# Confluent Cloud RBAC, policy migration, and rule diagnostics ## Create Confluent Cloud RBAC bindings through self-service Self-service applications targeting Confluent Cloud now create native RBAC role bindings instead of Kafka ACLs. Permissions appear directly in Confluent Cloud without manual role assignments. [Learn about self-service →](https://docs.conduktor.io/guide/conduktor-concepts/self-service) ![Confluent Cloud RBAC](https://www.conduktor.io/assets/images/releases/sep-2025-1.png) ## Migrate legacy topic policies to CEL Convert legacy topic policies to CEL-based resource policies. Migration creates new policies with descriptions of their origin. [Learn about Gateway policies →](https://docs.conduktor.io/guide/conduktor-in-production/admin/gw-policies) ## See exactly where and why rules fail Rule testing now highlights errors directly in the editor with the error path and reason. Hover over the icon to see what went wrong. ![Rule validation](https://www.conduktor.io/assets/images/releases/sep-2025-2.png) ## Add custom violation messages to rules Attach custom messages to rules so violations explain themselves. When a message fails, users see why in plain language. Example: Instead of "Schema validation failed," show "This event is missing the required `user_id` field." [Learn about data quality policies →](https://docs.conduktor.io/guide/conduktor-concepts/data-quality-policies) ## Handle different decryption failure types Conduktor Gateway now distinguishes between decryption error types: - **Retryable errors** (temporary KMS or Schema Registry outage): throttled rather than failing fast - **Fatal errors** (misconfiguration): flagged clearly, not lost in retries - **Key not found** (crypto-shredding): surfaced explicitly to distinguish recoverable vs permanent inaccessibility ## Download Partner Zone CA certificates directly Download the CA certificate directly from the Partner Zone page instead of navigating multiple screens to gather connection details. [Learn about Partner Zones →](https://docs.conduktor.io/guide/conduktor-concepts/partner-zones) --- For a full list of changes, read the [complete release notes](https://docs.conduktor.io/changelog/#console-1380).