Scripts · April 18, 2026 · 1 min read

Permify — Open Source Fine-Grained Authorization Service

Permify is an open-source authorization service inspired by Google Zanzibar that lets you define and enforce fine-grained, relationship-based access control across your applications.

Introduction

Permify centralizes authorization logic into a dedicated service so applications do not need to embed permission checks in business code. Using a Zanzibar-inspired relationship model, it stores who can do what on which resource and answers permission queries via gRPC and REST APIs.

What Permify Does

  • Stores authorization relationships as tuples linking subjects to resources
  • Evaluates permission checks against a schema that defines relations and actions
  • Supports multi-tenancy with isolated schemas and data per tenant
  • Provides data filtering to list all resources a user can access
  • Offers client SDKs for Go, Node.js, Python, and Java

Architecture Overview

Permify runs as a single Go binary exposing gRPC and HTTP endpoints. Authorization schemas are written in a DSL and stored in the configured database. Relationship tuples are persisted in PostgreSQL. On a check request, Permify traverses the relation graph to resolve permissions, supporting union, intersection, and exclusion operations.

Self-Hosting & Configuration

  • Deploy via Docker, docker-compose, Helm chart, or native binary
  • Configure PostgreSQL as the datastore with PERMIFY_DATABASE_URI
  • Set up multi-tenancy by creating tenants through the management API
  • Enable caching with the built-in in-memory or Redis-backed cache
  • Monitor with Prometheus metrics exposed on the /metrics endpoint

Key Features

  • Schema DSL for defining entities, relations, and computed permissions
  • Multi-tenant architecture with per-tenant schema versioning
  • Subject filtering to answer "which resources can user X access?"
  • Snap tokens for consistent reads across distributed deployments
  • Validation and dry-run modes for testing schema changes before deployment
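To make the check resolution from the architecture overview (relation-graph traversal with union, tuple-to-userset and exclusion) and the subject-filtering feature concrete, here is an added toy resolver in Python; it is not Permify's own code. The schema, entity and relation names, sample tuples and the recursion limit are all constructed for illustration.

```python
# Toy Zanzibar-style check resolver (added example, not Permify's code).
# A tuple is (entity, relation, subject); a subject may be a subject set such as "org:acme#admin".
# Constructed schema as expression trees, mirroring a Permify-style DSL schema (hypothetical):
#   entity org { relation admin @user; relation member @user @org#admin }
#   entity doc { relation owner @user; relation org @org; relation blocked @user
#     permission edit = owner or org.admin
#     permission view = (owner or org.member) not blocked }
SCHEMA = {"doc": {
    "edit": ("or", ("rel", "owner"), ("via", "org", "admin")),
    "view": ("not", ("or", ("rel", "owner"), ("via", "org", "member")), ("rel", "blocked")),
}}

def check(entity, name, subject, tuples, depth=0):
    """Resolve permission or relation `name` on `entity` for `subject`."""
    if depth > 16:  # cycle guard for recursive subject sets (arbitrary limit)
        return False
    expr = SCHEMA.get(entity.split(":")[0], {}).get(name, ("rel", name))
    return evaluate(entity, expr, subject, tuples, depth)

def evaluate(entity, expr, subject, tuples, depth):
    op = expr[0]
    if op == "rel":  # direct tuple match, expanding subject sets recursively
        for ent, rel, subj in tuples:
            if ent != entity or rel != expr[1]:
                continue
            if subj == subject or ("#" in subj and check(*subj.split("#", 1), subject, tuples, depth + 1)):
                return True
        return False
    if op == "via":  # tuple-to-userset: org.admin = admin on any org linked to this entity
        _, rel, perm = expr
        return any(check(subj, perm, subject, tuples, depth + 1)
                   for ent, r, subj in tuples if ent == entity and r == rel and "#" not in subj)
    left = evaluate(entity, expr[1], subject, tuples, depth)    # union / intersection /
    right = evaluate(entity, expr[2], subject, tuples, depth)   # exclusion of two sub-expressions
    return {"or": left or right, "and": left and right, "not": left and not right}[op]

def lookup_entities(entity_type, perm, subject, tuples):
    """Data filtering: all entities of `entity_type` on which `subject` holds `perm`."""
    ids = sorted({e for e, _, _ in tuples if e.startswith(entity_type + ":")})
    return [e for e in ids if check(e, perm, subject, tuples)]

# Constructed sample tuples (not real data).
TUPLES = [
    ("doc:1", "owner", "user:alice"),
    ("doc:1", "org", "org:acme"),
    ("doc:1", "blocked", "user:carol"),
    ("doc:2", "org", "org:acme"),
    ("org:acme", "admin", "user:bob"),
    ("org:acme", "member", "org:acme#admin"),  # every admin is also a member
    ("org:acme", "member", "user:carol"),
]
```

Carol is a member of the org but explicitly blocked on doc:1, so the exclusion denies her `view` there while `lookup_entities` still returns doc:2 for her.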

Comparison with Similar Tools

  • SpiceDB — More mature Zanzibar implementation; Permify offers built-in multi-tenancy
  • Cerbos — Policy-as-code engine using YAML/JSON rules; Permify uses a relationship graph
  • Casbin — In-process library; Permify is a standalone networked service
  • Ory Keto — Early Zanzibar project with slower development; Permify is actively maintained

FAQ

Q: How is Permify different from an identity provider like Keycloak? A: Keycloak handles authentication (who are you). Permify handles authorization (what can you do). They complement each other.

Q: Does Permify scale horizontally? A: Yes. Permify is stateless and can be replicated behind a load balancer with PostgreSQL as the shared store.

Q: Can I migrate from Casbin or OPA? A: There is no automatic migration, but the Permify DSL can express RBAC and ReBAC models that those tools support.

Q: Is Permify free? A: The core service is open source under Apache 2.0. Permify Cloud is available as a managed option.
