Introducing: Fine-Grained Access Management

April 27, 2023|4 min read

The systems we build at AuthZed are the direct result of feedback from our community and customers. Because security is the core of our flagship product, SpiceDB, we take feedback on this topic very seriously. We’ve heard you, and today we’re proud to introduce a better way to secure AuthZed customers’ client applications accessing the SpiceDB API: Fine-Grained Access Management (FGAM).

It’s part art and part science when deciding to stamp a commercial product as ready for production. We initially launched our commercial products with very basic API key management to gather market feedback and prioritize future development. Thanks to our customers’ input ❤️, it became clear that they needed far more control over what exactly API keys could access in SpiceDB. FGAM is available now for SpiceDB Dedicated and SpiceDB Self-Hosted customers creating Permissions Systems with SpiceDB 1.19.0 or newer. 🚀

A screenshot of the Authzed Console showing the SpiceDB Permissions System creation page with Fine-Grained Access Management enabled

Why Fine-Grained Access Management is Important

Mature engineering organizations typically enforce the principle of least privilege: each client will have access to the minimum set of APIs needed for it to perform its operations. For example, a client updating a SpiceDB Schema as part of a continuous integration and delivery pipeline would have the minimum required permission of WriteSchema while other production services are restricted to common read-only APIs such as CheckPermission, LookupResources, and LookupSubjects.

The benefit here is huge for security: in the event that a bad actor gains access to one of your systems, Fine-Grained Access Management to the SpiceDB API will limit their capabilities.

FGAM for your FGAM—SpiceDB! 😎

Because SpiceDB itself is designed to provide Fine-Grained Access Management, it was our first choice for securing the SpiceDB API. That’s right, we eat our own dog food: SpiceDB powers Fine-Grained Access Management (FGAM) for our customers’ SpiceDB Permissions Systems! 🤯

Using SpiceDB lets us take the principle of least privilege a step further. Method-level Fine-Grained Access Management on the SpiceDB API would have been enough for most users, but it is insufficient where users also want to enforce policy based on runtime context, for example allowing API calls only during specific time frames or only from specific IP ranges. Pairing permissions with context lets you limit access further. Here are some examples:

  • Only allow CheckPermission API calls for a specific subject and/or resource type
  • Only allow WriteRelationship permissions over a subset of Schema relations
  • Filter certain elements from a streaming API
  • Only allow changes to a restricted subset of a SpiceDB Schema
  • Only allow an API call if a CheckPermission for a SpiceDB instance returns allowed (API meta-permissions! 🤯)

Our solution offers a familiar RBAC-like paradigm seen in cloud providers' IAM products. You can create Service Accounts to represent your workloads, Roles with permissions and conditions to access one or more API methods, and Policies that bind a role to a principal.

An animation showing the process of creating a Service Account through the AuthZed Console

The star of the show is SpiceDB, which allowed us to create a schema that captures all those IAM concepts seamlessly and supports policy conditions with SpiceDB Caveats. Caveats are type-safe and compiled at runtime for blazing-fast dynamic enforcement! ⚡
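To make the Service Account / Role / Policy model and the caveat-based conditions above concrete (including the least-privilege split between a schema-writing CI client and read-only production services), here is a constructed SpiceDB schema written for this post. It is an illustrative example, not AuthZed's actual FGAM schema: every definition, relation, caveat and permission name is an assumption, and the `service_account:*` wildcard plus intersection pattern is one common way to model role bindings in SpiceDB.

```zed
// Constructed example: modelling access to the SpiceDB API itself in SpiceDB.
// Names are illustrative and are not the real FGAM schema.

// Condition: the caller's IP must lie inside the CIDR stored on the binding.
// `ipaddress` and `in_cidr` are SpiceDB caveat built-ins; `client_ip` is passed
// as caveat context on each CheckPermission call made by the API gateway.
caveat within_ip_range(client_ip ipaddress, allowed_cidr string) {
    client_ip.in_cidr(allowed_cidr)
}

// Condition: the call must arrive inside a time window stored on the binding.
// `now` is supplied as context by the caller (e.g. the gateway), not by SpiceDB.
caveat within_time_window(now timestamp, not_before timestamp, not_after timestamp) {
    now >= not_before && now < not_after
}

// One identity per workload that holds an API key.
definition service_account {}

// A role is a set of API methods. A method relation holds the wildcard
// `service_account:*` when the role grants that method and nothing otherwise.
definition role {
    relation check_permission: service_account:*
    relation lookup_resources: service_account:*
    relation lookup_subjects: service_account:*
    relation write_schema: service_account:*
    relation write_relationships: service_account:*
}

// A policy binds one service account to one role, optionally under a caveat.
definition policy {
    relation service_account: service_account | service_account with within_ip_range | service_account with within_time_window
    relation role: role

    // The caller must be the bound account AND the role must grant the method.
    // Because the left side is caveated, the caveat is evaluated on every check.
    permission check_permission = service_account & role->check_permission
    permission lookup_resources = service_account & role->lookup_resources
    permission lookup_subjects = service_account & role->lookup_subjects
    permission write_schema = service_account & role->write_schema
    permission write_relationships = service_account & role->write_relationships
}

// The Permissions System is the protected resource. Before forwarding a request,
// the gateway asks e.g. "may service_account:ci call write_schema on permissions_system:prod?".
definition permissions_system {
    relation policy: policy
    permission check_permission = policy->check_permission
    permission lookup_resources = policy->lookup_resources
    permission lookup_subjects = policy->lookup_subjects
    permission write_schema = policy->write_schema
    permission write_relationships = policy->write_relationships
}
```

With this schema, a least-privilege setup from the example above is a handful of relationships (constructed sample data): `role:schema-writer#write_schema@service_account:*` and `role:reader#check_permission@service_account:*` (plus the two lookup methods) define the roles; `policy:ci-deploy#role@role:schema-writer` and `policy:ci-deploy#service_account@service_account:ci[within_ip_range:{"allowed_cidr":"10.0.0.0/8"}]` bind the CI account to the schema-writing role only from the build network; and `permissions_system:prod#policy@policy:ci-deploy` attaches the binding to the Permissions System. A check for `write_schema` by `service_account:ci` then passes only when the gateway supplies a `client_ip` inside `10.0.0.0/8`; a check by a production service bound only to `role:reader` is denied outright. One caveat worth building into the gateway: if a check is made without the caveat's context, SpiceDB reports the result as conditional rather than allowed, and the gateway should treat that as a denial.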

A screenshot of the AuthZed Console showing the creation of a new Role with permissions and conditions

Try out FGAM today! ⭐

You can enable FGAM today for new SpiceDB Permissions Systems using SpiceDB v1.19.0 and up. For help getting started, check out the Fine-Grained Access Management Documentation. For support, reach out to us on the AuthZed Discord, via a shared Slack channel, or support@authzed.com.
