Deployments

A deployment is a specific configuration of policy stores (such as 'production' or 'staging') that can be connected to a set of policy decision points (PDPs). Each change to the underlying store(s) triggers a new policy build, which is automatically delivered to the connected PDPs if the tests are successful.

Source agnostic inputs

Populate a policy store from any Git provider, CI system, API, CLI, or direct upload, so your existing workflows remain intact.

Multi-store composition

Reference multiple stores in a deployment to separate ownership, for example security team versus product team, or to blend static Git-managed policies with dynamic API-driven rules.

End-to-end automation

Building, testing, and distributing policies are fully managed by Cerbos Hub, giving you a consistent CI/CD-style pipeline for authorization without the need for extra infrastructure.

Strong versioning

Every deployment attempt is attached to a set of immutable policy store versions, making it easy to audit exactly which policies were in effect at any given point in time and to revert any changes if needed.

Deployment overview

Each deployment page provides several tabs to manage and monitor your policy pipeline:

Builds

View the history of deployed versions, showing which policy bundles have been active and when. Each build shows the contributing policy stores and their versions.

Policies

Browse the current policies included in this deployment and view their contents.

Decision points

See the PDPs currently connected to this deployment. Each PDP shows its ID, the build it’s running, active sessions, Cerbos version, when it was last seen, and a link to its audit logs.

Embedded PDP rules

Configure embedded policy decision points for this deployment. Each rule defines policy filtering criteria (resources, actions, scopes, roles, versions), authentication requirements, and IP allowlists. Multiple rules can serve different clients or environments from the same deployment.

Client credentials

Manage API credentials scoped to this deployment for PDP connections, audit log collection, and authenticated ePDP bundle access.

Settings

Configure deployment options including which policy stores contribute to builds.

Deployed versions

The Builds tab displays the history of policy bundles that have been deployed. Each row in the table shows:

Build reference

A unique identifier for the build. Click to view detailed information about the build including test results and bundle contents.

Active from

The timestamp when this build was activated and pushed to connected PDPs.

Active to

The timestamp when this build was replaced by a newer version, or a dash if it is the currently active build.

Included policies

The policy stores and specific versions that contributed to this build. This makes it easy to trace exactly which policies were in effect at any point in time.

Build life cycle

Whenever Cerbos Hub detects a change in any policy store connected to a deployment, it launches a new policy build.

  1. In progress: The policy build is queued and begins processing.

  2. Compilation: Policies from all contributing stores are compiled together. If compilation fails, the error is surfaced so you can diagnose it quickly.

  3. Test execution: After successful compilation, Cerbos Hub runs all policy tests found across the contributing stores. Failures are displayed with full logs for debugging.

  4. Bundle generation: When compilation and tests pass, the bundle is generated and all PDPs assigned to this deployment receive a push notification to download and activate the new bundle immediately.

Build details

Click on any build reference to view detailed information about that specific build.

Build summary

The top of the page displays key metrics at a glance:

  • Status: Whether the build succeeded or failed

  • Build completed: When the build finished

  • Build time: How long the build took to complete

  • Test results: Total tests run, passed, skipped, and failed

Compile and test stages

Expandable sections show the results of each build stage:

  • Compile: Shows whether policy compilation succeeded. Expand to see any compilation errors or warnings.

  • Test: Shows whether all policy tests passed. Expand to see detailed test results, including any failures with full output for debugging.

Bundle file explorer

The file explorer displays the contents of the generated policy bundle. Browse the directory structure organized by contributing policy store, and click any file to view its contents. This lets you verify exactly which policies were included in the bundle and inspect their contents without leaving Cerbos Hub.

Use the file explorer to:

  • Confirm the correct policy versions were bundled

  • Debug unexpected authorization behavior by examining the active policies

  • Audit which policies contributed to a specific deployment

For details on creating policy stores and connecting PDPs to receive bundles, see the related guides:

Best practices

Use meaningful names

Name deployments after their purpose, such as application, environment, or team. For example: payments-service-production.

Automate testing

Include comprehensive test cases with each policy store to catch regressions before they reach production PDPs.

Validate in staging

Use staging deployments to verify policy changes in a pre-production environment before promoting to production.
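
To illustrate the "Automate testing" practice and the test execution stage of a build, the following is an added example, not taken from the Cerbos documentation or any real policy store. It pairs a small resource policy with a test suite that pins down the deny cases as well as the allow cases. The expense resource, the principals and all attribute values are constructed for illustration, and the two YAML documents stand for two separate files in a policy store.

```yaml
# expense.yaml (constructed resource policy)
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: expense
  rules:
    - actions: ["view"]            # owners may view their own expenses
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          expr: request.resource.attr.ownerId == request.principal.id
    - actions: ["approve"]         # managers may approve, but never their own
      effect: EFFECT_ALLOW
      roles: ["manager"]
      condition:
        match:
          expr: request.resource.attr.ownerId != request.principal.id
---
# expense_test.yaml (constructed test suite; test file names end in _test)
name: ExpenseAccess
principals:
  alice: {id: alice, roles: ["user"]}
  carol: {id: carol, roles: ["user", "manager"]}
resources:
  alice_expense: {kind: expense, id: exp-1, attr: {ownerId: alice}}
  carol_expense: {kind: expense, id: exp-2, attr: {ownerId: carol}}
tests:
  - name: Owners view their own expenses; managers approve only others' expenses
    input:
      principals: ["alice", "carol"]
      resources: ["alice_expense", "carol_expense"]
      actions: ["view", "approve"]
    expected:
      - principal: alice
        resource: alice_expense
        actions: {view: EFFECT_ALLOW, approve: EFFECT_DENY}
      - principal: carol
        resource: alice_expense
        actions: {view: EFFECT_DENY, approve: EFFECT_ALLOW}
      - principal: carol           # self-approval must stay denied
        resource: carol_expense
        actions: {view: EFFECT_ALLOW, approve: EFFECT_DENY}
      - principal: alice           # non-owner, non-manager gets nothing
        resource: carol_expense
        actions: {view: EFFECT_DENY, approve: EFFECT_DENY}
```

If a later change removes the `!=` condition from the approve rule, the third expectation fails during test execution and the build does not produce a bundle, so connected PDPs keep running the previous build.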