
Aditya Kajla · 2 min read

Here's what we've been up to in May:

New set rules & operators

First up, Warrant now supports the 'allOf' (intersection) and 'noneOf' (not) set rules for object type relations, in addition to the already supported 'anyOf' (union) rule. This brings the Warrant authz service closer to the Google Zanzibar specification. Using these rules, you can create more powerful authz policies, including ones based on exclusion rules, which help prevent common issues like 'role explosion'. You can read more about the new rule types here.

Karan Kajla · 7 min read

Introduction

When tasked with adding authorization & access control to an application, one of the first decisions many developers make is whether to store their application's access control policies in policy files or in a database. This decision is dictated by the business & operational needs of the application and is often made indirectly when choosing to use a library or implement a custom access control system from scratch. In this post, we'll cover the pros and cons of both approaches and discuss ideal use-cases for each.

Aditya Kajla · One min read

Here's what we've been up to in April:

New dashboard homepage

We've added a brand new homepage to the Warrant dashboard that contains all your monthly API metrics, including the total number of calls, authorizations, users and tenants.

Aditya Kajla · One min read

Here's what we've been up to in February:

Enterprise-grade authz

Over the past several weeks, we've been hard at work augmenting and reinforcing our back-end infrastructure. The result is a much more scalable authz service that is globally distributed with ~50% better query latency. There's more to come on this front, but reach out to us if you have any questions about our enterprise roadmap.

Aditya Kajla · One min read

Happy new year! Here's what we've been up to in January:

New year, new look

As you can probably tell, we've updated our look! Check out our new website and dashboard.

Awesome-authorization

We've realized that good authz resources and content are hard to come by, so we put together a curated 'awesome-authorization' list of our fav articles and resources on Github. Check it out, star it and feel free to add your favs!

Aditya Kajla · One min read

Here's what we've been up to in December:

Ruby SDK

By popular demand, the official Warrant Ruby SDK is now available.

Dashboard updates

Some minor updates to the dashboard this month, including the ability to add user-friendly and identifiable usernames for each of your users.

Karan Kajla · 2 min read

I'm excited to announce that Warrant now has built-in support for Role Based Access Control! 🥳 RBAC is one of the most widely used forms of access control, so we wanted to make it as easy as possible for developers to add robust RBAC to their apps. We also know that access control isn't a "set it and forget it" type of problem. Applications evolve over time, whether it's through new features or other changes, so we've made some major updates to the Warrant Dashboard to make it easier to manage RBAC in a live application.

Karan Kajla · 8 min read

Insecure Direct Object Reference (shortened as IDOR) is one of the most common forms of broken access control, which OWASP recently listed as the number one application security issue in 2021. A quick search for "IDOR" on HackerOne's Hacktivity feed shows that many top tech companies (and even the U.S. Department of Defense) have fallen victim to IDOR, in some cases paying out well over $10,000 per bug bounty. In this post, I'll explain what IDOR is, what causes it, and ways to protect your application against it.