This documentation is for a previous version of Cerbos. Choose 0.34.0 from the version picker at the top right or navigate to https://docs.cerbos.dev for the latest version.
Cerbos policies have a `version` field to support use cases such as having different policies for different environments (production, staging etc.) or for gradual rollout of a new version of an application. By default, when a request does not explicitly specify the policy version, the Cerbos engine attempts to find a matching policy that has its version set to `default`. You can change this fallback value by setting the `defaultPolicyVersion`. For example, if you have a Cerbos deployment for your staging environment, you may want to set `defaultPolicyVersion: staging` to ensure that the default policies in effect are the ones versioned as
Global variables are a way to pass environment-specific information to policy conditions. For example, you might want to grant additional permissions to a role in your staging environment, without creating separate policy versions for different environments.
Values set in `globals` can then be referenced in policy conditions:
expr: globals.environment != "production"
As with other configuration settings, environment variables can be used to set global values.
When working with scopes, the default behaviour of the Cerbos engine is to expect that a policy file exists for the requested scope. For example, if the API request defines `a.b.c` as the `scope`, a policy file must exist in the policy repository with the `a.b.c` scope. This behaviour can be overridden by setting the `lenientScopeSearch` configuration to `true`. When lenient scope search is enabled, if a policy with scope `a.b.c` does not exist in the store, Cerbos will attempt to find scopes `a.b`, `a` and `` in that order.
This setting only affects how Cerbos treats missing leaf scopes when searching for policies. The policies stored in your policy store must have unbroken scope chains (for example, if you have a scoped policy `a.b.c` in the store, the policy files for scopes `a.b`, `a` and `` must also exist).
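The lookup order and the unbroken-chain requirement described above, modelled as an added example (not Cerbos source code). It assumes the policy store can be represented as a set of scope strings; the function names are hypothetical. It is useful for checking which policy scope a request would actually be evaluated under when lenient scope search is on.

```python
# Added illustration: a model of the documented behaviour, not Cerbos code.
# Assumption: the policy store is represented as a set of scope strings.

def scope_chain(scope):
    """Return the scope and its ancestors, most specific first, ending at ""."""
    parts = scope.split(".") if scope else []
    return [".".join(parts[:i]) for i in range(len(parts), -1, -1)]

def resolve_scope(store, requested, lenient=False):
    """Return the scope whose policy would be used, or None if none matches."""
    if requested in store:
        return requested
    if not lenient:
        return None  # default behaviour: the requested scope must exist
    for candidate in scope_chain(requested)[1:]:
        if candidate in store:
            return candidate  # first existing ancestor wins
    return None

def broken_chains(store):
    """Map each stored scope to the ancestors missing from the store."""
    report = {}
    for scope in sorted(store):
        missing = [a for a in scope_chain(scope)[1:] if a not in store]
        if missing:
            report[scope] = missing
    return report

if __name__ == "__main__":
    store = {"", "a", "a.b"}  # constructed sample store, no a.b.c policy
    print("strict :", resolve_scope(store, "a.b.c"))
    print("lenient:", resolve_scope(store, "a.b.c", lenient=True))
    # A store that violates the unbroken-chain requirement:
    print("broken :", broken_chains({"", "a.b.c"}))
```

Running `broken_chains` over the scopes in a policy repository before deployment flags stores that do not meet the unbroken-chain requirement.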