Embedded Policy Decision Point

Exclusive to Cerbos Hub is the ability to generate self-contained policy bundles that can be embedded into any system that supports WebAssembly modules. This is a powerful solution for cases where authorization decisions have to be made locally on device or at the edge without access to a full-fledged Cerbos policy decision point. A common use case for embedded policies is to enable web applications to make decisions about which UI elements to render without making calls to a backend service.

Using an embedded policy decision point

The Cerbos Embedded JavaScript SDK is designed to work with the embedded PDPs generated by Cerbos Hub and exposes the same simple API for checking permissions.

To get started, install the package:

npm install @cerbos/embedded

import { Embedded as Cerbos } from "@cerbos/embedded";

// Obtain the URL to use from the Cerbos Hub decision points screen.
const cerbos = new Cerbos(fetch("https://lite.cerbos.cloud/bundle?workspace=...&label=..."));

// cerbos.checkResource() and related methods such as cerbos.isAllowed() can now be used to check permissions locally
await cerbos.isAllowed({
  principal: {
    id: "user@example.com",
    roles: ["USER"],
    attr: { tier: "PREMIUM" },
  },
  resource: {
    kind: "document",
    id: "1",
    attr: { owner: "user@example.com" },
  },
  action: "view",
}); // => true
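
For the UI-rendering use case described above, a helper can ask the embedded PDP about each action and treat any error (for example a bundle that failed to download) as a deny. This is an added example, not code from the Cerbos documentation; `renderableActions`, `stubPdp` and `demo` are hypothetical names, and the stub stands in for a loaded bundle so the code runs offline.

```javascript
// Added example. `client` is assumed to be any object exposing the isAllowed()
// method shown above, such as the Embedded client; renderableActions is hypothetical.
async function renderableActions(client, principal, resource, actions) {
  const results = await Promise.all(
    actions.map(async (action) => {
      try {
        // Only a strict boolean true counts as an allow.
        return (await client.isAllowed({ principal, resource, action })) === true;
      } catch (err) {
        // Bundle could not be downloaded or evaluated: fail closed, hide the element.
        return false;
      }
    })
  );
  return actions.filter((_, i) => results[i]);
}

// Constructed stand-in for a loaded bundle, so the example runs offline.
const stubPdp = {
  async isAllowed({ principal, resource, action }) {
    if (action === "view") return true;
    if (action === "edit") return resource.attr.owner === principal.id;
    throw new Error("simulated bundle load failure");
  },
};

function demo() {
  return renderableActions(
    stubPdp,
    { id: "user@example.com", roles: ["USER"], attr: { tier: "PREMIUM" } },
    { kind: "document", id: "1", attr: { owner: "user@example.com" } },
    ["view", "edit", "delete"]
  );
}

demo().then((shown) => console.log(shown));
```

The returned list only controls what is rendered; the service behind those UI elements still has to authorize each request itself.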