
ABAC on SpiceDB: Enabling Netflix’s Complex Identity Types

Netflix sponsored the design and development of the first-ever attribute-based access control (ABAC) model in an open source Zanzibar-inspired permissions system: SpiceDB Caveats.

Netflix Engineering is always looking for security, ergonomic, and efficiency improvements, and this extends to authorization tools. While experimenting with Zanzibar approaches to authorization, Netflix found SpiceDB and used it to build a prototype for experimentation. The prototype uncovered the trade-offs required to implement Attribute-Based Access Control (ABAC) in SpiceDB, which made it poorly suited to Netflix’s core requirements for application identities. To address these shortcomings, the authorization team at Netflix sponsored work to add ABAC support to SpiceDB.

For a technical overview of the Caveats feature design process, read the blog post announcing the collaboration.

Sponsored Open Source Feature Development

With Netflix’s support, the AuthZed team pondered a Zanzibar-native approach to Attribute-Based Access Control. The requirements were captured and published as the caveated relationships proposal on GitHub for feedback from the SpiceDB community. The community’s excitement and interest became apparent through comments, reactions, and conversations on the AuthZed Discord server. Clearly, Netflix wasn’t the only one facing challenges when reconciling SpiceDB with policy-based approaches, so Netflix decided to help! By sponsoring the project, Netflix was able to help AuthZed prioritize engineering effort and accelerate adding the Caveats feature to SpiceDB.

SpiceDB Caveats

SpiceDB Caveats allow Netflix to write authorization policy that incorporates system attributes. Instead of requiring the entire state of the authorization world to be persisted as relations, a system can store relations and also supply identity attributes that are evaluated at authorization check time.
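As an added illustration (not schema from the original post or from Netflix’s deployment), this is what the combination described above looks like in SpiceDB’s schema language: a caveat is a CEL expression over named attributes, and a relation can require that caveat for its subjects. The caveat names, attributes and the account/user definitions are hypothetical.

```zed
// Hypothetical example schema; not the schema from the post.
// A caveat declares typed attributes and a CEL expression over them.
// The attributes are supplied in the CheckPermission request context,
// or stored alongside the relationship when it is written.
caveat mfa_verified(mfa_verified bool) {
  mfa_verified
}

caveat in_allowed_region(request_region string, allowed_regions list<string>) {
  request_region in allowed_regions
}

definition user {}

definition account {
  // Plain ReBAC: ownership is a stored relationship with no attributes.
  relation owner: user

  // ABAC on top of ReBAC: the relationship is still stored in SpiceDB,
  // but it only grants access when the caveat evaluates to true for the
  // attributes passed at check time.
  relation admin: user with mfa_verified

  // allowed_regions can be stored with the relationship at write time;
  // request_region is supplied per check, so one relationship covers every
  // region instead of materializing one relationship per region.
  relation auditor: user with in_allowed_region

  permission manage = owner + admin
  permission view = manage + auditor
}
```

A CheckPermission for account:acme#manage@user:bob that omits mfa_verified from its context does not return a plain denial: SpiceDB reports a conditional result and names the missing attribute, so callers can distinguish “no relationship” from “relationship exists, attributes not supplied”.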

Outcome

Netflix and AuthZed are both excited about the collaboration’s outcome. Netflix can employ another authorization tool, and SpiceDB users have another option for performing rich authorization checks. Bridging the gap between policy-based authorization and ReBAC is a powerful paradigm that is already benefiting companies looking to Zanzibar-based implementations to modernize their authorization stack.
