Warrant Changelog - May 2022

· 2 min read
Aditya Kajla
Co-Founder @ Warrant

Here's what we've been up to in May:

New set rules & operators

First up, Warrant now supports the 'allOf' (intersection) and 'noneOf' (not) set rules for object type relations, in addition to the already supported 'anyOf' (union) rule. This brings the Warrant authz service closer to the Google Zanzibar specification. Using these rules, you can create more powerful authz policies including those based on exclusion rules to prevent common issues like 'role explosion.' You can read more about the new rule types here.

Storing Access Policies in Files vs. in a Database

· 7 min read
Karan Kajla
Co-Founder @ Warrant

Introduction

When tasked with adding authorization & access control to an application, one of the first decisions many developers make is whether to store their application's access control policies in policy files (policy as code) or in a database (policy as data). This decision is dictated by the business & operational needs of the application and is often made indirectly when choosing to use a library or implement a custom access control system from scratch. In this post, we'll cover the pros and cons of both approaches and discuss ideal use-cases for each.

Warrant Changelog - April 2022

· One min read
Aditya Kajla
Co-Founder @ Warrant

Here's what we've been up to in April:

New dashboard homepage

We've added a brand new homepage to the Warrant dashboard that contains all your monthly API metrics including total # of calls, authorizations, users and tenants.

Introducing the Warrant Self Service Dashboard

· 2 min read
Karan Kajla
Co-Founder @ Warrant

Today, I'm excited to launch our newest feature! 🎉 The Warrant Self Service Dashboard is a prebuilt, Warrant-hosted page where your customers can manage their own roles & permissions (think Stripe Checkout for user roles & permissions). Built on top of our core Authorization API, the Self Service Dashboard is fast, flexible, and easy to set up.

Warrant Changelog - February 2022

· 2 min read
Aditya Kajla
Co-Founder @ Warrant

Here's what we've been up to in February:

Enterprise-grade authz

Over the past several weeks, we’ve been hard at work augmenting and reinforcing our back-end infrastructure. The result is a much more scalable authz service that is globally distributed with ~50% better query latency. There’s more to come on this front but reach out to us if you have any questions about our enterprise roadmap.

Warrant Changelog - January 2022

· One min read
Aditya Kajla
Co-Founder @ Warrant

Happy new year! Here's what we've been up to in January:

New year, new look

As you can probably tell, we've updated our look! Check out our new website and dashboard.

Awesome-authorization

We've realized that good authz resources and content are hard to come by, so we put together a curated 'awesome-authorization' list of our fav articles and resources on GitHub. Check it out, star it and feel free to add your favs!

Warrant Changelog - December 2021

· 2 min read
Aditya Kajla
Co-Founder @ Warrant

Here's what we've been up to in December:

Ruby SDK

By popular demand, the official Warrant Ruby SDK is now available.

Dashboard updates

Some minor updates to the dashboard this month, including the ability to add user-friendly and identifiable usernames for each of your users.

Introducing Built-in Support for Role Based Access Control

· 3 min read
Karan Kajla
Co-Founder @ Warrant

I'm excited to announce that Warrant now has built-in support for Role Based Access Control! 🥳 RBAC is one of the most widely used forms of access control, so we wanted to make it as easy as possible for developers to add robust RBAC to their apps. We also know that access control isn't a "set it and forget it" type of problem. Applications evolve over time, whether it's through new features or other changes, so we've made some major updates to the Warrant Dashboard to make it easier to manage RBAC in a live application.

Insecure Direct Object Reference & How to Protect Against it

· 9 min read
Karan Kajla
Co-Founder @ Warrant

Insecure Direct Object Reference (shortened as IDOR) is one of the most common forms of broken access control, which OWASP recently listed as the number one application security issue in 2021. A quick search for "IDOR" on HackerOne's Hacktivity feed shows that many top tech companies (and even the U.S. Department of Defense) have fallen victim to IDOR, in some cases paying out well over $10,000 per bug bounty. In this post, I'll explain what IDOR is, what causes it, and ways to protect your application against it.