Policy Decision Points

Cerbos Hub supports two types of policy decision points for making authorization decisions.

Service

The open source Cerbos server running as a service or sidecar within your infrastructure and connected to Cerbos Hub to automatically receive bundle updates. This is the most suitable option for the majority of authorization requirements and has benefits such as the query planner, full audit logging, centralised management and horizontal scalability.

Embedded

A self-contained snapshot of a policy set that can be embedded into any WebAssembly framework. Suitable for use cases where authorization decisions cannot be made over the network due to deployment constraints.

Table 1. Decision point feature matrix

| Feature | Description | Service | Embedded |
| --- | --- | --- | --- |
| Check permissions | Evaluate whether a given principal can perform a given action on a resource. | Yes | Yes |
| Query plan | Perform a partial evaluation of the policy to return the conditions to apply to a query so that it returns just the instances of a resource a principal has access to. | Yes | No |
| Audit logs | Audit logs capture access records and decisions made by the engine along with the associated context data. | Yes | No |
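
What "partial evaluation" means in the query plan row, as an added illustration (not Cerbos code, and not the format Cerbos returns): a toy evaluator substitutes the known principal attributes into a rule and keeps only the residual condition over resource attributes, which is then rendered as a parameterised SQL filter. The rule syntax, `resolve`, `plan`, `to_sql` and the sample `RULE` are assumptions made for this example.

```python
# Toy partial evaluator (added illustration; not Cerbos code or its plan format).
# Condition: ("eq", a, b) | ("and", c1, c2) | ("or", c1, c2).
# Operand: ("P", attr) principal attribute, ("R", attr) resource attribute, or a literal.

def resolve(term, principal):
    """Swap a ("P", attr) reference for its known value; keep anything else."""
    is_principal_ref = isinstance(term, tuple) and term[0] == "P"
    return principal[term[1]] if is_principal_ref else term

def plan(cond, principal):
    """Return True (allow), False (deny) or a residual over resource attributes."""
    op = cond[0]
    if op == "eq":
        lhs, rhs = resolve(cond[1], principal), resolve(cond[2], principal)
        if isinstance(lhs, tuple) or isinstance(rhs, tuple):
            return ("eq", lhs, rhs)      # depends on the resource: keep it
        return lhs == rhs                # fully known: decide now
    if op not in ("and", "or"):
        raise ValueError(f"unsupported operator: {op}")
    left, right = plan(cond[1], principal), plan(cond[2], principal)
    absorbing = op == "or"               # True absorbs OR, False absorbs AND
    if left is absorbing or right is absorbing:
        return absorbing
    if isinstance(left, bool) or isinstance(right, bool):
        return right if isinstance(left, bool) else left   # drop neutral element
    return (op, left, right)

def to_sql(node, columns):
    """Render a plan as a parameterised WHERE fragment; `columns` is an allow-list."""
    if isinstance(node, bool):
        return ("1=1" if node else "1=0"), []
    if node[0] == "eq":
        parts, params = [], []
        for term in node[1:]:
            if isinstance(term, tuple):
                if term[1] not in columns:
                    raise ValueError(f"unknown column: {term[1]}")
                parts.append(term[1])
            else:
                parts.append("?")
                params.append(term)
        return f"{parts[0]} = {parts[1]}", params
    (lsql, lp), (rsql, rp) = to_sql(node[1], columns), to_sql(node[2], columns)
    return f"({lsql} {node[0].upper()} {rsql})", lp + rp

# Constructed rule: admins see all; others see own documents in own department.
RULE = ("or", ("eq", ("P", "role"), "admin"),
        ("and", ("eq", ("R", "owner"), ("P", "id")),
                ("eq", ("R", "department"), ("P", "department"))))
```

A permission check needs a concrete resource to answer yes or no; the plan needs only the principal, so its result can be pushed into the data store as a filter instead of checking rows one at a time.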