Authorization, Continued: Experimenting with OpenFGA, Topaz, and Permify
As I mentioned in my previous post, “Devs, Let’s Talk Authorization!”, I’m working on a new, exploratory work project related to authorization. Specifically, we’re gathering authorization requirements from various orgs across our company and building 1-3 proofs-of-concept of a centralized, fine-grained approach to authorization. Right now, each org handles authorization in its own, usually coarse-grained and role-based, way.

Clarify Current Requirements

The first thing I did was gather and clarify my org’s current authorization model and requirements. We’re heavily role-and-permission-based when it comes to authorization, with a touch of attribute-based access control mixed in (to make sure that, for example, a user can only view resources related to their company, and not other companies). So, RBAC (role-based access control) with a bit of ABAC (attribute-based access control). ...
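To make the "RBAC with a bit of ABAC" model above concrete, here is an added example (my own illustration, not code from the post or from OpenFGA, Topaz or Permify) of a policy decision function that layers the company-attribute check on top of role permissions. The role table, users and resources are constructed sample data; the deny reasons are there so a centralized service could log why a cross-company request was refused.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed sample role model: role -> set of permitted actions.
ROLE_PERMISSIONS = {
    "viewer": {"resource:view"},
    "editor": {"resource:view", "resource:edit"},
    "admin": {"resource:view", "resource:edit", "resource:delete"},
}


@dataclass(frozen=True)
class User:
    id: str
    company_id: str          # the attribute used for ABAC scoping
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    id: str
    company_id: str          # owning company of the resource


def role_grants(user: User, action: str) -> bool:
    """Pure RBAC: does any of the user's roles permit this action?"""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def decide(user: User, action: str, resource: Resource) -> Tuple[bool, str]:
    """RBAC + ABAC decision. Returns (allowed, reason) so denials are auditable.

    The role check alone is not enough: a 'viewer' at company A must not be
    able to view company B's resources, so the company attribute must match.
    """
    if not role_grants(user, action):
        return False, f"deny: no role of {user.id} grants {action}"
    if user.company_id != resource.company_id:
        return False, (f"deny: {user.id} belongs to {user.company_id}, "
                       f"resource {resource.id} belongs to {resource.company_id}")
    return True, f"allow: {user.id} may {action} {resource.id}"


if __name__ == "__main__":
    # Constructed sample principals and resources.
    alice = User("alice", "acme", frozenset({"viewer"}))
    bob = User("bob", "globex", frozenset({"admin"}))
    acme_report = Resource("report-1", "acme")
    print(decide(alice, "resource:view", acme_report)[1])   # allowed: same company
    print(decide(bob, "resource:view", acme_report)[1])     # denied: admin, wrong company
    print(decide(alice, "resource:edit", acme_report)[1])   # denied: viewer lacks edit
```

Note that `bob` holds the most powerful role yet is still denied: the attribute check is what enforces tenant isolation, which a pure role model cannot express.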