Permify 1.0 Is Now Available: Build Fine-Grained Authorization With Ease
We have released the first major version (v1.0.0) of our open-source. This is an important milestone for us and would love to spread the mission we are on!
Building And Scaling Authorization Is Tough
Restricting who can access what under which conditions in your applications, also known as authorization, is a critical part of every software system.
Yet building and managing a stable and secure authorization system is hard in today's SaaS landspace.
Broken Access Control is the No. 1 common web application security risk, according to OWASP1.
Which is no big suprise when thinking the immense resource explosion in cloud-native environments, along with the ever-changing user and business requirements which affects shared data between applications.
Unfortunately, legacy and homegrown authorization systems fall short of meeting authorization requirements as the company grows.
Ad-hoc authorization systems scattered throughout your app's codebase are hard to manage, challenging to reason about, and difficult to iterate on.
Traditional authorization approaches like RBAC is not granular, not secure, and inefficient for creating resource-specific, hierarchical, and dynamic permissions.
Moreover, not only is the logic scattered, but the permission data is too.
Authorization data needed to determine whether a user has access can be stored in multiple services, making it hard to scale and lead to latency and performance issues.
Permify Makes It Easy for You to Build Authorization
We've created an open-source authorization service, Permify, helps engineering teams to build and manage authorization in a scalable, secure, and extendable manner.
For those new to the concept, Authorization-as-a-Service is a model that outsources your applications permission management to streamline authorization in a single place.
Here is the high-level design showing how the Permify service positions itself:
Beyond the clear advantage of saving extra development time, it also significantly enhances visibility, scalability, and flexibility within your authorization journey.
And today, we've released the first major version (v1.0.0) of Permify2.
With Permify, you can:
🧪 Centralize & Standardize Your Authorization: Abstract your authorization logic from your codebase and application logic to easily reason, test, and debug your authorization. Behave your authorization as a sole entity and move faster with in your core development.
Permify enables us to implement fine-grained access controls in our system and centrally understand and govern the authorization. Permify team listens to feedback and acts on it quickly. Interacting directly with the designers and engineers of the service helps us strengthen our understanding of the concept and refine our usage of the product" - Hongxiang Liu, Staff Software Engineer at sennder.
🔮 Build Granular Permissions For Any Case You Have: You can create granular (resource-specific, hierarchical, context aware, etc) permissions and policies using Permify's domain specific language that is compatible with RBAC, ReBAC and ABAC.
🔐 Set Authorization For Your Tenants By Default: Set up isolated authorization logic and custom permissions for your vendors/organizations (tenants) and manage them in a single place.
Permify has empowered our team at Dynamic Yield to implement precise access control and streamline our authorization processes. The team at Permify is incredibly responsive, taking our feedback seriously and helping us maximize the platform's potential." - Erez Weiss, Development Team Lead at Dynamic Yield.
🚀 Scale Your Authorization As You Wish: Achieve lightning-fast response times down to 10ms for access checks with a proven infrastructure inspired by Google Zanzibar, Google’s Consistent, Global Authorization System.
No doubt that centralized authorization service, Permify needs to be highly available and provide low latency.
We've giving consistent efforts improve our performance metrics.
Let me share some test results with you.
Access Checks: As Fast as Tens of Milliseconds
We're using following infrastructure for our tests, since our cloud operate on AWS its make sense to reflect.
- AWS general purpose class for Permify cluster
- AWS general purpose class for Postgres
- Grafana k6 for monitoring
Here is a sneak peak result from one of our tests, where we run 10 million relationships and over 10,000 requests per second (RPS).
Test Setup
| ID | RPS | Data | Server Instance | RDS |
|---|---|---|---|---|
| 3 | 10,000 | 10,000,000 | 2x c6a.2xlarge | Aurora serverless v2 8 vcpu x3 |
Results
| ID | Authorization Data | Cache Hit | STDDEV | P95 | P99 |
|---|---|---|---|---|---|
| 3 | 10,000,000 | 60% | 9.3ms | 10ms | 53ms |
The above image is from our Grafana dashboard showcasing the result of above test we ran.
Whats Next ?
Our journey begans roughly 2 years from now, we are so grateful to help engineering teams from startups to the Fortune 500 to fix their authorizations.
Here are things we plan to ship in near future,
- Self-service Permify Cloud: We offer a cloud product to our customers with private, hands-on assistance to meet their specific regulatory requirements and higher performance needs. We are continuing to work on our cloud product to launch it in a self-serve model in this quarter of 2024.
- Integration with Application Monitoring Tools: Understanding your authorization are among the main reasons to adopt the authorization-as-a-service model that we provide. Alongside our metrics and activity log dashboard in our cloud and on-prem products, we're improving our integrations with application monitoring tools such as Datadog and Prometheus to give more advanced view of how your authorization system perfom.
- New SDKs and tooling on the way: We're planning to add new Ruby, Rust, and C# SDKs alongside the current Permify SDKs, which include Java, Golang, Python, Node.js, and Typescript.
Additional Resources:
References
[1]: OWASP Top 10 Web Application Security Risks - 2021