Permission Systems for Enterprise That Scale

Posted10 days agoActive6d ago

eliocs

99 points

33 comments

eliocapella.comTech Discussionstory

informativepositive

Debate

20/100

Permission SystemsSAASResearch

Key topics

Permission Systems

SAAS

Research

Diving into the complexities of permission systems for enterprises, commenters are weighing in on the best approaches to scaling these systems. Some are touting the Postgres ltree module as a game-changer for permission systems, particularly for file structure use-cases, while others are questioning its advantages over alternative solutions. The discussion also touches on the potential pitfalls of pre-computed permissions, with the author clarifying that while databases are ACID compliant, synchronization isn't enforced out of the box, requiring careful transaction management. As one commenter is about to embark on a similar project, the conversation is sparking valuable insights and practical advice.

Snapshot generated from the HN discussion

Discussion Activity

Active discussion

First comment

Peak period

0-6h

Avg / period

5.1

Comment distribution36 data points

Loading chart...

Based on 36 loaded comments

Key moments

01Story posted
Dec 24, 2025 at 4:50 AM EST
10 days ago
Step 01
02First comment
Dec 24, 2025 at 6:14 AM EST
1h after posting
Step 02
03Peak activity
17 comments in 0-6h
Hottest window of the conversation
Step 03
04Latest activity
Dec 27, 2025 at 12:18 PM EST
6d ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (33 comments)

Showing 36 comments

bencyoung

10 days ago

3 replies

If you're using Postgres then using the ltree module is great for permission systems. Available in RDS too

calderwoodra

9 days ago

1 reply

Agreed, specifically for the file structure use-case, we were able to solve this with ltree.

amcvitty

9 days ago

About to embark on a similar project. Would love to hear any insights you can share!

casper14

10 days ago

Could you explain why this is great over alternatives?

nh2

9 days ago

Do you have an article about that?

charcircuit

10 days ago

3 replies

>We added a point of failure, as the permissions table can get out of sync with the actual data.

>The main risk with pre-computed permissions is data getting out of sync.

It would make sense to have permissions be a first class concept for databases and to ensure such a desync could never happen. Data being only read or written from specific users is a very common thing for data so it would be worth having first class support for it.

valiant55

9 days ago

3 replies

I'm struggling to understand what the issue that the author is getting at. The point of a database is that it's ACID compliant, wrap insets/updates/deletes in a transaction and no such drift would occur. What am I missing?

ahsisibssbx

9 days ago

Depending on your DBMS and isolation level, using a transaction might not fix things. That being said I don’t think (at least for Postgres) most people are using an isolation level that could cause this.

Much more likely I think is that you can’t use the db to prevent invalid states here (unique constraint, etc) and you’re dependent on other areas of the code correctly implementing concurrency controls. Race condition in resource A causes problems in your permissions table now.

And just from a general engineering perspective, you should assume things are going to fail and assess what your path forward looks like when they do. Recovery script sounds like a good idea for a critical area.

eliocsAuthor

9 days ago

I just want to point out you have to take care about that, yes you can have a trigger or a transaction to make sure it happens but it isn't there out of the box

charcircuit

9 days ago

I don't think you are missing anything. I think he is just pointing out that technically nothing is enforcing this synchronization, so if someone forgets to wrap things in a transaction, it could get out of sync.

eliocsAuthor

9 days ago

Lot of 'new' databases are basing their moat on this and sync engines. Eg: supabase, zero.dev, jazzdb, etc.

jeffbee

9 days ago

Why is it a useful property that everything is always "in sync"? I propose this is not possible anyway. These systems are always asynchronous, and the time of check is always before the time of use, and it is always possible that a revocation occurs between them, and this problem cannot be eliminated.

tekkk

10 days ago

4 replies

Strange the article proposes itself for "Enterprise" yet has no mention of Google's Zanzibar and how it compares to the other approaches. AFAIK it doesn't use pre-computed values but just queries really fast (using Spanner so there's that)

eliocsAuthor

9 days ago

2 replies

Can you let me know how would you for example query all accessible resources for a user using Google's Zanzibar?

phrotoma

9 days ago

1 reply

Related: if anyone has a method of achieving this query against GCP resources I'd be keen to learn that as well.

jschorr

9 days ago

We actually have users that synchronize their resources from various sources (AWS, Kubernetes, etc) into SpiceDB, explicitly so they can perform these kinds of queries!

One of the major benefits of a centralized authorization system is allowing for permissions queries across resources and subjects from multiple different services/sources (of course, with the need to synchronize the data in)

Happy to expand on how some users do so, if you're curious.

jschorr

9 days ago

In SpiceDB, this is known as the LookupResources [1] API, which returns all resources (of a particular type) that a particular subject (user in this case) has a particular permission on.

We have a guide on doing ACL-aware filtering and listing [2] with this API and describing other approaches for larger Enterprise scales

Disclaimer: I'm the co-founder and CTO of AuthZed, we develop SpiceDB, and I wrote our most recent implementation of LookupResources

[1]: https://buf.build/authzed/api/docs/main:authzed.api.v1#authz... [2]: https://authzed.com/docs/spicedb/modeling/protecting-a-list-...

svaha1728

9 days ago

2 replies

If you are interested in Zanzibar and Relationship-Based Access Control (ReBAC) it’s worth taking a look at OpenFGA https://openfga.dev/

hsluoyz

6d ago

Worth mentioning Casbin as well (https://github.com/casbin/casbin) - it's been around for a while and takes a slightly different approach. Instead of being purely Zanzibar-inspired, it uses a PERM (Policy, Effect, Request, Matchers) metamodel that lets you implement RBAC, ABAC, or ReBAC depending on what fits your use case.

mirzap

9 days ago

There are quite a few OSS Zanzibar-inspired authorization services/servers:

  - SpiceDB (https://github.com/authzed/spicedb)
  - Permify (https://github.com/Permify/permify)
  - Warrant (https://github.com/warrant-dev/warrant)
  - Ory Keto (https://github.com/ory/keto)

jschorr

9 days ago

1 reply

Google's Zanzibar actually does both: for the vast majority of queries, it uses significant levels of caching and a permitted amount of staleness [1], allowing Spanner to return a (somewhat stale) copy of the relationship data from local nodes, rather than having to wait or coordinate with the other nodes.

However, some deeply recursive or wide relations can still be slow, so Zanzibar also has a pre-computation cache called Leopard that is used for a very specific subset of these relations [2]. For SpiceDB, we called our version of this cache Materialize and it is designed expressly for handling "Enterprise" levels of scale in a similar fashion, as sometimes it is simply too slow to walk these deep graphs in real-time.

[1]: https://zanzibar.tech/24uQOiQnVi:1T:4S [2]: https://zanzibar.tech/21tieegnDR:0.H1AowI3SG:2O

samarthr1

7 days ago

1 reply

Ooh, and back when that was not a thing (iirc a few years back) me and a friend of mine had built a spiritually similar index for spicedb for our final year project at uni. We had a mini WAL and the ability to safely reject queries that specified a minimum update requirement after the index updation.

jschorr

6d ago

Sweet! I'd love to see it, if you have a link, or throw it in our Discord [1]!

[1]: https://discord.com/invite/GBeT3R4k84

smarx007

9 days ago

And https://projects.eclipse.org/projects/technology.biscuit

Xmd5a

9 days ago

2 replies

https://docs.feldera.com/use_cases/fine_grained_authorizatio...

Fine-grained authorization as an incremental computation problem

eliocsAuthor

9 days ago

1 reply

How would you achieve fast list queries of accessible resources with this approach?

gz09

9 days ago

feldera has a way to run ad-hoc/list queries on materialized views. Alternatively, you can send the result somewhere where you can query it.

gneray

9 days ago

Yes :) we've implemented this at Oso.

the_arun

9 days ago

1 reply

Isn’t Open Policy Agent (OPA) and Zanzibar not good enough to be in the article or author talking about specific permission controls?

samarthr1

7 days ago

My understanding is that Zanzibar is not usable as is for enterprises to use in their software?

And that it is an internal google system?

bitweis

9 days ago

1 reply

Permit.io

Scales both on the tech, and on the human side - e.g. your product manager can add roles (with CI approval) without requiring engineering involvement.

(I'm biased but still true)

afiori

9 days ago

1 reply

I only did a quick read of permit.io offering but iirc they don't focus on hierarchical data. If having access to a resource cannot grant access to unbounded number of other independent resources (eg sharing a folder) then almost all issues of the article disappear

bitweis

9 days ago

too quick man, it's a key feature:

https://www.permit.io/rebac

zkmon

10 days ago

I feel this is abuse of dark theme by forcing readers to increase brightness of their screens to full. Even then, the text is too faint. I also hate those dark themes which result in too much contrast for text (white text on black background) due to increased brightness of the screen.

julik

7 days ago

Interesting article, but it mixes up two concerns, I would say. One is retrieving trees from the DB and storing them - which can be annoying but has nothing to do with permissions. Another one is "hiding" unpermitted nodes/branches from the viewer (if that is what applying permissions is about - it can also handle read-only things, for instance). If these two concepts get separated and it is not a big deal to "overfetch" for the current user before doing the filtering - things become way easier. When the tree is reconstructed, you can do breadth-first traversal and compute permissions for every item in there - or retrieve the permissions for items at that level, if you are doing ACL stuff. From there - if there is no permission for the current viewer on that node - you exclude it from further scans and you do not add its' children to further traversals as you go down. Max. number of scans = tree depth. With some PG prowess you could even fold this into sophisticated SQL stuff.

Trees with RDBMSes do stay a pain, though :-)

ExoticPearTree

9 days ago

Another approach to complex requirements without spending a lot of time querying databases is to use bitmaps. A set of permissions can be expressed through a bitmap and all you need to do in code is to "decode" that to what you actually let the user do.

The downside to this approach is that it requires some planning and to maintain in code what mask retrieves what permission(s).

View full discussion on Hacker News

ID: 46374117Type: storyLast synced: 12/27/2025, 9:40:35 AM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN