openfga VS permify

It’s 2025 y’all, time to retire that ancient, one-size-fits-all approach. OpenFGA gives you the flexibility to handle complex user relationships with elegance. Whether you’re cooking up the next Slack, managing external contractors, or just tired of editing roles for your friends named Bob, ReBAC can save you from permissions purgatory.

External Authorization System Using Policy engines like SpiceDB, OpenFGA, ORY Keto, OpenPolicy Agent (OPA), let you put your ReBAC rules in an external system and reference them from your queries. The main benefit you get from the centralized relationships model is it makes it possible to manage authorization centrally. This means that development teams can create new applications and add new relationships without needing to update any application code.

How does this compare to auth0's OpenFGA (based on Zanzibar)?

https://openfga.dev

This feels very much like OpenFGA[0]. I've been evaluating authorization tool for one of my side projects and honestly most tools feels like creating relationships in a graph-like database and querying to see if there is/isn't relationship between two entities. Is there more to this (besides the implementation details) or am I missing something from these tools?

[0] https://openfga.dev/

OpenFGA

OpenFGA is CNCF Sandbox authorization service inspired by Google Zanzibar

- https://authzed.com/spicedb/ - https://cerbos.dev/ - https://openfga.dev/ - https://www.permify.co/

Thanks for the answer. I played around with Keycloak for a bit and I saw that roles could be mapped as token claims, however for systems where you need fine grained access control (where roles are not enough) you need some other solution. One option could be to use an external authorization system. One such system could be OpenFGA https://openfga.dev/ that is based on Google Zanzibar https://research.google/pubs/pub48190/ research paper. This answer on SO is also helpful https://stackoverflow.com/a/75047064/10781180

For implementation we'll use Permify, an open source authorization service that enables developers to implement fine-grained access control scenarios easily.

┌────────────────────────────────────────────────────────┐ │ Permify v0.8.5 │ │ Fine-grained Authorization Service │ │ │ │ docs: ............... https://docs.permify.co │ │ github: .. https://github.com/Permify/permify │ │ blog: ............... https://permify.co/blog │ │ │ └────────────────────────────────────────────────────────┘ time=2024-03-22T14:59:09.851Z level=INFO msg="🚀 starting permify service..." time=2024-03-22T14:59:09.851Z level=ERROR msg="Account ID is not set. Please fill in the Account ID for better support. Get your Account ID from https://permify.co/account" time=2024-03-22T14:59:09.859Z level=INFO msg="🚀 grpc server successfully started: 3478" time=2024-03-22T14:59:09.859Z level=INFO msg="🚀 invoker grpc server successfully started: 5000" time=2024-03-22T14:59:09.867Z level=INFO msg="🚀 http server successfully started: 3476"

However, in this piece we're focusing on the PBAC model also known as Policy-Based Access Control and how it differentiates itself these from traditional access control models in terms of scalability, flexibility and security.

Hi I'm Karan, one of the maintainers of Permify (https://github.com/Permify/permify), an open source authorization service to build scalable authorization systems.

I want to share with you that we've built an AI assistant to help modeling your desired authorization logic! You can basically describe your authorization logic in Permify AI and it will generate the respective model and semantics accordingly. Think of it like ChatGPT for authorization modeling/policy generation.

Here's the project if you would like to play with it: https://ai.permify.co/.

Brief backstory:

Since authorization is generally a domain specific issue use cases vary widely - roles, relationships, attributes, hierarchies between business units, contextual permissions, etc.

To address this, we're offering a domain specific language that we built purely using golang to help model authorization logic programmatically. You can see what it looks like with sample examples in our playground: https://play.permify.co/

Although our domain specific language helps our users significantly, the general idea of policy generation is hard challenging if you have complex authorization logic and versatile permission requirements. Additionally, the flexibility of our modeling language allows for achieving the same policy/permissions through various approaches. But creating the best possible policy is crucial for several reasons including the performance of access checks, the readability of the authorization logic, visibility, and achieving least privilege, etc.

When we tallied up all those reasons, it hit us: using AI could really smooth out the policy generation process. It could not only reduce the engineering effort but also yield the best possible results. That's why we integrated Groq to make to create Permify AI!

Would love to get your feedback on this!

At that point consider exploring our solution, Permify. It's a Google Zanzibar-based open-source authorization service that helps to build scalable authorization systems.