authz-as-a-service
# spicedbk
kameshraj
01/03/2023, 4:40 PMauthz-as-a-service
kameshraj
01/03/2023, 4:40 PMMy company has multiple products, and we are using Auth0 for authentication (CIAM). I want to use SpiceDB and provide authorization-as-a-service for all products in the company. I want to define policies to avoid products (teams) stepping on each other.
* Each team defines its authorization models and manages them.
* To enforce policy-as-code, I want teams to define their authorization models in GitHub and have a GitHubAction lint, test, and sync with SpiceDB.
* Restrict team-B updating team-A's authorization model (maybe through GitHub owners).
Allow products to cross-check relationships (product-A can check permission on product-B)
* Restrict who can query for permission or relationships
Are these possible? Any recommendations/suggestions?
Thanks
j
Joey
01/03/2023, 4:45 PMCurrently possible:
1) you can have each team define their model as a schema file, but you'll need to have a custom process for combining them (for now; we have a proposal to provide tooling for this)
2) https://github.com/authzed/action-spicedb-validate can be used to validate the combined schema in GitHub Action
3) restriction you can do via OWNERS
4) Once they are all combined, everyone will be able to access all the permissions
5) Restrict who can query is coming as a paid feature this year on SpiceDB Dedicated and SpiceDB Enterprise
k
kameshraj
01/03/2023, 4:49 PMThanks for the fast response. Any pointer for #1 tool to merge schema files?
j
Joey
01/03/2023, 5:07 PMnothing concrete as of yet; there is an issue for it: https://github.com/authzed/spicedb/issues/497
Joey
01/03/2023, 5:07 PMbut for now, you could just append the schemas together