# Permify — Open Source Fine-Grained Authorization Service

> Permify is an open-source authorization service inspired by Google Zanzibar that lets you define and enforce fine-grained, relationship-based access control across your applications.

## Quick Use

```bash
# Start Permify: REST API on 3476, gRPC on 3478
docker run -d -p 3476:3476 -p 3478:3478 ghcr.io/permify/permify serve

# Write schema
curl -X POST http://localhost:3476/v1/tenants/t1/schemas/write \
  -H 'Content-Type: application/json' \
  -d '{"schema":"entity user {}\nentity document {\n relation viewer @user\n action view = viewer\n}"}'
```

## Introduction

Permify centralizes authorization logic into a dedicated service so applications do not need to embed permission checks in business code. Using a Zanzibar-inspired relationship model, it stores who can do what on which resource and answers permission queries via gRPC and REST APIs.

## What Permify Does

- Stores authorization relationships as tuples linking subjects to resources
- Evaluates permission checks against a schema that defines relations and actions
- Supports multi-tenancy with isolated schemas and data per tenant
- Provides data filtering to list all resources a user can access
- Offers client SDKs for Go, Node.js, Python, and Java

## Architecture Overview

Permify runs as a single Go binary exposing gRPC and HTTP endpoints. Authorization schemas are written in a DSL and stored in the configured database. Relationship tuples are persisted in PostgreSQL. On a check request, Permify traverses the relation graph to resolve permissions, supporting union, intersection, and exclusion operations.

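The check resolution described under Architecture Overview, as an added example that is not Permify's code: a toy Python evaluator over constructed tuples, with a hypothetical expression-tree schema standing in for the DSL. It shows union, intersection, exclusion, tenant scoping of every lookup, and a depth bound on traversal.

```python
# Toy relationship-graph check (added illustration, not Permify's implementation).
# Tuple layout: (tenant, resource, relation, subject). All data below is constructed.
TUPLES = {
    ("t1", "organization:acme", "member", "user:alice"),
    ("t1", "organization:acme", "member", "user:bob"),
    ("t1", "organization:acme", "member", "user:carol"),
    ("t1", "document:1", "org", "organization:acme"),
    ("t1", "document:1", "owner", "user:carol"),
    ("t1", "document:1", "banned", "user:bob"),
    ("t2", "document:1", "owner", "user:mallory"),  # same resource id, other tenant
}

# Hypothetical schema written as expression trees instead of the Permify DSL.
ORG_MEMBER = ("walk", "org", "member")  # follow `org`, then check `member` there
SCHEMA = {
    "document": {
        "view": ("exclude", ("union", ("rel", "owner"), ORG_MEMBER), ("rel", "banned")),
        "edit": ("intersect", ("rel", "owner"), ORG_MEMBER),
    },
}

def check(tenant, resource, action, subject, depth=8):
    """True if `subject` may perform `action` on `resource` inside `tenant`."""
    if depth == 0:  # bound the traversal so cyclic tuples cannot recurse forever
        return False
    entity_type = resource.split(":", 1)[0]
    # Names with no action defined are treated as plain relations (deny without a tuple).
    expr = SCHEMA.get(entity_type, {}).get(action, ("rel", action))
    return _eval(expr, tenant, resource, subject, depth)

def _eval(expr, tenant, resource, subject, depth):
    op = expr[0]
    if op == "rel":  # direct tuple lookup, always scoped to the tenant
        return (tenant, resource, expr[1], subject) in TUPLES
    if op == "walk":
        parents = [s for (t, res, rel, s) in TUPLES
                   if (t, res, rel) == (tenant, resource, expr[1])]
        return any(check(tenant, p, expr[2], subject, depth - 1) for p in parents)
    left = _eval(expr[1], tenant, resource, subject, depth)
    right = _eval(expr[2], tenant, resource, subject, depth)
    if op == "union":
        return left or right
    if op == "intersect":
        return left and right
    if op == "exclude":
        return left and not right
    raise ValueError(f"unknown operator: {op}")
```
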
## Self-Hosting & Configuration

- Deploy via Docker, docker-compose, Helm chart, or native binary
- Configure PostgreSQL as the datastore with `PERMIFY_DATABASE_URI`
- Set up multi-tenancy by creating tenants through the management API
- Enable caching with the built-in in-memory or Redis-backed cache
- Monitor with Prometheus metrics exposed on the `/metrics` endpoint

## Key Features

- Schema DSL for defining entities, relations, and computed permissions
- Multi-tenant architecture with per-tenant schema versioning
- Subject filtering to answer "which resources can user X access?"
- Snap tokens for consistent reads across distributed deployments
- Validation and dry-run modes for testing schema changes before deployment

## Comparison with Similar Tools

- **SpiceDB** — More mature Zanzibar implementation; Permify offers built-in multi-tenancy
- **Cerbos** — Policy-as-code engine using YAML/JSON rules; Permify uses a relationship graph
- **Casbin** — In-process library; Permify is a standalone networked service
- **Ory Keto** — Early Zanzibar project with slower development; Permify is actively maintained

## FAQ

**Q: How is Permify different from an identity provider like Keycloak?**
A: Keycloak handles authentication (who are you). Permify handles authorization (what can you do). They complement each other.

**Q: Does Permify scale horizontally?**
A: Yes. Permify is stateless and can be replicated behind a load balancer with PostgreSQL as the shared store.

**Q: Can I migrate from Casbin or OPA?**
A: There is no automatic migration, but the Permify DSL can express RBAC and ReBAC models that those tools support.

**Q: Is Permify free?**
A: The core service is open source under Apache 2.0. Permify Cloud is available as a managed option.

## Sources

- https://github.com/Permify/permify
- https://docs.permify.co

---

Source: https://tokrepo.com/en/workflows/ef62e5f4-3ade-11f1-9bc6-00163e2b0d79
Author: Script Depot