Call for Insights: Fine-Grained Authorization Needs
Hello everyone,
We're currently focusing on the growing need for fine-grained authorization among our customers. We've observed an increasing demand for more granular control over access to avoid potential security risks associated with providing users with overly broad permissions.
To better understand your specific use cases and needs in this area, and to explore how Zitadel can best address them, we'd love to hear from you. We are particularly interested in learning about:
- Specific scenarios where fine-grained authorization is critical for your organization.
- The challenges you currently face with managing access control.
- Your ideal requirements and expectations for a fine-grained authorization solution.
- Any existing tools or methods you are currently using or evaluating.
- Any regulations or compliance requirements that influence your authorization needs.
If you're interested in discussing your experiences and providing valuable feedback on fine-grained authorization, please book a call with me using the following link, or share your insights below in this thread: https://calendar.app.google/5aF3BSXLDZY1udoE7
When booking, please specify that you'd like to discuss Fine-Grained Authorization. Your input is greatly appreciated and will be instrumental in shaping how Zitadel can empower you with more precise and secure access control.
Thank you!
7 Replies
Not got time to book a call but I can throw a vote behind the fact we had to use openFGA for authz because of the need to do hierarchical relationship based authorization decisions.
It’s worked well so far but having to run openFGA ourselves and having zitadel cloud running happily for us has been a pain point from an ops overhead perspective.
Hi @spicypixel, thanks for your input. Could you elaborate a bit more on the specific use cases regarding hierarchical relationship-based authorization decisions?
Also, if Zitadel would eventually offer native support for this hierarchical approach, would you consider switching from openFGA to potentially reduce operational overhead? Or, given that you've already implemented your current solution with openFGA, would you likely stick with it?
Any insights you could share would be greatly appreciated!
Sure
So in our system we have clients (orgs in zitadel land), teams and users.
Documents can be uploaded to our software with a varied matrix of permissions, like Google Docs: either read/write for the user only, optionally additional write for the team, and additionally the org always has read but no write options on documents, so if a member of staff leaves, the org still owns this document in our system.
Very simplified view of course, but it wouldn't be possible, as far as I can tell, to have the granular control over which documents in our system are editable and which aren't on a per-document basis.
We do utilise role-based access control from Zitadel to give people the documents role as a sort of global access point into the system, but from there it's handed off into openfga for the granular read, write and delete access controls on entities in the system.
As to your question about migration, we would need the ReBAC model openfga supports to be able to migrate.
But since the system is just an auth model for the rules and a lot of tuples in a database for the state, depending on how it’s implemented it wouldn’t be too hard to migrate fully.
Obviously it would be basically trivial if you operated your own openfga instance embedded in zitadel else it would take careful consideration to map any auth models we already have into any new system.
https://openfga.dev/docs/authorization-concepts#what-is-relationship-based-access-control
basically the Google Zanzibar model
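The per-document model described in the reply above (owner read/write, optional team write, org always read, and the org keeping access when a staff member leaves), as an added toy Zanzibar-style checker in Python. This is constructed example code, not OpenFGA's engine or Zitadel code; the relation names and the sample users, team and org are made up.

```python
# Toy Zanzibar-style relationship checker for the thread's document model
# (constructed example; not OpenFGA's engine or Zitadel code).
MODEL = {  # relation -> other relations on the same object that imply it
    "document": {
        "owner": [],                      # direct: user:<id>
        "editor_team": [],                # direct: team:<id>#member userset
        "org": [],                        # direct: org:<id>#member userset
        "writer": ["owner", "editor_team"],
        "reader": ["writer", "org"],      # the org can always read
    },
    "team": {"member": []}, "org": {"member": []},
}

class RelationStore:
    def __init__(self, tuples):
        self.tuples = set(tuples)         # (object, relation, subject)

    def check(self, user, relation, obj, depth=0):
        """True if `user` has `relation` on `obj`, following usersets."""
        if depth > 8:                     # bound recursion on bad models
            return False
        for o, r, subject in self.tuples:
            if (o, r) != (obj, relation):
                continue
            if subject == user:
                return True
            if "#" in subject:            # userset, e.g. team:legal#member
                sub_obj, sub_rel = subject.split("#", 1)
                if self.check(user, sub_rel, sub_obj, depth + 1):
                    return True
        implied = MODEL.get(obj.split(":", 1)[0], {}).get(relation, [])
        return any(self.check(user, rel, obj, depth + 1) for rel in implied)

    def remove_subject(self, subject):
        # Staff member leaves: drop every tuple naming them directly.
        self.tuples = {t for t in self.tuples if t[2] != subject}

def build_store():
    # Constructed sample state: one org, one team, two documents.
    return RelationStore([
        ("org:acme", "member", "user:alice"),
        ("org:acme", "member", "user:bob"),
        ("org:acme", "member", "user:carol"),
        ("team:legal", "member", "user:bob"),
        ("document:contract", "owner", "user:alice"),
        ("document:contract", "editor_team", "team:legal#member"),
        ("document:contract", "org", "org:acme#member"),
        ("document:memo", "owner", "user:carol"),  # no team write granted
        ("document:memo", "org", "org:acme#member"),
    ])
```

Each `check` call walks the tuples plus the rewrite rules, which is why a real deployment issues many authorization checks per request, as the later reply about traffic patterns notes.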
Thanks for all the insights, this is really helpful. 😃
Thanks for your input, do you already use one of those tools in combination with Zitadel?
One thing I'll point out though is we'd be dead in the water with Zitadel Cloud's API usage limits. Just glancing at my openfga Istio stats, we're hammering our install with hundreds of requests a second as a soft baseline and thousands in peak times, since by the nature of fine-grained authz you do lots of checks, sometimes multiple checks per endpoint, on nearly all our authorised endpoints.
So I'd be mindful of the traffic pattern side of this debate. Any of the Zanzibar-inspired solutions sound good to me (with a soft preference for the one I'm using) on a technical level, but it'll be all for nought if the usage limits are not usable.