Our great sponsors
-
spicedb
Open Source, Google Zanzibar-inspired permissions database to enable fine-grained access control for customer applications
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
As someone working on the most popular Zanzibar implementation[0], I think this article is a pretty good introduction to the idea that both policy engines and ReBAC databases have their use cases, but it doesn't offer great recommendations for what those use cases are. The example in this article used to recommend policy engines where you'd want to apply global roles is a common pattern we've seen for schemas in SpiceDB.
I use the following as my "rule of thumb": ReBAC databases want to have deterministic computation for your permissions. In the default case, this should be your ideal as well as it is the most understandable/testable/auditable/debuggable. But reality is that there will be places where you'll want _some_ non-determinism and in those scenarios have policy engines.
The SpiceDB community is exploring what it might take to support adding lightweight policies to the Zanzibar-like model to have the best of both worlds. If that sounds interesting, you can participate in the proposal[1].
[0]: https://github.com/authzed/spicedb
[1]: https://github.com/authzed/spicedb/issues/386
Related posts
- OPA vs. Google Zanzibar: A Brief Comparison
- OpenFGA: A high performance and flexible authorization/permission engine
-
warrant VS openfga - a user suggested alternative
2 projects | 15 Aug 2023
-
OPA (Open Policy Agent) VS topaz - a user suggested alternative
2 projects | 25 Jul 2023
- Feature flags and authorization abstract the same concept