Ory Keto VS permify

One of Ory’s core competencies is permissions. We built the first Google Zanzibar implementation in the world and it’s part of Ory Network‘s global multi-region platform (https://github.com/ory/keto)

A push model is also valid if you’re heavy on policies and can accept eventual consistency. We will investigate how to generally push things to the edge (like we did with Ory Edge Sessions) or to cryptographic verification wherever staleness is acceptable.

By solving the primitives correctly in the beginning (with a multi region architecture) that job does become a lot easier, which is what we decided doing at Ory :)

slightly off-topic, but related to what ory is doing in general. How do you usually do authorization-aware search?

Imagine, I have a bunch of Google docs and using https://github.com/ory/keto for authorization. I can quickly answer the question "does user X have access to document Y", but it is not easy to do "search all documents with word Hello in it, for which I have access" because access can be granted through nested groups (give read access to everyone in DepartmentA, and I am part of child department)

if you want to integrate an existing framework see if https://github.com/ory/keto solves your problems, there are similiar frameworks that support ABAC

Shameless plug for Ory Keto, probably the best reference implementation IMO https://github.com/ory/keto

Looks cool, wonder how it compares to Keto and Casbin.

How does Warrant compare to other Zanzibar based solutions like Ory Keto ?https://github.com/ory/keto

Interesting to see another project open sourced around Google Zanzibar. On a timeline for context:

- Ory came out first with Ory Keto ( https://github.com/ory/keto ) which is trying to be a close adaptation of the paper. Initially, many concepts were missing but they are making a lot of progress with the DSL and it interfaces with the rest of Ory (OAuth2, User Mangement)

- Authzed came out as a SaaS only, open sorucing the code base later on at https://github.com/authzed/spicedb

- Auth0 has been playing around with Zanzibar concepts in various forms and published a beta service at https://dashboard.fga.dev - apparently now also open source parts of it similar to what Authzed did: https://github.com/openfga

- Permify - who on a side note spammed me quite a lot with outreach because I was active in these communities - joins as well https://github.com/Permify/permify

It's exciting to see so much movement, yet also sad that so many companies are brewing their own beer instead of working collaborative on the more succesful projects. Feels like we'll just end up with one or two successful projects (looking at Ory / Auth0 here) with the rest perishing. I'm wondering if there truly is a business model for just this permission system as a saas service (looks like this is what everyone is going with). Here I'm giving Auth0 probably the biggest plus as they have an established identity service. Then again, Okta (parent of Auth0) and Auth0 themselves are not particularly known for good business practices that we usually expect from developer tooling.

What's refreshing though with Permify is that they are trying a bit of a different approach to Zanzibar!

Er, Ory Keto is written in Go.

However, in this piece we're focusing on the PBAC model also known as Policy-Based Access Control and how it differentiates itself these from traditional access control models in terms of scalability, flexibility and security.

Hi I'm Karan, one of the maintainers of Permify (https://github.com/Permify/permify), an open source authorization service to build scalable authorization systems.

I want to share with you that we've built an AI assistant to help modeling your desired authorization logic! You can basically describe your authorization logic in Permify AI and it will generate the respective model and semantics accordingly. Think of it like ChatGPT for authorization modeling/policy generation.

Here's the project if you would like to play with it: https://ai.permify.co/.

Brief backstory:

Since authorization is generally a domain specific issue use cases vary widely - roles, relationships, attributes, hierarchies between business units, contextual permissions, etc.

To address this, we're offering a domain specific language that we built purely using golang to help model authorization logic programmatically. You can see what it looks like with sample examples in our playground: https://play.permify.co/

Although our domain specific language helps our users significantly, the general idea of policy generation is hard challenging if you have complex authorization logic and versatile permission requirements. Additionally, the flexibility of our modeling language allows for achieving the same policy/permissions through various approaches. But creating the best possible policy is crucial for several reasons including the performance of access checks, the readability of the authorization logic, visibility, and achieving least privilege, etc.

When we tallied up all those reasons, it hit us: using AI could really smooth out the policy generation process. It could not only reduce the engineering effort but also yield the best possible results. That's why we integrated Groq to make to create Permify AI!

Would love to get your feedback on this!

At that point consider exploring our solution, Permify. It's a Google Zanzibar-based open-source authorization service that helps to build scalable authorization systems.

Additional to shifts from large tech companies, ReBAC based solutions increased over the time. We're also one of them, building an open source authorization service that builds its core on top of ReBAC and Google Zanzibar.

Permify is an open-source service for creating and managing complex permissions in applications, inspired by Google Zanzibar. It offers a flexible authorization language compatible with various models like RBAC, ReBAC, and ABAC, and allows for efficient authorization data management in preferred databases. Permify's API facilitates access checks, resource filtering, and bulk permission analyses. It also includes comprehensive testing tools for authorization logic, including scenario-based testing and policy coverage analysis. Additionally, Permify supports multi-tenancy, enabling distinct authorization models for different applications within a single instance.

As Permify we're building open source authorization infrastructure to build fine grained authorization systems at scale. Would love to learn your use case and help you to build robust authorization systems. Don't hesitate to reach us from our Discord Channel!

I’m one of the maintainers of the OSS project Permify (https://github.com/Permify/permify), an open-source authorization service inspired by Google Zanzibar, which is the global authorization system used at Google to handle authorization for hundreds of its services and products, including YouTube, Drive, Calendar, Cloud, and Maps.

Hi folks,

I’m one of the maintainers and co-founder of the Go OSS project Permify (https://github.com/Permify/permify), an open-source authorization infrastructure inspired by Google Zanzibar.

I would like to share a post where we aimed to provide a brief overview of how we integrated WASM with Golang to provide a richer user experience in our open-source playground. You can use the playground to create and test any authorization logic in a browser.

The playground has three main sections:

Schema: to model your authorization logic through our domanin specific language we built.

Data: to create sample authorization data according to the model for use in tests.

Enforcement: to test your authorization structure bt access check scenarios.

Here's the post if you're interested: https://www.permify.co/post/wasm-go/

And here's the playground: https://play.permify.co/

Appreciate your time!