OPA to Cerbos migration: what changes for application access control?

TL;DR: Application-specific authorization is presented as a shift from general-purpose policy evaluation to clearer policy locality, schema validation, derived roles, and structured outputs to reduce brittle rules and simplify migration, according to Cerbos. The governance lesson is that app authorization breaks down when policy logic is too general, too distributed, or too hard for teams to test consistently.

NHIMG editorial — based on content published by Cerbos: migrating application authorization from OPA and Rego to Cerbos

Questions worth separating out

Q: How should teams migrate application authorization from OPA without breaking access decisions?

A: Use shadow mode first.

Q: Why do resource-centric authorization policies improve governance?

A: Resource-centric policies make access rules easier to find, review, and audit because the logic for one protected object lives in one place.

Q: What breaks when authorization rules depend on inconsistent input data?

A: Rules become unreliable because the engine may evaluate missing, malformed, or differently named attributes in different ways across applications.

Practitioner guidance

• Standardise authorization around resources Group rules by protected resource, then define the small set of actions and conditions that apply to each one.
• Introduce schema validation for policy inputs Define principal and resource schemas before migration so inconsistent attributes are caught before evaluation.
• Run parallel decision testing before cutover Execute OPA and the new authorization engine side by side, log allow and deny outcomes, and reconcile mismatches before enforcing the new path.

What's in the full article

Cerbos' full guide covers the operational detail this post intentionally leaves for the source:

• Step-by-step Rego-to-Cerbos translation patterns for role-based, attribute-based, and contextual access rules.
• SDK-level integration examples showing how the decision call is constructed in an application.
• A phased migration sequence with shadow mode, audit mode, feature flags, and progressive cutover.
• Practical handling of complex Rego logic, inconsistent inputs, and embedded business rules that must be refactored.

👉 Read Cerbos' guide to migrating application authorization from OPA to Cerbos →

OPA to Cerbos migration: what changes for application access control?

Explore further

View Full Forum →  |  NHI Foundation Course →