HACKER Q&A
📣 gruuya

Experience using Zanzibar-styled authorization in production?


In particular, with some OSS solution, like Ory Keto (https://www.ory.sh/keto) or Authorizer (https://www.authorizer.tech/docs/overview/introduction), both of which look promising for our use case.

Even though Ory Keto is more well known, Authorizer seems to be a step ahead by already supporting subject set rewrites, one of the key core concepts from the original Zanzibar paper (the lack of which is a major handicap).

Also, how do you manage cascade relation tuple deletion upon deleting the corresponding object/subject resource (e.g. user/group/etc)?


  👤 wikibob Accepted Answer ✓
Check out this comprehensive explanation from TailScale.io, a WireGuard VPN startup, on how they use Zanzibar:

https://tailscale.com/blog/rbac-like-it-was-meant-to-be/

And see also this talk explaining the Zanzibar paper from Authzed.com, a startup that will sell you Zanzibar as a service:

https://authzed.com/blog/what-is-zanzibar/