complex access control system easy to manage with Cerbos.
The experts in medical imaging technology.
Making the world a better place to work together.
An early stage tech venture investor.
The collaborative platform to build conversational AI.
Human Managed creates a future-proof ABAC engine with Cerbos.
The fastest development platform.
Delivering innovative solutions to track and certify data and operations.
The leading contract creation and collaboration platform.
One of the world's fastest-growing global technology services provider.
9fin modifies product packaging in 10 minutes.
Cerbos helps Salesroom save over $1MM worth of developer time.
V2 AI is a leading Data & AI consultancy, using AI to accelerate advantage for some of the world’s largest brands.
People analytics platform: Fast track to the insights behind your people data.
Advanced malware and phishing analysis.
Leading search intelligence platform for the open web.
Logistics payments without the logistics.
Nook onboards 3x more users by implementing granular roles and permissions.
A react-based framework for building internal tools, rapidly.
Debite accelerates compliance certification and ships products faster.
Supy offers dynamic role management to their clients with Cerbos.
Loop secures air-gapped cash deposit machines with Cerbos.
Making the world a better place to work together.
Build and manage residential investment portfolios.
Securely manage application secrets and configurations.
A discussion-first platform without language issues.
Collaborative team design canvas that equips tech leaders to make smarter org design decisions.

Find out more

Features, benefits & use cases

Features, benefits & use cases

Fit Cerbos seamlessly into your tech stack

Playground

Playground

Prototype policies in your browser right now

Cerbos Hub

Cerbos Hub

Implement roles & permissions in your app

Speak to an engineer

Speak to an engineer

Book an intro call and learn more