· 4 min read
Stanley Phu

Building and maintaining a role-based access control (RBAC) model at a growing company can be a challenge as your application evolves with continually changing product requirements. As requirements and features are updated, your access model needs to keep up. Today, we're excited to introduce a new concept and features to help you manage your RBAC model with less complexity: implied roles and permissions.

What is it?

Many RBAC models involve some sort of inheritance, where an admin role may have all the permissions of a lesser role plus more admin-specific permissions. This can involve duplication of permission assignments across roles and quickly turn your roles and permissions into a complex mess that's difficult to manage.

We've eliminated the need for this duplication and made it simpler to manage complex RBAC models via API or Dashboard with the concept of implied roles and permissions. With implied roles and permissions, you can define a role or permission that will automatically be implied when a user is assigned a particular role or permission. For example, a manager and basic role can be implied by the admin role so any user with the admin role will automatically be granted the capabilities of both the manager and basic roles.

· One min read
Aditya Kajla

The two primary ways to view, manage and enforce an access model in Warrant are the APIs and the admin UI. Today we're introducing a third way, geared towards power users, especially those that ❤️ automation: a native command-line interface (CLI).

CLI

· 2 min read
Aditya Kajla

Here's what we've been up to in July:

Introducing the Warrant Edge Agent

The Edge Agent is a lightweight Go service that customers can deploy in their own infrastructure, where it functions as an in-network, local cache capable of responding to access check requests with single millisecond response times. You can read more about Edge here and check out the source code on GitHub.

· 3 min read
Karan Kajla

Today, we're excited to launch the Warrant Edge Agent! It's been a long time in the making, and we're finally ready to share more about it and roll it out to our customers.

What is it?

Because Warrant is a centralized, stand-alone service, engineering teams have consistently brought up latency & reliability concerns about performing access checks with it: each check adds a network request to the critical path of almost every request to their applications. While our globally distributed authorization service offers both low latency and high availability that meet most customers' demands, some teams have stricter requirements.

· 3 min read
Aditya Kajla

Over the past few months, we've had the opportunity to speak with and work closely with engineering teams implementing authorization in their applications with Warrant. A common topic that came up in these conversations was the level of integration between Warrant and our customers' applications.

For example, implementing multi-tenancy with Warrant requires our customers to call the Warrant API each time a tenant or a user is created in their application and whenever a user is added to or removed from a tenant. This is done in order to keep the access rules in Warrant up-to-date as data changes in the customer's application.

We received feedback from teams that adding this logic to their applications can be somewhat redundant and lead to tighter coupling (particularly on the write path) with Warrant. We listened, and in an effort to reduce the friction of initial and ongoing integration with Warrant, we're excited to launch Warrant Sync!

· 2 min read
Aditya Kajla

Here's what we've been up to in June:

Introducing Warrant Sync

We’re excited to officially launch Warrant Sync into beta today! Sync connects with your existing database and automatically creates, updates and deletes warrants for common use-cases like managing users, tenants and RBAC. We built Sync to make integrating with Warrant significantly easier and cut down on a lot of the boilerplate API integration. Check out more in our Sync launch post and get in touch if you'd like to try it out.

· 2 min read
Aditya Kajla

Here's what we've been up to in May:

New set rules & operators

First up, Warrant now supports the 'allOf' (intersection) and 'noneOf' (not) set rules for object type relations, in addition to the already supported 'anyOf' (union) rule. This brings the Warrant authz service closer to the Google Zanzibar specification. Using these rules, you can create more powerful authz policies including those based on exclusion rules to prevent common issues like 'role explosion.' You can read more about the new rule types here.

· 7 min read
Karan Kajla

Introduction

When tasked with adding authorization & access control to an application, one of the first decisions many developers make is whether to store their application's access control policies in policy files or in a database. This decision is dictated by the business & operational needs of the application and is often made indirectly when choosing to use a library or implement a custom access control system from scratch. In this post, we'll cover the pros and cons of both approaches and discuss ideal use-cases for each.

· One min read
Aditya Kajla

Here's what we've been up to in April:

New dashboard homepage

We've added a brand new homepage to the Warrant dashboard that contains all your monthly API metrics including total # of calls, authorizations, users and tenants.