Why You Need To Outsource Authorization

In this article, we will take a closer look at Zanzibar by implementing some of its fundamentals.


Outsourcing micro-services is not the simplest decision to make for product teams. Especially when it comes to outsourcing a key piece of the product which software engineers built once but needed an improvement.

Founders and dev teams generally prefer to build these structures from scratch instead of outsourcing them.

But they usually end up with high development efforts with complex solutions that aren’t related to the core product.

And this means more “detour” that will take precious time away from building your core product features.

Although not every product is designed equal, and has different business needs. There are some parts which almost all B2B SaaS apps defacto offers; payments, authentication, access control…

And we’re living in a new era where status quo is changing. We are building more powerful software than ever before with more capabilities that brings more complexity. Thus focusing on the core product is a must.

But how do you focus on your core product, when there are dozens of side requirements. That’s where micro-services comes in. We’re more and more adopting the “focus on what you do best, and out source the rest.” mantra.

You need authentication? Great, setup Auth0, Magic etc… So, you need payments? Then you have Stripe. Or even for the search; integrate Algolia, and you have bullet-proof search.

But what about authorization? And that’s where I came into tell you, why you should outsource the access control just like other non-core parts of your business.

Because it wasn’t even clear for us how difficult and time consuming to solve this problem, until we tried to implementing role-based and attribute-based access control to dozens of projects we build.

And it’s evident for us now that it should be decoupled from your code. Let’s dive in!

Focus on your core product

For most of the businesses, authorization is not a core part of your product. But it’s the part which you need to consider in every step and iteration of product development. Especially, if you’re building a multi-tenant B2B SaaS app.

And you might think access control isn’t an important layer when it comes to building MVP. And probably you’re not wrong.

At that level, it's quite normal to build a simple authorization system which satisfies your MVP’s access control needs with a couple of roles.

However your product will eventually change, and further development needs to be done on your bare minimum authorization system because of different user needs and access management requirements.

That’s when the suffer comes in.

As more users and tenants are comes into your product, the simple role management solution which probably structured with a couple roles and simple permission table will fall short.

This will start to disturb your product development process. As your product scales, you’ll face the problem of not adding a simple feature to your product without considering the authorization mechanism.

Why? Because it's heavily dependent on the infrastructure of your core product. And you’ll end up creating patched solution which will mess up your code to only save the day.

Or you’ll spend serious time of the development effort will go to refactoring, testing, and changing the access control mechanism which will take away your attention from your core product.

Apart from which stage of your product is if you feel that current version of your authorization is inadequate and ou need a fine-grained access control mechanism.

So, simply don’t build it from starch, don’t try to reinvent the wheel, that’s not your core business and it probably slows down your whole product development process.

Instead just out-source your authorizations, just like your payment gateway. And How can you outsource it ? Actually it’s super simple.

We build a Plug-and-Play Authorization API called Permify which is a full stack solution that exactly solves this scalability problem and reduces unnecessary developer effort when implementing or maintaining access control.

Why do we build it ?

We have been building things for quite a while with my co-founders, and we have experienced this pain many times when our products needed to be scale up.

On early stage development of any product, we generally created a bare minimum system for authorization which satisfies our needs.

But we have seen that; as our products evolve, even adding a feature has become much more difficult because of the broken authorization mechanism.

Eventually we needed a new authorization mechanism and were starting to develop it.

And building a future proof and flexible access control is always seem to us overwhelming and tedious.

As a result, we created Permify and it gave us so much relief in the next product. We don't have to think about Authorization, it was an abstract entity. So, we can focus more on building the core product.

And it only took minutes to connect it to the whole application. Permify helps to implement authorization once and for all, instead of building it through weeks/months and maintaining the system on the way.

How it Works?

I want to show a simple before after code example to emphasize how Permify simplify things when checking authorization in anywhere:

Let's say you need to check the access for an action “show contact details”. Without Permify your if check would be something like below:

if (
   // if user is admin or super admin
   user.role === 'super_admin' ||
   user.role === 'admin' ||
   // if user is the contact itself
   user.id === contact.id ||
   // if user is HR department Manager
   user.role === 'manager' && user.department.id === hrDepartmant.id
) {
   //allow user to see contact details
}

If we would check same action with Permify, instead of the heavy loaded if statement we can replace it with a single call:

if (await isAuthorized(contact-show', '91', contact)) {
   //allow user to see contact details
}

Check out our solution. We are helping developers all-around the world from growing startups to large tech companies. You will be surprised at how easy it is to implement and use.

If you have any questions or doubts, feel free to ask them, you can find my email below.

ege@permify.co