Deployments

A deployment is a specific configuration of policy stores (such as 'production' or 'staging') that can be connected to a set of PDPs. Each new change to the underlying store(s) results in a new policy build that’s automatically delivered to the policy decision points (PDPs) if the tests are successful.

Source agnostic inputs

Populate a policy store from any Git provider, CI system, API, CLI, or direct upload, so your existing workflows remain intact.

Multi-store composition

Reference multiple stores in a deployment to separate ownership, for example security team versus product team, or to blend static Git-managed policies with dynamic API-driven rules.

End-to-end automation

Building, testing, and distribution of policies is fully managed by Cerbos Hub, giving you a consistent CI/CD style pipeline for authorization without the need for extra infrastructure.

Strong versioning

Every deployment attempt is attached to a set of immutable policy store versions, making it easy to audit exactly which policies were in effect at any given point in time and to revert any changes if needed.

Deployment overview

Each deployment page provides several tabs to manage and monitor your policy pipeline:

Builds

View the history of deployed versions, showing which policy bundles have been active and when. Each build shows the contributing policy stores and their versions.

Policies

Browse the current policies included in this deployment and view their contents.

Decision points

See the PDPs currently connected to this deployment. Each PDP shows its ID, the build it’s running, active sessions, Cerbos version, when it was last seen, and a link to its audit logs.

Embedded PDP rules

Configure embedded policy decision points for this deployment. Each rule defines policy filtering criteria (resources, actions, scopes, roles, versions), authentication requirements, and IP allowlists. Multiple rules can serve different clients or environments from the same deployment.

Client credentials

Manage API credentials scoped to this deployment for PDP connections, audit log collection, and authenticated ePDP bundle access.

Settings

Configure deployment options including which policy stores contribute to builds.

Deployed versions

The Builds tab displays the history of policy bundles that have been deployed. Each row in the table shows:

Build reference

A unique identifier for the build. Click to view detailed information about the build including test results and bundle contents.

Active from

The timestamp when this build was activated and pushed to connected PDPs.

Active to

The timestamp when this build was replaced by a newer version, or a dash if it is the currently active build.

Included policies

The policy stores and specific versions that contributed to this build. This makes it easy to trace exactly which policies were in effect at any point in time.

Browsing policies

The Policies tab shows the policies included in the deployment’s current build. A Source / Effect matrix toggle at the top of the tab switches between two ways of viewing them.

Source view

The source view lists the policy files in the bundle and lets you open any file to read its contents exactly as it was compiled. Use the bundle selector to switch between builds when you need to inspect an earlier version.

Effect matrix view

The effect matrix presents a resource’s permissions as a grid instead of as policy source. You choose the resource, policy version, and scope to view, and roles and actions are laid out on the axes, with each cell showing the effect that applies to that role-and-action combination in the compiled bundle:

Allow

The action is permitted for the role.

Deny

The action is denied for the role.

Conditional

The effect depends on a condition that is evaluated at request time against the principal and resource attributes.

This gives you an at-a-glance view of a resource’s effective permissions without reading through every policy file, which is useful for reviewing changes and explaining access to others.

Cells also indicate where a wildcard rule widens a match. A rule written against * or a pattern such as foo:* can apply to more specific actions or roles, and the matrix flags the cells that are influenced by such a rule so the broader grant is visible rather than hidden. This is an indication of which rules match a cell, not a full partial evaluation of the policy.

Derived roles and the custom roles defined by role policies each appear as their own rows rather than being folded into the roles they build on. A role policy narrows access rather than granting it, allowing an action only when it is permitted by both the role policy and a matching resource policy rule.

To focus on part of a large matrix, filter by role or action, and select a cell to drill into the underlying rules — including any conditions — that produce its effect.

Limitations

The matrix highlights the rules that match each cell rather than fully evaluating the policy, so keep these limitations in mind when reading it:

Scope

Effects reflect the selected scope only. Because scoped policies can override the effects defined higher in the scope hierarchy, switch scopes to review each one in turn.

Derived roles

Derived role rules are shown only in their own cells. They are not reflected in the cells of the parent roles they extend.

Custom roles

Role policy rules are shown only in their own cells. They are not reflected in the other cells whose effects they restrict.

Build life cycle

Whenever Cerbos Hub detects a change in any policy store connected to a deployment, it launches a new policy build.

  1. In progress: The policy build is queued and begins processing.

  2. Compilation: Policies from all contributing stores are compiled together. If compilation fails, the error is surfaced so you can diagnose it quickly.

  3. Test execution: After successful compilation, Cerbos Hub runs all policy tests found across the contributing stores. Failures are displayed with full logs for debugging.

  4. Bundle generation: When compilation and tests pass, the bundle is generated and all PDPs assigned to this deployment receive a push notification to download and activate the new bundle immediately.

Build details

Click on any build reference to view detailed information about that specific build.

Build summary

The top of the page displays key metrics at a glance:

  • Status: Whether the build succeeded or failed

  • Build completed: When the build finished

  • Build time: How long the build took to complete

  • Test results: Total tests run, passed, skipped, and failed

Compile and test stages

Expandable sections show the results of each build stage:

  • Compile: Shows whether policy compilation succeeded. Expand to see any compilation errors or warnings.

  • Test: Shows whether all policy tests passed. Expand to see detailed test results, including any failures with full output for debugging.

Bundle file explorer

The file explorer displays the contents of the generated policy bundle. Browse the directory structure organized by contributing policy store, and click any file to view its contents. This lets you verify exactly which policies were included in the bundle and inspect their contents without leaving Cerbos Hub.

Use the file explorer to:

  • Confirm the correct policy versions were bundled

  • Debug unexpected authorization behavior by examining the active policies

  • Audit which policies contributed to a specific deployment

For details on creating policy stores and connecting PDPs to receive bundles, see the related guides:

Best practices

Use meaningful names

Name deployments after their purpose such as application, environment, or team, for example payments-service-production.

Automate testing

Include comprehensive test cases with each policy store to catch regressions before they reach production PDPs.

Validate in staging

Use staging deployments to verify policy changes in a pre-production environment before promoting to production.