I am building a small scale Learning management system which will have stuff like organizations, courses, assignments, etc... I was thinking about authz for the app with an action and data access scope model. Eg for various endpoints I'd check if the user has permission to perform certain actions and for data fetching, based on the data access scopes I'd put additional clauses in the queries to only fetch data that is allowed for the user. I came across this zanzibar concept for authz, watched a few of your videos and I think I understand on a high level how this works. I however feel at this point it'd be overkill for my app, as a matter of fact even this action based approach feels overkill but I wanted to avoid putting a lot of if else code in the service layer. Using this method I can kind of put all the permission based code in a seperate modul at least. I came here to seek some guidance. 1.) Would it be possible to move to spiceDB at a later point if the app becomes more complex? How would the tuples get created for the existing data? 2.) what do you think about this actions and access scopes approach? Please do suggest if there are other ways that would work better. I'm looking for something opensource. 3.) I'll use JWT for authentication, should I be fetching permissions for every request, I've read overloading JWT with permissions is not recommended

Hi, I understand the overkill concern. I would also say that's also how every application that succeeded invariably ended up with a messy authorization implementation because it quickly gets complex. But I get that as you are starting to build a product and quickly iterating and focusing on finding market fit, investing in an authorization service can could be perceived as getting in the way of shipping. In that sense, I'd like to understand in what ways you think this is overkill and how could we simplify it to better adjust to this point in time of the development of your product. To you actual questions > 1.) Would it be possible to move to spiceDB at a later point if the app becomes more complex? How would the tuples get created for the existing data? Yes, but it's a migration project, which follows the classic patterns for this. It's similar to a database migration. You'd need to put in place the logic to write to SpiceDB (whether that is dual writing, outbox pattern, event sourcing, durable workflows...) and then run a backfill migration that goes over all your data. > 2.) what do you think about this actions and access scopes approach? Please do suggest if there are other ways that would work better. I'm looking for something opensource. Could you perhaps give me an example? I think what you are suggesting is similar to model that SpiceDB encourages, and the scope I assume being stuff that comes in your JWT to make an authorization decisions. I think there is a lot of literature online on how to use JWTs with scopes for authorization, but also its limitations. We wrote about this in https://authzed.com/blog/pitfalls-of-jwt-authorization > 3.) I'll use JWT for authentication, should I be fetching permissions for every request, I've read overloading JWT with permissions is not recommended I can't comment much on this the answer is it depends. Scopes can be anything, you need to define their semantics from an authz pov

if i'm reading your third question correctly, the way that authz works in a system that uses both JWTs and something like SpiceDB is that the JWT is used only for authentication (identifying the user) and then you use SpiceDB to figure out authorization (what the user can do). you don't use the JWT scopes for authorization at all.