
Cedar

Cedar is a policy language and authorization framework (identity and access management) for expressing and evaluating fine-grained access control decisions in applications and systems.

  • Policy language with its own permit/forbid statement syntax, plus an equivalent JSON representation, for fine-grained authorization (identity and access management)
  • Logical model of principals, actions, resources, and context attributes, with an entity hierarchy for group and container membership (policy-based access control)
  • Policy evaluation engine for determining allow/deny decisions at runtime (authorization engine)
  • Formal semantics and security-focused design with support for verification and analysis (security and compliance)
  • Embeddable libraries and tooling for integrating authorization into services and applications (application security)

More About Cedar

Cedar is a domain-specific policy language and authorization framework (identity and access management) designed to express fine-grained access control decisions in software systems. It defines a structured way to describe which principals can perform which actions on which resources under which contextual conditions, enabling application developers and platform teams to externalize authorization logic from business code.

At the core of Cedar is its policy model (policy-based access control), which operates on four main concepts: principals, actions, resources, and context. Principals represent users, services, or other actors; actions represent operations such as read, write, or custom business operations; resources represent protected entities such as records, documents, or domain objects; and context captures additional attributes such as time, environment, or request metadata. Principals, actions, and resources are typed entities that can carry attributes and can be arranged in a hierarchy (a user in a group, a document in a folder), which policies test with the in operator. Policies are written in Cedar's own syntax, not in JSON: each policy is a permit or forbid statement that names the principal, action, and resource scope it applies to and adds optional when and unless conditions over entity attributes and the request context. A JSON representation of the same policy structure exists for tooling that prefers to generate or store policies as structured data.

The Cedar authorization engine (authorization runtime) evaluates policies against incoming authorization requests. A request includes the principal, action, resource, and context, together with the entity data (attributes and hierarchy) the policies refer to, and the engine computes an allow or deny decision based on the loaded policies. The decision rule is simple and deliberately fail-closed: a request is allowed only if at least one permit policy matches it and no forbid policy matches it; a matching forbid always overrides any permit, and a request that no policy permits is denied by default. The engine also reports which policies determined the decision, which is useful for audit logs and for debugging policy sets. The language supports Attribute-Based Access Control (ABAC) through attribute conditions and role- or group-based patterns through the entity hierarchy, without being tied to any specific Identity Provider (IdP) or storage model. Cedar's design focuses on deterministic evaluation and a clear semantics, which supports reasoning about policy behavior.
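The decision rule described above, worked through on a small example. This is an added illustration, not Cedar's engine and not code from the Cedar project: it is a compact Python model of the documented semantics (forbid overrides permit, default deny, transitive `in` over the entity hierarchy, and a policy whose condition errors is skipped and reported rather than matched). Real Cedar policies are written in Cedar syntax; the Cedar equivalent of each modelled policy is shown in a comment next to it. All entities, policies, and requests are constructed here for the example.

```python
"""Model of Cedar's authorization decision procedure (added illustration).

Not Cedar's engine: a hand-written model of the documented decision rule.
Each policy below carries its Cedar-syntax equivalent in a comment.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass(frozen=True)
class Uid:                      # entity identifier, Cedar's Type::"id" shape
    type: str
    id: str

@dataclass
class Entity:
    uid: Uid
    attrs: dict = field(default_factory=dict)
    parents: set = field(default_factory=set)   # direct parents only

class Entities:
    def __init__(self, entities):
        self.by_uid = {e.uid: e for e in entities}
    def ancestors(self, uid):
        """Transitive closure of the parent relation; Cedar's `in` is transitive."""
        seen, stack = set(), [uid]
        while stack:
            ent = self.by_uid.get(stack.pop())
            for p in (ent.parents if ent else ()):
                if p not in seen:
                    seen.add(p); stack.append(p)
        return seen
    def is_in(self, uid, ancestor):
        return uid == ancestor or ancestor in self.ancestors(uid)
    def attr(self, uid, name):          # KeyError models Cedar's missing-attribute error
        return self.by_uid[uid].attrs[name]

@dataclass
class Request:
    principal: Uid
    action: Uid
    resource: Uid
    context: dict

@dataclass
class Policy:
    id: str
    effect: str                         # "permit" or "forbid"
    principal: Optional[tuple] = None   # None = any; ("==", uid) or ("in", uid | [uids])
    action: Optional[tuple] = None
    resource: Optional[tuple] = None
    when: Callable[[Request, Entities], bool] = lambda r, e: True

def scope_matches(constraint, uid, entities):
    if constraint is None:
        return True
    op, target = constraint
    if op == "==":
        return uid == target
    targets = target if isinstance(target, list) else [target]
    return any(entities.is_in(uid, t) for t in targets)

def policy_matches(p, req, entities):
    return (scope_matches(p.principal, req.principal, entities)
            and scope_matches(p.action, req.action, entities)
            and scope_matches(p.resource, req.resource, entities)
            and p.when(req, entities))

def is_authorized(req, policies, entities):
    """Forbid wins over permit; no matching permit means Deny (default deny)."""
    reason, errors = {"permit": [], "forbid": []}, []
    for p in policies:
        try:
            if policy_matches(p, req, entities):
                reason[p.effect].append(p.id)
        except (KeyError, TypeError) as exc:   # erroring policy never matches, but is reported
            errors.append(f"{p.id}: {exc!r}")
    if reason["forbid"]:
        return {"decision": "Deny", "reason": reason["forbid"], "errors": errors}
    if reason["permit"]:
        return {"decision": "Allow", "reason": reason["permit"], "errors": errors}
    return {"decision": "Deny", "reason": [], "errors": errors}

def build_demo():
    """Constructed sample entities and policies (hypothetical, for this example)."""
    G = lambda i: Uid("UserGroup", i); A = lambda i: Uid("Action", i)
    shared = Uid("Folder", "shared")
    entities = Entities([
        Entity(Uid("User", "alice"), parents={G("staff")}),
        Entity(Uid("User", "bob"), parents={G("staff"), G("cleared")}),
        Entity(Uid("Document", "q3-report"), {"classification": "public"}, {shared}),
        Entity(Uid("Document", "payroll"), {"classification": "restricted"}, {shared}),
    ])
    policies = [
        # permit(principal in UserGroup::"staff", action in [Action::"view", Action::"comment"],
        #        resource in Folder::"shared") when { context.mfa == true };
        Policy("staff-read", "permit", principal=("in", G("staff")),
               action=("in", [A("view"), A("comment")]), resource=("in", shared),
               when=lambda r, e: r.context["mfa"] == True),
        # forbid(principal, action, resource)
        #   when { resource.classification == "restricted" && !(principal in UserGroup::"cleared") };
        Policy("restricted-needs-clearance", "forbid",
               when=lambda r, e: e.attr(r.resource, "classification") == "restricted"
               and not e.is_in(r.principal, G("cleared"))),
    ]
    return policies, entities

def decide(principal, action, resource, context):
    policies, entities = build_demo()
    req = Request(Uid("User", principal), Uid("Action", action), Uid("Document", resource), context)
    return is_authorized(req, policies, entities)

if __name__ == "__main__":
    for args in [("alice", "view", "q3-report", {"mfa": True}),
                 ("alice", "view", "payroll", {"mfa": True}),
                 ("bob", "view", "payroll", {"mfa": True}),
                 ("alice", "view", "q3-report", {})]:
        print(args, "->", decide(*args))
```

Two things worth noticing in the output: alice's request for the restricted payroll document is denied even though the staff-read permit matches it, because the forbid policy takes precedence; and a request with no mfa attribute in its context is denied with the permit policy listed under errors rather than under reason, since a condition that cannot be evaluated never grants access.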

Cedar provides embeddable libraries and tooling (application security) intended to be integrated into services, APIs, and backend systems; the reference implementation is a Rust library, with bindings for other runtimes. Engineering teams can centralize authorization logic in a shared set of Cedar policies while still running evaluators close to the workloads that need them, so that every service applies the same rules without a network round trip for each decision. The language structure and data model are designed for cloud-native and microservices architectures, where services need consistent, auditable access-control rules.

The project documentation describes a formal semantics for the language (formal methods) and emphasizes properties such as safety and analyzability. Concretely, the language has no loops, recursion, or side effects, so every evaluation terminates and has no effect beyond the decision; a validator can check a policy set against a schema that declares the entity types, their attributes, and the actions that apply to them, catching typos and type mismatches before deployment; and the implementation is tested against a formal model of the semantics. Together these allow policies to be statically analyzed, tested, or reviewed for correctness and least-privilege design. Cedar fits into broader enterprise security architectures as an authorization layer that composes with authentication providers, secrets management, and audit logging solutions, and it is listed in directories under identity and access management, policy-based access control, and application security tooling.