Published at 4/2/2024
Categories: policy, abac, rbac
Author: alex-ac-r

10 free access control and permission management for modern web-app

There are different types of access control approaches:

  • ABAC - Attribute based access control.
  • DAC - Discretionary access control.
  • GBAC - Graph based access control.
  • MAC - Mandatory access control.
  • OrBAC - Organization based access control.
  • ReBAC - Relationship based access control.
  • RBAC - Role based access control.
  • RLS - Row level security (a PostgreSQL security feature).

Origins of permissions DAC/MAC/ACL: https://tailscale.com/blog/rbac-like-it-was-meant-to-be#getting-more-concrete-rbac-and-abac


We built our own ABAC solution in Node.js for the current CRUD tables, to restrict users and to create a team of teams. But we ran into an inability to manage access for other microservices, so we are looking for a solution that will not trap us in a monolithic architecture, so that we can develop our value proposition for end users in different programming languages.

It is very handy to deploy additional microservices and add custom actions at the frontend, but it requires splitting this resource for each user.

The current monolithic solution uses 4 tables to store each rule and offers convenient dropdowns: it parses the table of the picked resource and shows dropdowns to select the required column of the resource table while building an if statement.
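As an added example (not code from the post or from any of the tools listed below), here is the two-layer check that the access control models above and the post's rule tables describe: an RBAC grant table decides whether a role may perform an action on a table at all, and ABAC rules of the "resource / action / column / condition" shape scope that capability to individual rows. The table names, attributes and sample users are constructed for the illustration.

```typescript
// Added example, not code from the post: a deny-by-default decision function
// that layers ABAC rule rows ("for <table>/<action>, row.<column> must equal
// user.<attribute>") on top of an RBAC grant table. Names are assumed.

type Action = "read" | "update" | "delete";

interface User { id: string; roles: string[]; teamId: string; }
interface Row { table: string; ownerId: string; teamId: string; }

// RBAC layer: a role grants (table, action) capabilities.
const roleGrants: Record<string, { table: string; action: Action }[]> = {
  viewer: [{ table: "orders", action: "read" }],
  editor: [{ table: "orders", action: "read" }, { table: "orders", action: "update" }],
};

// ABAC layer: one rule row per (table, action, column, user attribute),
// the shape a resource/action/column dropdown builder would store.
interface AttributeRule { table: string; action: Action; column: keyof Row; userAttribute: keyof User; }

const attributeRules: AttributeRule[] = [
  // reads are limited to rows belonging to the user's own team
  { table: "orders", action: "read", column: "teamId", userAttribute: "teamId" },
  // updates are limited further, to rows the user owns
  { table: "orders", action: "update", column: "ownerId", userAttribute: "id" },
];

function rbacAllows(user: User, table: string, action: Action): boolean {
  return user.roles.some((role) =>
    (roleGrants[role] ?? []).some((g) => g.table === table && g.action === action));
}

// Every applicable rule must hold. With no rule for (table, action) the ABAC
// layer adds no restriction beyond the role grant.
function abacAllows(user: User, row: Row, action: Action): boolean {
  return attributeRules
    .filter((r) => r.table === row.table && r.action === action)
    .every((r) => String(row[r.column]) === String(user[r.userAttribute]));
}

function decide(user: User, row: Row, action: Action): "allow" | "deny" {
  if (!rbacAllows(user, row.table, action)) return "deny"; // no capability at all
  if (!abacAllows(user, row, action)) return "deny";       // capability, but wrong row
  return "allow";
}

// Row-level filtering: the same decision applied to a result set before it
// leaves the backend, which is what "limit resources per user" amounts to.
function visibleRows(user: User, rows: Row[], action: Action): Row[] {
  return rows.filter((row) => decide(user, row, action) === "allow");
}

// Constructed sample data.
const alice: User = { id: "u1", roles: ["editor"], teamId: "t1" };
const bob: User = { id: "u2", roles: ["viewer"], teamId: "t2" };
const ownOrder: Row = { table: "orders", ownerId: "u1", teamId: "t1" };
const teamOrder: Row = { table: "orders", ownerId: "u3", teamId: "t1" };
const otherTeamOrder: Row = { table: "orders", ownerId: "u2", teamId: "t2" };
const orders: Row[] = [ownOrder, teamOrder, otherTeamOrder];

console.log(decide(alice, ownOrder, "update"));        // allow
console.log(decide(alice, teamOrder, "update"));       // deny: not the owner
console.log(decide(bob, ownOrder, "read"));            // deny: other team
console.log(visibleRows(bob, orders, "read").length);  // 1
```

The point of keeping the two layers separate is that the RBAC table stays small and reviewable while the attribute rules are plain data rows, so both can be exported as code and evaluated by any backend that receives the same user attributes.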

GUI builder with dropdowns for resources, actions, table columns, etc.

Since the monolith has started to decentralize its own backend, we are looking for a permission control solution to limit resources per user.

Too bad that we wasted time developing our own ABAC solution that could not be refactored into a separate standalone service playing a gatekeeper role. So I did some research to find best practices and ended up with a list of access control management frameworks.

Requirements

  • Policy should be written as code for easy copy, paste and deploy
  • Centralized allow/deny/transform service for any backend or message broker
  • Open-source and self hosted
  • ?

Solutions

OpenFGA

https://openfga.dev/

https://openfga.dev/docs/

https://github.com/openfga/openfga

A high performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar

Topaz


https://www.topaz.sh/

https://github.com/aserto-dev/topaz

Product of Aserto company: https://www.aserto.com/

Topaz is an open-source authorization service providing fine-grained, real-time, policy-based access control for applications and APIs.

It uses the Open Policy Agent (OPA) as its decision engine, and provides a built-in directory that is inspired by the Google Zanzibar data model.

Ory Keto


Cloud based - https://www.ory.sh

Open Source - https://github.com/ory/keto

The cloud-based Ory offering appears to cover the entire AuthN/AuthZ space as a complete stack.

Open Source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models

RBAC with Ory Keto - https://gruchalski.com/posts/2021-05-15-rbac-with-ory-keto/
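OpenFGA, Topaz's directory, Ory Keto, Permify and SpiceDB all describe themselves as Zanzibar-inspired, so it helps to see what that model is. As an added example (a toy, not code from any of those projects or from the post), the checker below stores relation tuples of the form `object#relation@subject` and answers "does user U have relation R on object O" by walking the relation rewrites from the Zanzibar paper: direct tuples, computed usersets (editor implies viewer) and tuple-to-userset (viewers of the parent folder are viewers of the document). The schema, type names and tuples are constructed for the illustration.

```typescript
// Added example, not code from OpenFGA, Keto, Permify, SpiceDB or Topaz: a toy
// Zanzibar-style checker. A subject is either a user ("user:alice") or a
// userset ("group:eng#member"). Everything below is constructed.

interface Tuple { object: string; relation: string; subject: string; }

// Relation rewrites: direct tuples ("this"), a computed userset on the same
// object, and tuple-to-userset (follow <tupleset> to another object, then
// check <computedUserset> there).
type Rewrite =
  | { kind: "this" }
  | { kind: "computedUserset"; relation: string }
  | { kind: "tupleToUserset"; tupleset: string; computedUserset: string };

const schema: Record<string, Record<string, Rewrite[]>> = {
  folder: {
    owner: [{ kind: "this" }],
    viewer: [{ kind: "this" }, { kind: "computedUserset", relation: "owner" }],
  },
  document: {
    parent: [{ kind: "this" }],
    editor: [{ kind: "this" }],
    viewer: [
      { kind: "this" },
      { kind: "computedUserset", relation: "editor" },
      { kind: "tupleToUserset", tupleset: "parent", computedUserset: "viewer" },
    ],
  },
};

// Constructed relation tuples (object#relation@subject).
const tuples: Tuple[] = [
  { object: "folder:eng", relation: "owner", subject: "user:alice" },
  { object: "folder:eng", relation: "viewer", subject: "group:eng#member" },
  { object: "group:eng", relation: "member", subject: "user:bob" },
  { object: "document:roadmap", relation: "parent", subject: "folder:eng" },
  { object: "document:roadmap", relation: "editor", subject: "user:carol" },
];

const MAX_DEPTH = 16; // guard against cyclic userset graphs

function check(object: string, relation: string, user: string, depth = 0): boolean {
  if (depth > MAX_DEPTH) throw new Error(`relation graph deeper than ${MAX_DEPTH}`);
  const objectType = object.split(":")[0];
  // Types without a schema entry (e.g. group) have direct tuples only.
  const rewrites: Rewrite[] = schema[objectType]?.[relation] ?? [{ kind: "this" }];
  return rewrites.some((rw) => {
    if (rw.kind === "computedUserset") {
      return check(object, rw.relation, user, depth + 1);
    }
    if (rw.kind === "tupleToUserset") {
      return tuples
        .filter((t) => t.object === object && t.relation === rw.tupleset)
        .some((t) => check(t.subject, rw.computedUserset, user, depth + 1));
    }
    // "this": direct tuples; a userset subject is expanded recursively.
    return tuples
      .filter((t) => t.object === object && t.relation === relation)
      .some((t) => {
        if (t.subject === user) return true;
        const hash = t.subject.indexOf("#");
        if (hash === -1) return false; // some other plain subject
        return check(t.subject.slice(0, hash), t.subject.slice(hash + 1), user, depth + 1);
      });
  });
}

console.log(check("document:roadmap", "viewer", "user:alice")); // true, via parent folder owner
console.log(check("document:roadmap", "viewer", "user:bob"));   // true, via group membership
console.log(check("document:roadmap", "editor", "user:bob"));   // false
```

Two things worth noticing for the post's use case: the "team of teams" structure falls out of nesting usersets (a group whose member is another group's `#member`), and because every decision is a graph walk over data rather than an `if` statement compiled into one service, any microservice can ask the same question through an API. The depth guard matters in a real store, where a cycle in the tuples would otherwise recurse forever.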

Permify


https://github.com/Permify/permify

https://docs.permify.co/

Permify is an open-source authorization service for creating and managing fine-grained permissions in your applications and services. Inspired by Google's consistent, global authorization system, Google Zanzibar.

Our goal is to make Google's Zanzibar available to everyone and help them build robust, flexible, and easily auditable authorization systems that perform well in scaled environments.

Pros:

Cerbos

https://www.cerbos.dev/

https://github.com/cerbos/cerbos

Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage by writing context-aware access control policies for your application resources.

Zenstack


https://zenstack.dev/

https://github.com/zenstackhq/zenstack

TypeScript toolkit on top of Prisma ORM, offering flexible and declarative access control policy (authorization/permission) for RBAC/ABAC/PBAC/ReBAC with auto-generated type-safe APIs and frontend hooks.

ZenStack OSS project is built above the Prisma ORM, and one of its focuses is to add access control capability.

References

Casbin

https://casbin.org/uk/

https://github.com/casbin/casbin

An authorization library that supports access control models like ACL, RBAC, ABAC for any popular language

Supabase

Supabase RLS rules are based on PostgreSQL RLS.

SpiceDB

https://github.com/authzed/spicedb

SpiceDB is an open source authorization system originally inspired by Google's Zanzibar paper.

OSO

https://github.com/osohq/oso

They deprecated their open-source project and support only the cloud solution for now.
