Real-World Authorization Lessons with OpenFGA? I’d Love to Hear Them

Are you using OpenFGA or another Google Zanzibar-inspired authorization engine in the wild—not just for a side project or proof of concept, but in a production environment with real users and systems? If so, I’d love to learn from your experience. My Interest: I’m currently working on a centralized authorization system prototype based on OpenFGA. The design is aiming to support fine-grained, relationship-based access control (ReBAC) for multiple business units—each with its own data domain, developer team, and authorization needs. ...

May 5, 2025 · 2 min · joshuapsteele

Authorization, Continued: Experimenting with OpenFGA, Topaz, and Permify

As I mentioned in my previous post, “Devs, Let’s Talk Authorization!”, I’m working on a new, exploratory work project related to authorization. Specifically, we’re gathering authorization requirements from various orgs across our company and building 1-3 proofs-of-concept of a centralized, fine-grained approach to authorization. Right now, each org handles authorization in its own, usually coarse-grained and role-based way. Clarify Current Requirements: The first thing I did was gather and clarify my org’s current authorization model/requirements. We’re heavily role-and-permission-based when it comes to authorization, with a touch of attribute-based access control mixed in (to make sure that, for example, a user can only view resources related to their company, and not other companies). So, RBAC (role-based access control) with a bit of ABAC (attribute-based access control). ...

March 7, 2025 · 5 min · joshuapsteele

Devs! Let's Talk Authorization

Calling all software developers! As I embark on a new, exploratory work project, I’d like to hear your thoughts on authorization. How have you designed and implemented authorization in your applications? To get into the weeds a bit, have you opted for RBAC (Role-Based Access Control), ABAC (Attribute-Based Access Control), ReBAC (Relationship-Based Access Control), or something else entirely? What tools or libraries have you found most useful in your work? Have you built everything from scratch, or have you relied on existing frameworks? Open source or commercial solutions? ...

January 23, 2025 · 1 min · joshuapsteele