Notifications
Clear all
Topic starter
09/06/2026 11:04 pm
TL;DR: The manual work of writing and testing authorization policies is being reduced by a new RBAC policy generator, an API request simulator, and live local PDP connectivity in Cerbos Hub Playground, according to Cerbos. The practical shift is faster iteration, but also a sharper need to separate development convenience from production governance.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should security teams test RBAC policies before production rollout?
A: Security teams should test RBAC policies by generating a draft policy, simulating realistic requests, and verifying both allow and deny outcomes before promotion.
Q: What breaks when authorization policy testing is too manual?
A: Manual policy testing usually breaks when teams cannot keep pace with policy edits, environment changes, and edge-case requests.
Q: How do you know if policy simulation is actually improving governance?
A: Policy simulation is working if teams can reproduce expected decisions quickly, explain why an access request was allowed or denied, and catch policy errors before deployment.
Practitioner guidance
- Treat playground policy generation as a draft state Use the RBAC wizard to create the first policy shape, then run a human review on role naming, action scope, and resource boundaries before the YAML enters any shared repository.
- Simulate edge-case requests before policy promotion Test principals with partial permissions, unusual resource combinations, and deny-by-default paths in the API request simulator so you can catch unexpected allow decisions early.
- Keep live PDP connectivity inside development controls Restrict connected PDP use to testing environments and pair it with managed CI/CD and audit logging when policies move toward production enforcement.
What's in the full announcement
Cerbos's full announcement covers the operational detail this post intentionally leaves for the source:
- Step-by-step usage flow for the RBAC policy generator, including the wizard inputs that populate YAML output.
- Interface guidance for the API request simulator, including how Check Resources and Query Plan Resources responses are displayed.
- The exact workflow for connecting a local PDP to the playground and validating changes in real time.
- The production boundary Cerbos draws between playground testing, managed CI/CD, and audit logging.
👉 Read Cerbos's announcement on Hub Playground policy testing features →
RBAC policy testing in Cerbos Hub Playground: what changes now?
Explore further
10/06/2026 1:16 am
Policy experimentation is becoming a governance control surface, not just a developer convenience. When teams can generate, simulate, and test authorization logic in one place, they are really compressing the time between access design and access validation. That compression matters across human IAM and machine access alike, because policy defects can now be found earlier, but also propagated faster if review discipline is weak. Practitioners should treat the playground as part of the governance workflow, not a side tool.
A few things that frame the scale:
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- 44% of developers are reported to follow security best practices for secrets management, which leaves a persistent behaviour gap between policy intent and operational practice.
A question worth separating out:
Q: What is the difference between a playground PDP and production enforcement?
A: A playground PDP is for development feedback and policy validation, while production enforcement is the live decision layer that governs real access. The first helps teams experiment and debug. The second must be versioned, audited, and controlled through formal change management so access decisions remain traceable and defensible.
👉 Read our full editorial: Cerbos Hub Playground reduces policy testing friction for RBAC teams
