CINXE.COM
Authorization (AuthZ): Quick Start Guide for Enterprise Permissions | AuthZed.com
<!DOCTYPE html><html lang="en" class="__variable_403957 __variable_f8bf1a"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" href="/_next/static/media/92f44bb82993d879-s.p.woff2" as="font" crossorigin="" type="font/woff2"/><link rel="preload" href="/_next/static/media/a34f9d1faa5f3315-s.p.woff2" as="font" crossorigin="" type="font/woff2"/><link rel="preload" as="image" href="/authzed-icon-multi.svg" fetchPriority="high"/><link rel="preload" as="image" imageSrcSet="/_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=640&q=75 640w, /_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=750&q=75 750w, /_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=828&q=75 828w, /_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=1080&q=75 1080w, /_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=1200&q=75 1200w, /_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=1920&q=75 1920w, /_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=2048&q=75 2048w, /_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=3840&q=75 3840w" imageSizes="100vw" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/b1f6f9dd7f6ae292.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/35351f010017696e.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/da72cc09e5cef6cf.css" data-precedence="next"/><link rel="preload" href="/_next/static/chunks/webpack-76ab6381491b6f7e.js" as="script" fetchPriority="low"/><script src="/_next/static/chunks/fd9d1056-35f33f7ae5fc529e.js" async=""></script><script src="/_next/static/chunks/7864-3806b5b4c5d54493.js" async=""></script><script src="/_next/static/chunks/main-app-f98c4186aa19bb86.js" async=""></script><link rel="preload" href="https://js.hsforms.net/forms/embed/v2.js" as="script"/><link rel="preload" href="/vendor/consent-manager.js" as="script"/><link rel="preload" href="https://use.typekit.net/pjz2dde.css" as="style"/><title>Authorization (AuthZ): Quick Start Guide for Enterprise Permissions | AuthZed.com</title><meta name="description" content="This AuthZ quick start guide covers what AuthZ is, why it's an issue, use cases and requirements for enterprise permissions systems. It also provides an introduction to Google Zanzibar's ReBAC approach and how it solves authZ."/><meta name="robots" content="index, follow, nocache"/><meta name="googlebot" content="index, follow, noimageindex, max-video-preview:-1, max-image-preview:large, max-snippet:-1"/><link rel="canonical" href="https://authzed.com/blog/authz-primer"/><meta property="og:title" content="Authorization (AuthZ): Quick Start Guide for Enterprise Permissions | AuthZed.com"/><meta property="og:description" content="This AuthZ quick start guide covers what AuthZ is, why it's an issue, use cases and requirements for enterprise permissions systems. It also provides an introduction to Google Zanzibar's ReBAC approach and how it solves authZ."/><meta property="og:image" content="https://authzed.com/images/blogs/blog-featured-image.png"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="Authorization (AuthZ): Quick Start Guide for Enterprise Permissions | AuthZed.com"/><meta name="twitter:description" content="This AuthZ quick start guide covers what AuthZ is, why it's an issue, use cases and requirements for enterprise permissions systems. It also provides an introduction to Google Zanzibar's ReBAC approach and how it solves authZ."/><meta name="twitter:image" content="https://authzed.com/images/blogs/blog-featured-image.png"/><meta name="next-size-adjust"/><link rel="icon" type="image/svg+xml" href="/favicon.svg"/><link rel="icon" type="image/x-icon" href="/favicon.ico"/><link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"/><link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"/><link rel="mask-icon" href="/safari-pinned-tab.svg" type="image/svg+xml"/><link rel="alternate" type="application/atom+xml" title="Atom Feed for authzed.com" href="/feed/atom"/><link rel="alternate" type="application/rss+xml" title="RSS Feed for authzed.com" href="/feed/rss"/><link rel="stylesheet" href="https://use.typekit.net/pjz2dde.css"/><script defer="" data-domain="authzed.com" src="/js/script.js" data-api="/api/event"></script><script src="/_next/static/chunks/polyfills-c67a75d1b6f99dc8.js" noModule=""></script></head><body class="bg-dark text-white overflow-x-hidden"><style> div[data-consent-manager-dialog] button[type=submit] { color: #fff; background-color: rgb(133, 74, 170); background-image: none; } </style><div id="consent-manager" class="fixed left-6 bottom-6 mr-6 z-[2147483647] shadow-lg [&>div]:rounded-lg [&>div]:p-4 [&>div]:pr-10 [&>div]:bg-suns-1000"></div><!--$!--><template data-dgst="NEXT_DYNAMIC_NO_SSR_CODE"></template><!--/$--><div class="bg-dark text-white"><div class="flex announcement-bar relative flex-wrap justify-between gap-y-2.5 py-3 px-5 z-50 text-[.8125rem] text-white bg-rocks-700/85 opacity-100 border-rocks-500 border-b-2"><div class="announcment grid grid-flow-col auto-cols-2 tablet:flex tablet:flex-wrap gap-2 justify-items-start items-center"><div class="flex flex-initial"><p>How authorization fits into the architecture of secure AI RAG stacks: AuthZed CEO Jacob Moshenko interviewed at theCube + NYSE Media Day</p></div><a href="https://www.youtube.com/watch?v=9Giynn1odZo"><button class="inline-flex items-center justify-center disabled:pointer-events-none disabled:opacity-50 focus:nonedata-[state=open]:bg-slate-100 bg-gradient-to-b from-[#FF5C61] to-[#9C3774] rounded-full border border-[#AC5184] transition-transform duration-100 hover:scale-[1.03] h-5 content-center text-[.75rem] font-medium px-3 py-2.5" label="Watch" icon="play">Watch<svg aria-hidden="true" focusable="false" data-prefix="fas" data-icon="play" class="svg-inline--fa fa-play bg-transparent h-[0.625rem] w-[0.625rem] ml-2" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512"><path fill="currentColor" d="M73 39c-14.8-9.1-33.4-9.4-48.5-.9S0 62.6 0 80V432c0 17.4 9.4 33.4 24.5 41.9s33.7 8.1 48.5-.9L361 297c14.3-8.7 23-24.2 23-41s-8.7-32.2-23-41L73 39z"></path></svg></button></a></div><div class="hidden laptop:flex gh-container flex-wrap flex-initial self-end gap-y-2.5"><span><a href="https://github.com/authzed/spicedb" class="text-current no-underline">SpiceDB, Open Source Google Zanzibar FGA </a></span><a href="https://github.com/authzed/spicedb"><button class="w-max flex items-center content-center justify-center bg-white border-[rgba(27,31,36,.15)] font-sans text-[#323040] font-medium transition-transform duration-100 active:scale-95 hover:scale-105 focus:outline-none focus:ring-2 focus:ring-slate-400 focus:ring-offset-2 h-5 rounded-sm text-[0.6875rem] leading-[.9rem] border-[1px]" type="button"><div class="px-1 border-[1px] h-full border-r border-[rgba(27,31,36,.05)] flex flex-nowrap items-center place-content-center bg-[#EBF0F4]"><svg aria-hidden="true" focusable="false" data-prefix="fab" data-icon="github" class="svg-inline--fa fa-github fa-lg " role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><path fill="currentColor" d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z"></path></svg><div class="pl-1">Star</div></div><span class="py- px-1">5165</span></button></a></div></div><nav class="sticky top-0 z-100"><div class="nav-bar"><div class="left-nav"><a class="ml-4 py-2 min-w-[60px] tablet:block" href="/"><img alt="AuthZed" fetchPriority="high" width="60" height="30" decoding="async" data-nimg="1" style="color:transparent" src="/authzed-icon-multi.svg"/></a><div class="nav-links"><div class="py-6 inline-block"><a class="py-2 px-4 inline-flex items-center" href="/why-authzed">Why AuthZed?</a></div><div class="nav-link group" tabindex="0"><div class="label"><span class="mr-1">Products</span><svg class="fill-current h-4 w-4" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20"><path d="M9.293 12.95l.707.707L15.657 8l-1.414-1.414L10 10.828 5.757 6.586 4.343 8z"></path></svg></div><div class="grid grid-cols-3 gap-2 sub-nav"><div><div class="group-header"><span class="">Managed Services</span></div><div><a tabindex="0" href="/products/authzed-dedicated">AuthZed Dedicated</a></div><div><a tabindex="0" href="/products/authzed-serverless">AuthZed Serverless</a></div></div><div><div class="group-header"><span class="">Self-Hosted</span></div><div><a tabindex="0" href="/products/authzed-support">AuthZed Support</a></div><div><a tabindex="0" href="/products/spicedb-enterprise">SpiceDB Enterprise</a></div></div><div><div class="group-header"><span class="">Open Source</span></div><div><a tabindex="0" href="/spicedb">SpiceDB</a></div><div><a tabindex="0" href="/products/spicedb-operator">SpiceDB Operator</a></div><div><a tabindex="0" href="/products/spicedb-clients">SpiceDB Clients</a></div></div></div></div><div class="nav-link group" tabindex="0"><div class="label"><span class="mr-1">Resources</span><svg class="fill-current h-4 w-4" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20"><path d="M9.293 12.95l.707.707L15.657 8l-1.414-1.414L10 10.828 5.757 6.586 4.343 8z"></path></svg></div><div class="grid grid-cols-4 gap-2 sub-nav"><div><div class="group-header"><span class="">Learn</span></div><div><a tabindex="0" href="/docs">Docs</a></div><div><a tabindex="0" href="https://play.authzed.com">Playground</a></div></div><div><div class="group-header"><span class="">Company</span></div><div><a tabindex="0" href="/blog">Blog</a></div><div><a tabindex="0" href="/customers">Customer Stories</a></div></div><div><div class="group-header"><span class="">Support</span></div><div><a tabindex="0" href="https://security.authzed.com">Security</a></div><div><a tabindex="0" href="https://status.authzed.com/">Status Page</a></div><div><a tabindex="0" href="/create-ticket">Submit a Ticket</a></div><div><a tabindex="0" href="/call">Schedule a Call</a></div></div><div><div class="group-header"><span class="">Community</span></div><div><a tabindex="0" href="https://authzed.com/discord">Discord</a></div><div><a tabindex="0" href="https://github.com/authzed">GitHub</a></div><div><a tabindex="0" href="https://twitter.com/authzed">Twitter</a></div><div><a tabindex="0" href="https://www.youtube.com/@authzed">YouTube</a></div><div><a tabindex="0" href="https://www.linkedin.com/company/authzed/">LinkedIn</a></div></div></div></div><div class="py-6 inline-block"><a class="py-2 px-4 inline-flex items-center" href="/pricing">Pricing</a></div><div class="py-6 inline-block"><a class="py-2 px-4 inline-flex items-center" href="/spicedb">SpiceDB</a></div><div class="py-6 inline-block"><a class="py-2 px-4 inline-flex items-center" href="/demo">Demo</a></div></div></div><div class="right-nav"><a class="nav-secondary-cta" target="_blank" rel="noopener noreferrer" href="https://app.authzed.com">Log In</a><div class="nav-primary-cta"><a class="" href="/get-started"><div class="border-transparent rounded-[22px] border-2 w-fit" style="background:linear-gradient(to bottom, #6C3E5C, #6C3E5C) padding-box, linear-gradient(to right, #BE5D9B, #834AA9) border-box"><button class="inline-flex items-center justify-center text-sm font-medium transition-all duration-500 disabled:pointer-events-none disabled:opacity-50 focus:nonedata-[state=open]:bg-slate-100 bg-light hover:text-light hover:bg-suns-900 py-2 px-4 overflow-hidden relative h-8 rounded-[22px] button-hover-gradient bg-gradient-to-r from-[#5C344E] to-[#211E2E] text-white"><span class="z-[10] flex items-center">Get Started<svg aria-hidden="true" focusable="false" data-prefix="fas" data-icon="chevron-right" class="svg-inline--fa fa-chevron-right bg-transparent h-[0.875rem] w-[0.875rem] ml-2" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 320 512"><path fill="currentColor" d="M310.6 233.4c12.5 12.5 12.5 32.8 0 45.3l-192 192c-12.5 12.5-32.8 12.5-45.3 0s-12.5-32.8 0-45.3L242.7 256 73.4 86.6c-12.5-12.5-12.5-32.8 0-45.3s32.8-12.5 45.3 0l192 192z"></path></svg></span></button></div></a><a class="hidden" href="/learn-more"><div class="border-transparent rounded-[22px] border-2 w-fit" style="background:linear-gradient(to bottom, #6C3E5C, #6C3E5C) padding-box, linear-gradient(to right, #BE5D9B, #834AA9) border-box"><button class="inline-flex items-center justify-center text-sm font-medium transition-all duration-500 disabled:pointer-events-none disabled:opacity-50 focus:nonedata-[state=open]:bg-slate-100 bg-light hover:text-light hover:bg-suns-900 py-2 px-4 overflow-hidden relative h-8 rounded-[22px] button-hover-gradient bg-gradient-to-r from-[#5C344E] to-[#211E2E] text-white"><span class="z-[10] flex items-center">Learn More<svg aria-hidden="true" focusable="false" data-prefix="fas" data-icon="arrow-right" class="svg-inline--fa fa-arrow-right bg-transparent h-[0.875rem] w-[0.875rem] ml-2" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path fill="currentColor" d="M438.6 278.6c12.5-12.5 12.5-32.8 0-45.3l-160-160c-12.5-12.5-32.8-12.5-45.3 0s-12.5 32.8 0 45.3L338.8 224 32 224c-17.7 0-32 14.3-32 32s14.3 32 32 32l306.7 0L233.4 393.4c-12.5 12.5-12.5 32.8 0 45.3s32.8 12.5 45.3 0l160-160z"></path></svg></span></button></div></a></div></div><div class="mobile-nav-button"><button type="button" class="p-2 mr-4 inline-flex items-center text-white bg-transparent"><span class="sr-only">Open menu</span><svg class="w-6 h-6" aria-hidden="true" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" d="M3 5a1 1 0 011-1h12a1 1 0 110 2H4a1 1 0 01-1-1zM3 10a1 1 0 011-1h12a1 1 0 110 2H4a1 1 0 01-1-1zM3 15a1 1 0 011-1h12a1 1 0 110 2H4a1 1 0 01-1-1z" clip-rule="evenodd"></path></svg></button></div></div></nav><div class="mobile-nav translate-x-full"><section class="w-screen h-full right-0 absolute"><div class="p-8 pb-10 flex flex-col space-y-6 overflow-y-scroll h-full"><div class="self-end"><svg aria-hidden="true" focusable="false" data-prefix="fas" data-icon="xmark" class="svg-inline--fa fa-xmark w-[20px] h-[20px]" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 320 512"><path fill="currentColor" d="M310.6 150.6c12.5-12.5 12.5-32.8 0-45.3s-32.8-12.5-45.3 0L160 210.7 54.6 105.4c-12.5-12.5-32.8-12.5-45.3 0s-12.5 32.8 0 45.3L114.7 256 9.4 361.4c-12.5 12.5-12.5 32.8 0 45.3s32.8 12.5 45.3 0L160 301.3 265.4 406.6c12.5 12.5 32.8 12.5 45.3 0s12.5-32.8 0-45.3L205.3 256 310.6 150.6z"></path></svg></div><div class="flex flex-col"><div class="flex justify-between mb-8"><a class="self-center inline-block" target="_blank" rel="noopener noreferrer" href="https://app.authzed.com">Log In</a><div class="inline-block"><a href="/get-started"><div class="border-transparent rounded-[22px] border-2 w-fit" style="background:linear-gradient(to bottom, #6C3E5C, #6C3E5C) padding-box, linear-gradient(to right, #BE5D9B, #834AA9) border-box"><button class="inline-flex items-center justify-center text-sm font-medium transition-all duration-500 disabled:pointer-events-none disabled:opacity-50 focus:nonedata-[state=open]:bg-slate-100 bg-light hover:text-light hover:bg-suns-900 py-2 px-4 overflow-hidden relative h-8 rounded-[22px] button-hover-gradient bg-gradient-to-r from-[#5C344E] to-[#211E2E] text-white"><span class="z-[10] flex items-center">Get Started<svg aria-hidden="true" focusable="false" data-prefix="fas" data-icon="chevron-right" class="svg-inline--fa fa-chevron-right bg-transparent h-[0.875rem] w-[0.875rem] ml-2" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 320 512"><path fill="currentColor" d="M310.6 233.4c12.5 12.5 12.5 32.8 0 45.3l-192 192c-12.5 12.5-32.8 12.5-45.3 0s-12.5-32.8 0-45.3L242.7 256 73.4 86.6c-12.5-12.5-12.5-32.8 0-45.3s32.8-12.5 45.3 0l192 192z"></path></svg></span></button></div></a></div></div><div class="pb-16"><div class="mb-10 hover:underline"><a class="py-2" href="/why-authzed">Why AuthZed?</a></div><div class="mb-10"><div class="group-title">Products</div><div class="group"><div class="group-header"><span>Managed Services</span></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="/products/authzed-dedicated">AuthZed Dedicated</a></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="/products/authzed-serverless">AuthZed Serverless</a></div><div class="group-header"><span>Self-Hosted</span></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="/products/authzed-support">AuthZed Support</a></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="/products/spicedb-enterprise">SpiceDB Enterprise</a></div><div class="group-header"><span>Open Source</span></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="/spicedb">SpiceDB</a></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="/products/spicedb-operator">SpiceDB Operator</a></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="/products/spicedb-clients">SpiceDB Clients</a></div></div></div><div class="mb-10"><div class="group-title">Resources</div><div class="group"><div class="group-header"><span>Learn</span></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="/docs">Docs</a></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="https://play.authzed.com">Playground</a></div><div class="group-header"><span>Company</span></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="/blog">Blog</a></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="/customers">Customer Stories</a></div><div class="group-header"><span>Support</span></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="https://security.authzed.com">Security</a></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="https://status.authzed.com/">Status Page</a></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="/create-ticket">Submit a Ticket</a></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="/call">Schedule a Call</a></div><div class="group-header"><span>Community</span></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="https://authzed.com/discord">Discord</a></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="https://github.com/authzed">GitHub</a></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="https://twitter.com/authzed">Twitter</a></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="https://www.youtube.com/@authzed">YouTube</a></div><div><a class="py-1 block whitespace-no-wrap hover:underline" href="https://www.linkedin.com/company/authzed/">LinkedIn</a></div></div></div><div class="mb-10 hover:underline"><a class="py-2" href="/pricing">Pricing</a></div><div class="mb-10 hover:underline"><a class="py-2" href="/spicedb">SpiceDB</a></div><div class="mb-10 hover:underline"><a class="py-2" href="/demo">Demo</a></div></div></div></div></section><section class=" w-screen h-full cursor-pointer "></section></div><div><main class="w-full bg-light relative z-50 text-rocks-1000"><div class="relative flex place-content-center w-full overflow-hidden bg-cover bg-center"><div class="z-10 bg-slate-900/70 h-full w-full flex place-content-center"><div class="relative z-10 py-8 laptop:py-16 flex flex-col gap-6 w-[90%] laptop:max-w-[1080px]"><div class="hidden laptop:flex items-center flex-wrap gap-1 tablet:gap-2"><a class="flex no-underline mt-0" href="/blog/tags/zanzibar"><span class="tag tag-lg hover:text-light">Zanzibar</span></a><a class="flex no-underline mt-0" href="/blog/tags/product"><span class="tag tag-lg hover:text-light">Product</span></a></div><div><h1 class="mb-0 text-3xl tablet:text-5xl text-white">Authorization (AuthZ): Quick Start Guide for Enterprise Permissions</h1></div><div class="flex items-center flex-wrap gap-6 tablet:gap-0"><div class="flex items-center gap-3"><div class="flex"><div class="relative inline-block h-[52px] w-[52px]" style="z-index:10"><img alt="/images/damian_in_da_house.jpeg" loading="lazy" decoding="async" data-nimg="fill" class="object-fill rounded-full border-2 border-white" style="position:absolute;height:100%;width:100%;left:0;top:0;right:0;bottom:0;color:transparent" sizes="100vw" srcSet="/_next/image?url=%2Fimages%2Fdamian_in_da_house.jpeg&w=640&q=75 640w, /_next/image?url=%2Fimages%2Fdamian_in_da_house.jpeg&w=750&q=75 750w, /_next/image?url=%2Fimages%2Fdamian_in_da_house.jpeg&w=828&q=75 828w, /_next/image?url=%2Fimages%2Fdamian_in_da_house.jpeg&w=1080&q=75 1080w, /_next/image?url=%2Fimages%2Fdamian_in_da_house.jpeg&w=1200&q=75 1200w, /_next/image?url=%2Fimages%2Fdamian_in_da_house.jpeg&w=1920&q=75 1920w, /_next/image?url=%2Fimages%2Fdamian_in_da_house.jpeg&w=2048&q=75 2048w, /_next/image?url=%2Fimages%2Fdamian_in_da_house.jpeg&w=3840&q=75 3840w" src="/_next/image?url=%2Fimages%2Fdamian_in_da_house.jpeg&w=3840&q=75"/></div></div><div class="flex flex-col gap-1"><div class="text-light"><a class="font-medium hover:text-suns-800 transition-colors duration-150 ease-in-out" href="https://linkedin.com/in/dsieczko">Damian Sieczkowski</a></div><div class="flex text-light gap-2 font-regular text-sm"><span>Updated November 18, 2024</span><span>|</span><span>8 min read</span></div></div></div></div></div></div><img alt="" fetchPriority="high" decoding="async" data-nimg="fill" class="z-0 absolute" style="position:absolute;height:100%;width:100%;left:0;top:0;right:0;bottom:0;object-fit:cover;color:transparent;background-size:cover;background-position:50% 50%;background-repeat:no-repeat;background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' %3E%3Cfilter id='b' color-interpolation-filters='sRGB'%3E%3CfeGaussianBlur stdDeviation='20'/%3E%3CfeColorMatrix values='1 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 100 -1' result='s'/%3E%3CfeFlood x='0' y='0' width='100%25' height='100%25'/%3E%3CfeComposite operator='out' in='s'/%3E%3CfeComposite in2='SourceGraphic'/%3E%3CfeGaussianBlur stdDeviation='20'/%3E%3C/filter%3E%3Cimage width='100%25' height='100%25' x='0' y='0' preserveAspectRatio='xMidYMid slice' style='filter: url(%23b);' href='data:image/gif;base64,R0lGODlhAQABAPAAAIVKqv///yH5BAAAAAAALAAAAAABAAEAAAICRAEAOw=='/%3E%3C/svg%3E")" sizes="100vw" srcSet="/_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=640&q=75 640w, /_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=750&q=75 750w, /_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=828&q=75 828w, /_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=1080&q=75 1080w, /_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=1200&q=75 1200w, /_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=1920&q=75 1920w, /_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=2048&q=75 2048w, /_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=3840&q=75 3840w" src="/_next/image?url=%2Fimages%2Fblogs%2Fblog-featured-image.png&w=3840&q=75"/></div><div class="w-[90%] pt-8 content-default text-rocks-500 flex flex-col laptop:max-w-[1080px] laptop:pt-16 laptop:flex-row"><div class="w-full mb-24 prose tablet:prose-tablet max-w-none leading-[2rem] laptop:w-2/3 laptop:pr-20"><article><h2 id="user-content-introduction"><strong>Introduction</strong></h2> <p>A business operating complex software environments needs to provide end-user experiences that enable and delight users, but never at the cost of a poor security stance. In 2022, a lapse in security fetched <a href="https://www.ibm.com/reports/data-breach">on average 9.44M for a data breach in the US, and $4.35M globally according to IBM</a>.</p> <p>This post aims to help companies with their authorization decisions and systems and share what we see in the market through conversations with companies looking to solve their authorization challenges, specifically authorization that impacts end-user interaction with their products. I’ll cover how authorization became an issue for most companies, the different approaches, an introduction to Google Zanzibar–the solution the market is converging on, the prominent use cases driving businesses to adopt this new approach, and what you can expect when moving to a relationship-based access control system (ReBAC).</p> <h2 id="user-content-what-is-authz"><strong>What is AuthZ?</strong></h2> <p>Because the Internet is, by definition, a networked system that connects users, most Internet-facing software is designed with a multi-user experience in mind. These environments require constructs to facilitate a natural experience that protects users’ data: <strong>authentication</strong>, commonly referred to as authN, is the key that verifies an application-specific identity, typically called a user, and <strong>authorization</strong>, commonly referred to as authZ, dictates what doors that key can open for a user.</p> <p>AuthZ plays a pivotal role in software security by ensuring that users have the appropriate level of access to different resources and functionalities within a system. At its core, authZ involves granting or denying access rights to specific resources or actions based on the identity and privileges of the user. It is crucial in preventing unauthorized access and verifying that only authorized users can perform specific actions within a system. It serves as a gatekeeper that protects sensitive data and functionalities. By implementing robust authorization mechanisms, developers can control the level of access granted to different users or roles, thereby safeguarding the system from potential security breaches.</p> <p>Collectively in the context of a product’s end users, authN and authZ are called Customer Identity and Access Management (CIAM). Authorization is such a foundational part of the digital experience that its underlying design principles have become <a href="https://99percentinvisible.org/about/the-show/">99% invisible</a>, even to developers, leading to fundamental challenges as a business scales.</p> <h2 id="user-content-why-authz-is-an-issue"><strong>Why AuthZ is an Issue</strong></h2> <p>A company typically starts by aggregating all user requests into a single piece of software that tightly couples application logic with authZ. As the company’s product gains traction and its user base grows, the focus shifts to distributing the software and scaling infrastructure components, often ignoring a much-needed change to the authorization system. This further embeds an authorization construct not meant to handle a growing number of requirements.</p> <p>From the business perspective, the two key limitations of a legacy authorization system are:</p> <ul> <li><strong>Permissions are inflexible</strong>: There isn’t a way to easily add additional constructs like <a href="https://authzed.com/blog/user-defined-roles">user-defined roles</a>, recursive relationships, <a href="https://authzed.com/blog/abac-on-spicedb-enabling-netflix-complex-identity-types">attribute-based access control (ABAC)</a>, or <a href="https://authzed.com/blog/fine-grained-access-control">fine-grained authorization (FGA)</a>.</li> <li><strong>Siloed permissions:</strong> as a company grows, it scales revenue by offering additional products; application teams then build bespoke authorization implementations that are hard to reason about and don’t consider a holistic user experience, especially at large scale.</li> </ul> <p>Google set out to fix this problem, along with several “<a href="https://zanzibar.tech/2AT-rbOOg7:R:1h">unique challenges involving data consistency and scalability</a>.”</p> <h2 id="user-content-googles-solution-to-authorization-google-zanzibar"><strong>Google’s Solution to Authorization: Google Zanzibar</strong></h2> <p>The confluence of business requirements driving the adoption of <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf">zero-trust architectures</a> and <a href="https://qonsent.com/static/pdf/qonsent-consumer-insights-june2022.pdf">94% of consumers wanting more control of their data</a> in near real-time galvanized the search for a modern authorization system. Google’s response was a modern approach that can scale with your business and maintain strict security requirements, now known as <a href="https://authzed.com/blog/what-is-google-zanzibar">Google Zanzibar</a>.</p> <p>Among the requirements set forth by the Google Zanzibar team is “<a href="https://zanzibar.tech/2MUghfOn_Y:A:1n">support for a rich set of access control policies as required by both consumer and enterprise applications</a>” and “[establish consistent semantics and user [developer] experience across applications](<a href="https://zanzibar.tech/2I7pd_DGm2:2C.49Q9UoJW_:J).%E2%80%9D">https://zanzibar.tech/2I7pd_DGm2:2C.49Q9UoJW_:J).”</a> Zanzibar powers authorization across hundreds of Google Products, including Google Calendar, Cloud, Drive, Maps, Photos, and YouTube. Notably, it unlocks unique experiences like <a href="https://zanzibar.tech/2Ry8nS2U5I:0:1t">cross-product authorization checks,</a> e.g., Slack’s Gmail extension can check if a recipient has access to a Google Doc, unlocking growth through reduced friction points while maintaining user privacy.</p> <p>Google Zanzibar is a relationship-based access control system (ReBAC), meaning that permissions are derived from the existence of a relationship between digital objects and users. This has positive performance implications, especially for recursive permissions, but, importantly, it’s a natural extension of sharing in the real world, which makes it intuitive for most developers.</p> <h2 id="user-content-use-cases-driving-adoption-of-google-zanzibar">Use-Cases Driving Adoption of Google Zanzibar</h2> <h3 id="user-content-product-led-growth"><strong>Product-Led Growth</strong></h3> <p>To share something is a user choice and subsequent action. Companies we’re speaking with have learned that facilitating frictionless sharing can help onboard additional users to their platforms. For instance, a hiring platform we’re working with implements fine-grained authorization (FGA) so enterprise recruiters are comfortable exposing permissions to hiring managers related to the positions the managers are looking to fill. Hiring managers, in turn, can proactively engage with candidates and increase activity on the platform.</p> <p>Another example is adding capabilities that foster more in-app experiences. For instance, a sharing economy company is boosting engagement with its platform by bringing resource management for users into their native applications instead of relying on third-party applications. Most companies we speak with share similar product-led growth initiatives built atop robust authorization.</p> <h3 id="user-content-breaking-into-the-enterprise"><strong>Breaking into the Enterprise</strong></h3> <p>Enhancing security and compliance is a key requirement for B2B companies looking to scale revenue within an enterprise market segment, and OWASP’s 2021 report cites <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">broken access control</a> as a top security concern. One of the main risks is “exposure of sensitive information to an unauthorized actor,” which is a core tenet of the Google Zanzibar paper; the system "<a href="https://zanzibar.tech/22_E1zFxjc:0.4BawKBUjM:1K">must ensure consistency of access control decisions to respect user intentions.</a>”</p> <p>Enterprise users also require increased flexibility; these manifest as the following requirements for product teams:</p> <ol> <li><strong>Fine-grained authorization (FGA):</strong> the ability to control resources down to a granular level, e.g., a page in a document, though there is a balance, see <a href="https://authzed.com/blog/fine-grained-access-control">Fine-Grained Access Control: Can You Go Too Fine?</a></li> <li><strong>User-defined Roles and Permissions:</strong> beyond a typical application-defined Role-Based Access Control (RBAC) system, product teams need to allow end-user admins to create roles and associated permissions for delegating to internal teams.</li> <li><strong>Recursive relationships:</strong> at a certain scale, teams start owning teams. This is challenging for a traditional authorization system dealing with permissions stored in a relational database alongside application data.</li> <li><strong>Attributes-Based Access Control (ABAC):</strong> support for dynamic time-bound or otherwise caveated access.</li> </ol> <h2 id="user-content-what-to-expect-when-adopting-relationship-based-access-control-rebac"><strong>What to Expect When Adopting Relationship-Based Access Control (ReBAC)</strong></h2> <p>A crucial part of ReBAC systems like Google Zanzibar and our own <a href="https://authzed.com/products/spicedb">Zanzibar-inspired authorization system, SpiceDB,</a> is storing permissions data in a separate database; product-specific data (e.g. content of a social media post) is stored in the application database, while the data that drives who can edit that data live in the permissions database. If you have an existing authorization flow, you’ll have to translate that data into permissions data.</p> <p>Modeling data is probably the most fun and intuitive part. SpiceDB, like other solutions, has a domain-specific language (DSL) called the <a href="https://authzed.com/docs/reference/schema-lang">SpiceDB Schema Language</a> for defining the objects you want to create an authorization system for. The permissions schema defines the objects, e.g., users and documents, how they relate to each other, and the permissions those relationships define.</p> <p>Since you’re writing permissions data, integration is a big part of the journey. A ReBAC authorization system is delivered over a gRPC or HTTP API; SpiceDB has libraries available in multiple languages to help developers get up to speed quickly. You’ll want to make sure whatever solution you choose delivers a solid developer experience.</p> <p>Google Zanzibar doesn’t mention policy, but we’ve learned through our collaboration building <a href="https://authzed.com/blog/abac-on-spicedb-enabling-netflix-complex-identity-types">Attribute-Based Access Control (ABAC) for Netflix</a> that pairing policy with ReBAC is a powerful paradigm. An example of this capability is SpiceDB Caveats: <a href="https://authzed.com/blog/caveats">Caveats: A Scalable Solution for Policy</a>.</p> <p>A common practice is to organize a core team of developers tasked with architecting and executing an overhaul to your authorization system. The effort must be cross-functional; you’ll want platform engineers, application engineers, and product managers to work together to ensure smooth adoption.</p> <h2 id="user-content-get-started">Get Started</h2> <p>Given how popular Google's approach to authorization has become, there are a number of new companies and projects looking to provide Zanzibar-aaS. At AuthZed, we've created a faithful open-source implementation of Google Zanzibar called <a href="https://github.com/authzed/spicedb">SpiceDB</a>, and offer managed commercial offerings that make it easy to get into production. Join the community on <a href="https://authzed.com/discord">Discord</a> or <a href="https://authzed.com/call">schedule a call</a> to learn more!</p> <h2 id="user-content-additional-reading">Additional Reading</h2> <p>If you’re interested in learning more about Authorization and Google Zanzibar, we recommend reading the following posts:</p> <ul> <li><a href="https://authzed.com/blog/what-is-google-zanzibar">Understanding Google Zanzibar: A Comprehensive Overview</a></li> <li><a href="https://authzed.com/blog/fine-grained-access-control">Fine-Grained Access Control: Can You Go Too Fine?</a></li> <li><a href="https://authzed.com/blog/exploring-rebac">Relationship Based Access Control (ReBAC): Using Graphs to Power your Authorization System</a></li> <li><a href="https://authzed.com/blog/pitfalls-of-jwt-authorization">Pitfalls of JWT Authorization</a></li> </ul></article><div class="mb-6 p-4 bg-rocks-100/70 rounded text-sm italic leading-relaxed">Originally published <!-- -->September 6, 2023</div></div><aside class="w-1/3 px-6 mb-6 text-rocks-1000 border-l sticky top-[80px] self-start ml-[1.25rem] max-h-[100-vh] overflow-y-auto"><div class="hidden laptop:block"><div class="text-body-sm font-bold mb-4">Table of Contents</div><div class="flex flex-col gap-2 max-w-[300px]"><div><div class="pl-[0.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800"><div>•</div><a href="#introduction">Introduction</a></div></div><div><div class="pl-[0.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800"><div>•</div><a href="#what-is-authz">What is AuthZ?</a></div></div><div><div class="pl-[0.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800"><div>•</div><a href="#why-authz-is-an-issue">Why AuthZ is an Issue</a></div></div><div><div class="pl-[0.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800"><div>•</div><a href="#googles-solution-to-authorization-google-zanzibar">Google’s Solution to Authorization: Google Zanzibar</a></div></div><div><div class="pl-[0.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800"><div>•</div><a href="#use-cases-driving-adoption-of-google-zanzibar">Use-Cases Driving Adoption of Google Zanzibar</a></div></div><div><div class="pl-[1.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800"><div>•</div><a href="#product-led-growth">Product-Led Growth</a></div></div><div><div class="pl-[1.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800"><div>•</div><a href="#breaking-into-the-enterprise">Breaking into the Enterprise</a></div></div><div><div class="pl-[0.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800"><div>•</div><a href="#what-to-expect-when-adopting-relationship-based-access-control-rebac">What to Expect When Adopting Relationship-Based Access Control (ReBAC)</a></div></div><div><div class="pl-[0.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800"><div>•</div><a href="#get-started">Get Started</a></div></div><div><div class="pl-[0.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800"><div>•</div><a href="#additional-reading">Additional Reading</a></div></div></div><div class="mt-8"><div class="text-md font-bold">Subscribe to Our Newsletter</div><div class="text-sm">Stay updated on new releases, features, and announcements.</div><div class="mt-2"><div id="blog-hs-form" class="[&_form]:flex [&_form]:flex-col [&_form]:gap-4 [&_.hs-submit]:text-right [&_.hs-button]:px-4 [&_.hs-button]:py-2 [&_.hs-button]:border [&_.hs-button]:border-suns-1000 [&_.hs-button]:bg-suns-1000 [&_.hs-button]:hover:bg-suns-1000/80 [&_.hs-button]:hover:cursor-pointer [&_.hs-button]:transition-all [&_.hs-button]:rounded-lg [&_.hs-button]:text-white [&_.hs-button]:font-medium [&_.input]:!m-0 [&_.hs-firstname_.input]:!mr-2 [&_.hs-input]:!w-full [&_.hs-input]:mt-1 [&_.hs-input]:p-2 [&_.hs-input]:text-rocks-700 [&_.hs-input]:bg-rocks-100 [&_.hs-input]:border [&_.hs-input]:border-rocks-300 [&_.hs-input]:rounded-lg [&_.hs-form-required]:ml-1 [&_.hs-error-msgs]:mt-1 [&_.hs-error-msg]:text-heat-600 [&_.hs-error-msg]:text-sm">...</div></div></div></div></aside></div><div class="w-[90%] content-default laptop:max-w-[1080px]"><div class="p-8 tablet:p-16 w-full flex flex-col gap-5 text-center text-white rounded-lg border border-[#C87CC9] bg-gradient-to-r from-[#AB58AA] to-[#E1769E]"><h3 class="font-new-hero text-2xl tablet:text-4xl font-semibold">Get started for free</h3><div class="text-md tablet:text-lg mb-4">Join 1000s of companies doing authorization the right way.</div><div class="flex justify-center self-center gap-4"><a href="https://app.authzed.com"><button class="inline-flex items-center justify-center transition-all duration-500 disabled:pointer-events-none disabled:opacity-50 focus:nonedata-[state=open]:bg-slate-100 border h-14 text-[1.0625rem] font-semibold px-4 py-3 tablet:px-8 tablet:py-5 text-rocks-500 hover:text-white bg-white hover:bg-suns-900 border-rocks-100 hover:border-suns-800 rounded-md" label="Try Free">Try Free</button></a><a href="/call"><button class="inline-flex items-center justify-center transition-all duration-500 disabled:pointer-events-none disabled:opacity-50 focus:nonedata-[state=open]:bg-slate-100 bg-transparent border h-14 text-[1.0625rem] font-semibold px-4 py-3 tablet:px-8 tablet:py-5 text-white hover:bg-suns-900 border-rocks-100 hover:border-suns-800 rounded-md" label="Book a Call">Book a Call</button></a></div></div></div></main><div class="w-full content-section bg-light"><section class="pt-7 pb-14 md:py-20 content-default"><div class="w-full pb-14 border-t border-rocks-100"></div><div class="self-center w-full"><div class="nav-links footer footer-light"><div class="group"><div class="group-title">Products</div><div><div class="group-header"><span>Managed Services</span></div><div><a href="/products/authzed-dedicated">AuthZed Dedicated</a></div><div><a href="/products/authzed-serverless">AuthZed Serverless</a></div><div class="group-header"><span>Self-Hosted</span></div><div><a href="/products/authzed-support">AuthZed Support</a></div><div><a href="/products/spicedb-enterprise">SpiceDB Enterprise</a></div><div class="group-header"><span>Open Source</span></div><div><a href="/spicedb">SpiceDB</a></div><div><a href="/products/spicedb-operator">SpiceDB Operator</a></div><div><a href="/products/spicedb-clients">SpiceDB Clients</a></div></div></div><div class="group"><div class="group-title">Resources</div><div><div class="group-header"><span>Learn</span></div><div><a href="https://play.authzed.com">Playground</a></div><div><a href="/docs">Docs</a></div><div><a href="/demo">Demo</a></div><div><a href="/customers">Customer Stories</a></div><div><a href="/blog/what-is-google-zanzibar">Learn More About Google Zanzibar</a></div><div class="group-header"><span>Support</span></div><div><a href="https://security.authzed.com">Security</a></div><div><a href="https://status.authzed.com/">Status Page</a></div><div><a href="/create-ticket">Submit a Ticket</a></div><div><a href="/call">Schedule a Call</a></div></div></div><div class="group"><div class="group-title">Company</div><div><div class="group-header"><span>Info</span></div><div><a href="/about">About Us</a></div><div><a href="/blog">Blog</a></div><div><a href="/contact-us">Contact</a></div><div><a href="https://www.workatastartup.com/companies/authzed">Join the Team</a></div><div class="group-header"><span>Legal</span></div><div><a href="/privacy-policy">Privacy Policy</a></div><div><a href="/terms-conditions">Terms & Conditions</a></div></div></div><div class="group"><div class="group-title">Community</div><div><div><a href="https://authzed.com/discord">Discord</a></div><div><a href="https://github.com/authzed">GitHub</a></div><div><a href="https://twitter.com/authzed">Twitter</a></div><div><a href="https://www.youtube.com/channel/UCFeSgZf0rPqQteiTQNGgTPg">YouTube</a></div><div><a href="https://www.linkedin.com/company/authzed/">LinkedIn</a></div></div></div></div></div><div class="my-12 px-6 flex flex-col tablet:flex-row gap-16 tablet:gap-0"><div class="justify-self-center"><a href="/"><img alt="AuthZed" loading="lazy" width="142" height="38.51" decoding="async" data-nimg="1" style="color:transparent" src="/authzed-logo-multi-dark.svg"/></a></div><div class="tablet:ml-auto flex gap-4"><img alt="Cloud Native Computing Foundation" loading="lazy" width="170" height="48" decoding="async" data-nimg="1" class="w-[170px] h-[48px] tablet:w-[170px] tablet:h-[48px]" style="color:transparent" src="/assets/logo-cncf-color.svg"/><img alt="SOC for Service Organizations" loading="lazy" width="170" height="168" decoding="async" data-nimg="1" class="w-[55px] h-[55px] tablet:w-[75px] tablet:h-[75px] self-end" style="color:transparent" src="/assets/SOC_NonCPA.svg"/></div></div></section></div></div></div><!--$--><!--/$--><!--$--><!--/$--><!--$--><!--/$--><!--$!--><template data-dgst="NEXT_DYNAMIC_NO_SSR_CODE"></template><!--/$--><div></div><script src="/_next/static/chunks/webpack-76ab6381491b6f7e.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/media/92f44bb82993d879-s.p.woff2\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n2:HL[\"/_next/static/media/a34f9d1faa5f3315-s.p.woff2\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n3:HL[\"/_next/static/css/b1f6f9dd7f6ae292.css\",\"style\"]\n0:\"$L4\"\n"])</script><script>self.__next_f.push([1,"5:HL[\"/_next/static/css/35351f010017696e.css\",\"style\"]\n6:HL[\"/_next/static/css/da72cc09e5cef6cf.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"7:I{\"id\":6054,\"chunks\":[\"2272:static/chunks/webpack-76ab6381491b6f7e.js\",\"2971:static/chunks/fd9d1056-35f33f7ae5fc529e.js\",\"7864:static/chunks/7864-3806b5b4c5d54493.js\"],\"name\":\"\",\"async\":false}\n9:I{\"id\":1729,\"chunks\":[\"2272:static/chunks/webpack-76ab6381491b6f7e.js\",\"2971:static/chunks/fd9d1056-35f33f7ae5fc529e.js\",\"7864:static/chunks/7864-3806b5b4c5d54493.js\"],\"name\":\"\",\"async\":false}\na:I{\"id\":8032,\"chunks\":[\"5878:static/chunks/9da6db1e-2c060865fcb6428d.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8"])</script><script>self.__next_f.push([1,"475:static/chunks/8475-73b121e7d1cde5b3.js\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"7967:static/chunks/7967-ff831c2c55ce81b3.js\",\"3185:static/chunks/app/layout-49140ae3683ce959.js\"],\"name\":\"PHProvider\",\"async\":false}\nb:\"$Sreact.suspense\"\nc:I{\"id\":3388,\"chunks\":[\"3676:static/chunks/870fdd6f-9c571350bc2478c3.js\",\"3958:static/chunks/69b09407-0b4f7c53994b856f.js\",\"4724:static/chunks/4724-69a117ad21aeeee7.js\",\"3718:static/chunks/3718-0050314636e810ad.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8475:s"])</script><script>self.__next_f.push([1,"tatic/chunks/8475-73b121e7d1cde5b3.js\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"1279:static/chunks/1279-23ffe5d7b074e3d8.js\",\"3959:static/chunks/app/(main)/blog/[slug]/page-d322d08932d0a0f0.js\"],\"name\":\"NoSSR\",\"async\":false}\nd:I{\"id\":9243,\"chunks\":[\"5878:static/chunks/9da6db1e-2c060865fcb6428d.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8475:static/chunks/8475-73b121e7d1cde5b3.js\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"7967:static/chunks/7967-ff831c2c55ce81b3.js\",\"3185:static/chunks/app/lay"])</script><script>self.__next_f.push([1,"out-49140ae3683ce959.js\"],\"name\":\"\",\"async\":false}\n"])</script><script>self.__next_f.push([1,"e:I{\"id\":3012,\"chunks\":[\"3676:static/chunks/870fdd6f-9c571350bc2478c3.js\",\"3958:static/chunks/69b09407-0b4f7c53994b856f.js\",\"6990:static/chunks/13b76428-98e8ebe465d89db3.js\",\"4724:static/chunks/4724-69a117ad21aeeee7.js\",\"3718:static/chunks/3718-0050314636e810ad.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8475:static/chunks/8475-73b121e7d1cde5b3.js\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"1279:static/chunks/1279-23ffe5d7b074e3d8.js\",\"7967:static/chunks/7967-ff831c2c55ce81b3.js\",\"5978:static/chunks/5978-044c34f5a716c8b6.js\",\"6377:static/chunks/6377-2505d413b8312f37.js\",\"9871:static/chunks/9871-24e0e967362f76fb.js\",\"3266:static/chunks/3266-c80e45b9d5385976.js\",\"5123:static/chunks/5123-e529ddc3b876db62.js\",\"1454:static/chunks/1454-f6b247387023aa28.js\",\"7744:static/chunks/7744-f908910e8437d6bc.js\",\"7974:static/chunks/app/(main)/page-cfcfdd7d130c8d8b.js\"],\"name\":\"SegmentProvider\",\"async\":false}\n"])</script><script>self.__next_f.push([1,"f:I{\"id\":1443,\"chunks\":[\"2272:static/chunks/webpack-76ab6381491b6f7e.js\",\"2971:static/chunks/fd9d1056-35f33f7ae5fc529e.js\",\"7864:static/chunks/7864-3806b5b4c5d54493.js\"],\"name\":\"\",\"async\":false}\n10:I{\"id\":8639,\"chunks\":[\"2272:static/chunks/webpack-76ab6381491b6f7e.js\",\"2971:static/chunks/fd9d1056-35f33f7ae5fc529e.js\",\"7864:static/chunks/7864-3806b5b4c5d54493.js\"],\"name\":\"\",\"async\":false}\n11:I{\"id\":4724,\"chunks\":[\"3676:static/chunks/870fdd6f-9c571350bc2478c3.js\",\"3958:static/chunks/69b09407-0b4f7c53994b856f."])</script><script>self.__next_f.push([1,"js\",\"4724:static/chunks/4724-69a117ad21aeeee7.js\",\"3718:static/chunks/3718-0050314636e810ad.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8475:static/chunks/8475-73b121e7d1cde5b3.js\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"1279:static/chunks/1279-23ffe5d7b074e3d8.js\",\"3959:static/chunks/app/(main)/blog/[slug]/page-d322d08932d0a0f0.js\"],\"name\":\"\",\"async\":false}\n12:I{\"id\":5827,\"chunks\":[\"3676:static/chunks/870fdd6f-9c571350bc2478c3.js\",\"3958:static/chunks/69b09407-0b4f7c53994b856f.js\",\"4724:static/c"])</script><script>self.__next_f.push([1,"hunks/4724-69a117ad21aeeee7.js\",\"3718:static/chunks/3718-0050314636e810ad.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8475:static/chunks/8475-73b121e7d1cde5b3.js\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"1279:static/chunks/1279-23ffe5d7b074e3d8.js\",\"4095:static/chunks/app/(main)/layout-c2a4bffd7f895ae6.js\"],\"name\":\"\",\"async\":false}\n13:I{\"id\":6987,\"chunks\":[\"3676:static/chunks/870fdd6f-9c571350bc2478c3.js\",\"3958:static/chunks/69b09407-0b4f7c53994b856f.js\",\"4724:static/chunks/4724-69a117ad21aeeee7."])</script><script>self.__next_f.push([1,"js\",\"3718:static/chunks/3718-0050314636e810ad.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8475:static/chunks/8475-73b121e7d1cde5b3.js\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"1279:static/chunks/1279-23ffe5d7b074e3d8.js\",\"4095:static/chunks/app/(main)/layout-c2a4bffd7f895ae6.js\"],\"name\":\"\",\"async\":false}\n"])</script><script>self.__next_f.push([1,"16:I{\"id\":3012,\"chunks\":[\"3676:static/chunks/870fdd6f-9c571350bc2478c3.js\",\"3958:static/chunks/69b09407-0b4f7c53994b856f.js\",\"6990:static/chunks/13b76428-98e8ebe465d89db3.js\",\"4724:static/chunks/4724-69a117ad21aeeee7.js\",\"3718:static/chunks/3718-0050314636e810ad.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8475:static/chunks/8475-73b121e7d1cde5b3.js\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"1279:static/chunks/1279-23ffe5d7b074e3d8.js\",\"7967:static/chunks/7967-ff831c2c55ce81b3.js\",\"5978:static/chunks/5978-044c34f5a716c8b6.js\",\"6377:static/chunks/6377-2505d413b8312f37.js\",\"9871:static/chunks/9871-24e0e967362f76fb.js\",\"3266:static/chunks/3266-c80e45b9d5385976.js\",\"5123:static/chunks/5123-e529ddc3b876db62.js\",\"1454:static/chunks/1454-f6b247387023aa28.js\",\"7744:static/chunks/7744-f908910e8437d6bc.js\",\"7974:static/chunks/app/(main)/page-cfcfdd7d130c8d8b.js\"],\"name\":\"SegmentPageView\",\"async\":false}\n"])</script><script>self.__next_f.push([1,"17:I{\"id\":4400,\"chunks\":[\"5878:static/chunks/9da6db1e-2c060865fcb6428d.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8475:static/chunks/8475-73b121e7d1cde5b3.js\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"7967:static/chunks/7967-ff831c2c55ce81b3.js\",\"3185:static/chunks/app/layout-49140ae3683ce959.js\"],\"name\":\"SpeedInsights\",\"async\":false}\n18:I{\"id\":5245,\"chunks\":[\"5878:static/chunks/9da6db1e-2c060865fcb6428d.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8475:static/chunks/8475-73b121e7d1cde5b3.j"])</script><script>self.__next_f.push([1,"s\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"7967:static/chunks/7967-ff831c2c55ce81b3.js\",\"3185:static/chunks/app/layout-49140ae3683ce959.js\"],\"name\":\"\",\"async\":false}\n19:I{\"id\":9034,\"chunks\":[\"5878:static/chunks/9da6db1e-2c060865fcb6428d.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8475:static/chunks/8475-73b121e7d1cde5b3.js\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"7967:static/chunks/7967-ff831c2c55ce81b3.js\",\"3185:static/chunks/app/layout-49140ae3683ce959.js\"],\"name\":\"\",\"async\":false}\n1a:I{\""])</script><script>self.__next_f.push([1,"id\":9414,\"chunks\":[\"5878:static/chunks/9da6db1e-2c060865fcb6428d.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8475:static/chunks/8475-73b121e7d1cde5b3.js\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"7967:static/chunks/7967-ff831c2c55ce81b3.js\",\"3185:static/chunks/app/layout-49140ae3683ce959.js\"],\"name\":\"\",\"async\":false}\n"])</script><script>self.__next_f.push([1,"4:[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/b1f6f9dd7f6ae292.css\",\"precedence\":\"next\"}]],[\"$\",\"$L7\",null,{\"buildId\":\"22QP9kwQ7iZcON3Jv6mYI\",\"assetPrefix\":\"\",\"initialCanonicalUrl\":\"/blog/authz-primer\",\"initialTree\":[\"\",{\"children\":[\"(main)\",{\"children\":[\"blog\",{\"children\":[[\"slug\",\"authz-primer\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]}]},\"$undefined\",\"$undefined\",true],\"initialHead\":[false,\"$L8\"],\"globalErrorComponent\":\"$9\",\"children\":[null,[\"$\",\"html\",null,{\"lang\":\"en\",\"className\":\"__variable_403957 __variable_f8bf1a\",\"children\":[[\"$\",\"head\",null,{\"children\":[[\"$\",\"link\",null,{\"rel\":\"icon\",\"type\":\"image/svg+xml\",\"href\":\"/favicon.svg\"}],[\"$\",\"link\",null,{\"rel\":\"icon\",\"type\":\"image/x-icon\",\"href\":\"/favicon.ico\"}],[\"$\",\"link\",null,{\"rel\":\"icon\",\"type\":\"image/png\",\"sizes\":\"32x32\",\"href\":\"/favicon-32x32.png\"}],[\"$\",\"link\",null,{\"rel\":\"icon\",\"type\":\"image/png\",\"sizes\":\"16x16\",\"href\":\"/favicon-16x16.png\"}],[\"$\",\"link\",null,{\"rel\":\"mask-icon\",\"href\":\"/safari-pinned-tab.svg\",\"type\":\"image/svg+xml\"}],[\"$\",\"link\",null,{\"rel\":\"preload\",\"href\":\"https://use.typekit.net/pjz2dde.css\",\"as\":\"style\"}],[\"$\",\"link\",null,{\"rel\":\"stylesheet\",\"href\":\"https://use.typekit.net/pjz2dde.css\"}],[\"$\",\"link\",null,{\"rel\":\"alternate\",\"type\":\"application/atom+xml\",\"title\":\"Atom Feed for authzed.com\",\"href\":\"/feed/atom\"}],[\"$\",\"link\",null,{\"rel\":\"alternate\",\"type\":\"application/rss+xml\",\"title\":\"RSS Feed for authzed.com\",\"href\":\"/feed/rss\"}],[\"$\",\"script\",null,{\"defer\":true,\"data-domain\":\"authzed.com\",\"src\":\"/js/script.js\",\"data-api\":\"/api/event\"}]]}],[\"$\",\"body\",null,{\"className\":\"bg-dark text-white overflow-x-hidden\",\"children\":[[[\"$\",\"style\",null,{\"children\":\"\\n div[data-consent-manager-dialog] button[type=submit] {\\n color: #fff;\\n background-color: rgb(133, 74, 170);\\n background-image: none;\\n }\\n \"}],[\"$\",\"div\",null,{\"id\":\"consent-manager\",\"className\":\"fixed left-6 bottom-6 mr-6 z-[2147483647] shadow-lg [\u0026\u003ediv]:rounded-lg [\u0026\u003ediv]:p-4 [\u0026\u003ediv]:pr-10 [\u0026\u003ediv]:bg-suns-1000\"}]],[\"$\",\"$La\",null,{\"children\":[[\"$\",\"$b\",null,{\"fallback\":null,\"children\":[\"$\",\"$Lc\",null,{\"children\":[\"$\",\"$Ld\",null,{}]}]}],[\"$\",\"$Le\",null,{\"children\":[[\"$\",\"$Lf\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"loading\":\"$undefined\",\"loadingStyles\":\"$undefined\",\"hasLoading\":false,\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"template\":[\"$\",\"$L10\",null,{}],\"templateStyles\":\"$undefined\",\"notFound\":[[\"$\",\"title\",null,{\"children\":\"404: This page could not be found.\"}],[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"padding\":\"0 23px 0 0\",\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\",\"lineHeight\":\"49px\"},\"children\":\"404\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"49px\",\"margin\":0},\"children\":\"This page could not be found.\"}]}]]}]}]],\"notFoundStyles\":[],\"childProp\":{\"current\":[null,[\"$\",\"div\",null,{\"className\":\"bg-dark text-white\",\"children\":[[\"$\",\"div\",null,{\"className\":\"flex announcement-bar relative flex-wrap justify-between gap-y-2.5 py-3 px-5 z-50 text-[.8125rem] text-white bg-rocks-700/85 opacity-100 border-rocks-500 border-b-2\",\"children\":[[\"$\",\"div\",null,{\"className\":\"announcment grid grid-flow-col auto-cols-2 tablet:flex tablet:flex-wrap gap-2 justify-items-start items-center\",\"children\":[[\"$\",\"div\",null,{\"className\":\"flex flex-initial\",\"dangerouslySetInnerHTML\":{\"__html\":\"\u003cp\u003eHow authorization fits into the architecture of secure AI RAG stacks: AuthZed CEO Jacob Moshenko interviewed at theCube + NYSE Media Day\u003c/p\u003e\"}}],[\"$\",\"$L11\",null,{\"href\":\"https://www.youtube.com/watch?v=9Giynn1odZo\",\"children\":[\"$\",\"button\",null,{\"className\":\"inline-flex items-center justify-center disabled:pointer-events-none disabled:opacity-50 focus:nonedata-[state=open]:bg-slate-100 bg-gradient-to-b from-[#FF5C61] to-[#9C3774] rounded-full border border-[#AC5184] transition-transform duration-100 hover:scale-[1.03] h-5 content-center text-[.75rem] font-medium px-3 py-2.5\",\"label\":\"Watch\",\"icon\":\"play\",\"children\":[\"$undefined\",\"Watch\",[\"$\",\"svg\",null,{\"aria-hidden\":\"true\",\"focusable\":\"false\",\"data-prefix\":\"fas\",\"data-icon\":\"play\",\"className\":\"svg-inline--fa fa-play bg-transparent h-[0.625rem] w-[0.625rem] ml-2\",\"role\":\"img\",\"xmlns\":\"http://www.w3.org/2000/svg\",\"viewBox\":\"0 0 384 512\",\"style\":{},\"children\":[\"$\",\"path\",null,{\"fill\":\"currentColor\",\"d\":\"M73 39c-14.8-9.1-33.4-9.4-48.5-.9S0 62.6 0 80V432c0 17.4 9.4 33.4 24.5 41.9s33.7 8.1 48.5-.9L361 297c14.3-8.7 23-24.2 23-41s-8.7-32.2-23-41L73 39z\",\"style\":{}}]}]]}]}]]}],[\"$\",\"div\",null,{\"className\":\"hidden laptop:flex gh-container flex-wrap flex-initial self-end gap-y-2.5\",\"children\":[[\"$\",\"span\",null,{\"children\":[\"$\",\"a\",null,{\"href\":\"https://github.com/authzed/spicedb\",\"className\":\"text-current no-underline\",\"children\":\"SpiceDB, Open Source Google Zanzibar FGA \"}]}],[\"$\",\"$L11\",null,{\"href\":\"https://github.com/authzed/spicedb\",\"children\":[\"$\",\"$L12\",null,{\"size\":\"xs\",\"starCount\":5165}]}]]}]]}],[\"$\",\"$L13\",null,{}],[\"$\",\"div\",null,{\"children\":[\"$\",\"$Lf\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"(main)\",\"children\"],\"loading\":\"$undefined\",\"loadingStyles\":\"$undefined\",\"hasLoading\":false,\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"template\":[\"$\",\"$L10\",null,{}],\"templateStyles\":\"$undefined\",\"notFound\":[[\"$\",\"title\",null,{\"children\":\"404: This page could not be found.\"}],[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"padding\":\"0 23px 0 0\",\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\",\"lineHeight\":\"49px\"},\"children\":\"404\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"49px\",\"margin\":0},\"children\":\"This page could not be found.\"}]}]]}]}]],\"notFoundStyles\":[],\"childProp\":{\"current\":[\"$\",\"$Lf\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"(main)\",\"children\",\"blog\",\"children\"],\"loading\":\"$undefined\",\"loadingStyles\":\"$undefined\",\"hasLoading\":false,\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"template\":[\"$\",\"$L10\",null,{}],\"templateStyles\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\",\"childProp\":{\"current\":[\"$\",\"$Lf\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"(main)\",\"children\",\"blog\",\"children\",[\"slug\",\"authz-primer\",\"d\"],\"children\"],\"loading\":\"$undefined\",\"loadingStyles\":\"$undefined\",\"hasLoading\":false,\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"template\":[\"$\",\"$L10\",null,{}],\"templateStyles\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\",\"childProp\":{\"current\":[\"$L14\",\"$L15\",null],\"segment\":\"__PAGE__\"},\"styles\":[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/da72cc09e5cef6cf.css\",\"precedence\":\"next\"}]]}],\"segment\":[\"slug\",\"authz-primer\",\"d\"]},\"styles\":[]}],\"segment\":\"blog\"},\"styles\":[]}]}]]}],null],\"segment\":\"(main)\"},\"styles\":[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/35351f010017696e.css\",\"precedence\":\"next\"}]]}],[\"$\",\"$b\",null,{\"fallback\":\"$undefined\",\"children\":[\"$\",\"$L16\",null,{\"properties\":\"$undefined\"}]}]]}]]}],[\"$\",\"$L17\",null,{\"sampleRate\":0.8}],[\"$\",\"$L18\",null,{}],[\"$\",\"$b\",null,{\"fallback\":null,\"children\":[\"$\",\"$Lc\",null,{\"children\":[\"$\",\"$L19\",null,{}]}]}],[\"$\",\"$L1a\",null,{}]]}]]}],null]}]]\n"])</script><script>self.__next_f.push([1,"1b:I{\"id\":4244,\"chunks\":[\"3676:static/chunks/870fdd6f-9c571350bc2478c3.js\",\"3958:static/chunks/69b09407-0b4f7c53994b856f.js\",\"4724:static/chunks/4724-69a117ad21aeeee7.js\",\"3718:static/chunks/3718-0050314636e810ad.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8475:static/chunks/8475-73b121e7d1cde5b3.js\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"1279:static/chunks/1279-23ffe5d7b074e3d8.js\",\"3959:static/chunks/app/(main)/blog/[slug]/page-d322d08932d0a0f0.js\"],\"name\":\"\",\"async\":false}\n1c:I{\"id\":2602,\"ch"])</script><script>self.__next_f.push([1,"unks\":[\"3676:static/chunks/870fdd6f-9c571350bc2478c3.js\",\"3958:static/chunks/69b09407-0b4f7c53994b856f.js\",\"4724:static/chunks/4724-69a117ad21aeeee7.js\",\"3718:static/chunks/3718-0050314636e810ad.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8475:static/chunks/8475-73b121e7d1cde5b3.js\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"1279:static/chunks/1279-23ffe5d7b074e3d8.js\",\"3959:static/chunks/app/(main)/blog/[slug]/page-d322d08932d0a0f0.js\"],\"name\":\"\",\"async\":false}\n1d:I{\"id\":6964,\"chunks\":[\"3676:stati"])</script><script>self.__next_f.push([1,"c/chunks/870fdd6f-9c571350bc2478c3.js\",\"3958:static/chunks/69b09407-0b4f7c53994b856f.js\",\"4724:static/chunks/4724-69a117ad21aeeee7.js\",\"3718:static/chunks/3718-0050314636e810ad.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8475:static/chunks/8475-73b121e7d1cde5b3.js\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"1279:static/chunks/1279-23ffe5d7b074e3d8.js\",\"3959:static/chunks/app/(main)/blog/[slug]/page-d322d08932d0a0f0.js\"],\"name\":\"Image\",\"async\":false}\n1f:I{\"id\":6900,\"chunks\":[\"3676:static/chunks/870f"])</script><script>self.__next_f.push([1,"dd6f-9c571350bc2478c3.js\",\"3958:static/chunks/69b09407-0b4f7c53994b856f.js\",\"4724:static/chunks/4724-69a117ad21aeeee7.js\",\"3718:static/chunks/3718-0050314636e810ad.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8475:static/chunks/8475-73b121e7d1cde5b3.js\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"1279:static/chunks/1279-23ffe5d7b074e3d8.js\",\"3959:static/chunks/app/(main)/blog/[slug]/page-d322d08932d0a0f0.js\"],\"name\":\"NewsletterSignUp\",\"async\":false}\n20:I{\"id\":2065,\"chunks\":[\"3676:static/chunks/870fdd"])</script><script>self.__next_f.push([1,"6f-9c571350bc2478c3.js\",\"3958:static/chunks/69b09407-0b4f7c53994b856f.js\",\"4724:static/chunks/4724-69a117ad21aeeee7.js\",\"3718:static/chunks/3718-0050314636e810ad.js\",\"9733:static/chunks/9733-e2429ec2121e38e9.js\",\"8475:static/chunks/8475-73b121e7d1cde5b3.js\",\"902:static/chunks/902-109f5995e466cf6c.js\",\"1279:static/chunks/1279-23ffe5d7b074e3d8.js\",\"3959:static/chunks/app/(main)/blog/[slug]/page-d322d08932d0a0f0.js\"],\"name\":\"CtaBoxWide\",\"async\":false}\n1e:T3238,"])</script><script>self.__next_f.push([1,"\u003ch2 id=\"user-content-introduction\"\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h2\u003e\n\u003cp\u003eA business operating complex software environments needs to provide end-user experiences that enable and delight users, but never at the cost of a poor security stance. In 2022, a lapse in security fetched \u003ca href=\"https://www.ibm.com/reports/data-breach\"\u003eon average 9.44M for a data breach in the US, and $4.35M globally according to IBM\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eThis post aims to help companies with their authorization decisions and systems and share what we see in the market through conversations with companies looking to solve their authorization challenges, specifically authorization that impacts end-user interaction with their products. I’ll cover how authorization became an issue for most companies, the different approaches, an introduction to Google Zanzibar–the solution the market is converging on, the prominent use cases driving businesses to adopt this new approach, and what you can expect when moving to a relationship-based access control system (ReBAC).\u003c/p\u003e\n\u003ch2 id=\"user-content-what-is-authz\"\u003e\u003cstrong\u003eWhat is AuthZ?\u003c/strong\u003e\u003c/h2\u003e\n\u003cp\u003eBecause the Internet is, by definition, a networked system that connects users, most Internet-facing software is designed with a multi-user experience in mind. These environments require constructs to facilitate a natural experience that protects users’ data: \u003cstrong\u003eauthentication\u003c/strong\u003e, commonly referred to as authN, is the key that verifies an application-specific identity, typically called a user, and \u003cstrong\u003eauthorization\u003c/strong\u003e, commonly referred to as authZ, dictates what doors that key can open for a user.\u003c/p\u003e\n\u003cp\u003eAuthZ plays a pivotal role in software security by ensuring that users have the appropriate level of access to different resources and functionalities within a system. At its core, authZ involves granting or denying access rights to specific resources or actions based on the identity and privileges of the user. It is crucial in preventing unauthorized access and verifying that only authorized users can perform specific actions within a system. It serves as a gatekeeper that protects sensitive data and functionalities. By implementing robust authorization mechanisms, developers can control the level of access granted to different users or roles, thereby safeguarding the system from potential security breaches.\u003c/p\u003e\n\u003cp\u003eCollectively in the context of a product’s end users, authN and authZ are called Customer Identity and Access Management (CIAM). Authorization is such a foundational part of the digital experience that its underlying design principles have become \u003ca href=\"https://99percentinvisible.org/about/the-show/\"\u003e99% invisible\u003c/a\u003e, even to developers, leading to fundamental challenges as a business scales.\u003c/p\u003e\n\u003ch2 id=\"user-content-why-authz-is-an-issue\"\u003e\u003cstrong\u003eWhy AuthZ is an Issue\u003c/strong\u003e\u003c/h2\u003e\n\u003cp\u003eA company typically starts by aggregating all user requests into a single piece of software that tightly couples application logic with authZ. As the company’s product gains traction and its user base grows, the focus shifts to distributing the software and scaling infrastructure components, often ignoring a much-needed change to the authorization system. This further embeds an authorization construct not meant to handle a growing number of requirements.\u003c/p\u003e\n\u003cp\u003eFrom the business perspective, the two key limitations of a legacy authorization system are:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePermissions are inflexible\u003c/strong\u003e: There isn’t a way to easily add additional constructs like \u003ca href=\"https://authzed.com/blog/user-defined-roles\"\u003euser-defined roles\u003c/a\u003e, recursive relationships, \u003ca href=\"https://authzed.com/blog/abac-on-spicedb-enabling-netflix-complex-identity-types\"\u003eattribute-based access control (ABAC)\u003c/a\u003e, or \u003ca href=\"https://authzed.com/blog/fine-grained-access-control\"\u003efine-grained authorization (FGA)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSiloed permissions:\u003c/strong\u003e as a company grows, it scales revenue by offering additional products; application teams then build bespoke authorization implementations that are hard to reason about and don’t consider a holistic user experience, especially at large scale.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eGoogle set out to fix this problem, along with several “\u003ca href=\"https://zanzibar.tech/2AT-rbOOg7:R:1h\"\u003eunique challenges involving data consistency and scalability\u003c/a\u003e.”\u003c/p\u003e\n\u003ch2 id=\"user-content-googles-solution-to-authorization-google-zanzibar\"\u003e\u003cstrong\u003eGoogle’s Solution to Authorization: Google Zanzibar\u003c/strong\u003e\u003c/h2\u003e\n\u003cp\u003eThe confluence of business requirements driving the adoption of \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf\"\u003ezero-trust architectures\u003c/a\u003e and \u003ca href=\"https://qonsent.com/static/pdf/qonsent-consumer-insights-june2022.pdf\"\u003e94% of consumers wanting more control of their data\u003c/a\u003e in near real-time galvanized the search for a modern authorization system. Google’s response was a modern approach that can scale with your business and maintain strict security requirements, now known as \u003ca href=\"https://authzed.com/blog/what-is-google-zanzibar\"\u003eGoogle Zanzibar\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eAmong the requirements set forth by the Google Zanzibar team is “\u003ca href=\"https://zanzibar.tech/2MUghfOn_Y:A:1n\"\u003esupport for a rich set of access control policies as required by both consumer and enterprise applications\u003c/a\u003e” and “[establish consistent semantics and user [developer] experience across applications](\u003ca href=\"https://zanzibar.tech/2I7pd_DGm2:2C.49Q9UoJW_:J).%E2%80%9D\"\u003ehttps://zanzibar.tech/2I7pd_DGm2:2C.49Q9UoJW_:J).”\u003c/a\u003e Zanzibar powers authorization across hundreds of Google Products, including Google Calendar, Cloud, Drive, Maps, Photos, and YouTube. Notably, it unlocks unique experiences like \u003ca href=\"https://zanzibar.tech/2Ry8nS2U5I:0:1t\"\u003ecross-product authorization checks,\u003c/a\u003e e.g., Slack’s Gmail extension can check if a recipient has access to a Google Doc, unlocking growth through reduced friction points while maintaining user privacy.\u003c/p\u003e\n\u003cp\u003eGoogle Zanzibar is a relationship-based access control system (ReBAC), meaning that permissions are derived from the existence of a relationship between digital objects and users. This has positive performance implications, especially for recursive permissions, but, importantly, it’s a natural extension of sharing in the real world, which makes it intuitive for most developers.\u003c/p\u003e\n\u003ch2 id=\"user-content-use-cases-driving-adoption-of-google-zanzibar\"\u003eUse-Cases Driving Adoption of Google Zanzibar\u003c/h2\u003e\n\u003ch3 id=\"user-content-product-led-growth\"\u003e\u003cstrong\u003eProduct-Led Growth\u003c/strong\u003e\u003c/h3\u003e\n\u003cp\u003eTo share something is a user choice and subsequent action. Companies we’re speaking with have learned that facilitating frictionless sharing can help onboard additional users to their platforms. For instance, a hiring platform we’re working with implements fine-grained authorization (FGA) so enterprise recruiters are comfortable exposing permissions to hiring managers related to the positions the managers are looking to fill. Hiring managers, in turn, can proactively engage with candidates and increase activity on the platform.\u003c/p\u003e\n\u003cp\u003eAnother example is adding capabilities that foster more in-app experiences. For instance, a sharing economy company is boosting engagement with its platform by bringing resource management for users into their native applications instead of relying on third-party applications. Most companies we speak with share similar product-led growth initiatives built atop robust authorization.\u003c/p\u003e\n\u003ch3 id=\"user-content-breaking-into-the-enterprise\"\u003e\u003cstrong\u003eBreaking into the Enterprise\u003c/strong\u003e\u003c/h3\u003e\n\u003cp\u003eEnhancing security and compliance is a key requirement for B2B companies looking to scale revenue within an enterprise market segment, and OWASP’s 2021 report cites \u003ca href=\"https://owasp.org/Top10/A01_2021-Broken_Access_Control/\"\u003ebroken access control\u003c/a\u003e as a top security concern. One of the main risks is “exposure of sensitive information to an unauthorized actor,” which is a core tenet of the Google Zanzibar paper; the system \"\u003ca href=\"https://zanzibar.tech/22_E1zFxjc:0.4BawKBUjM:1K\"\u003emust ensure consistency of access control decisions to respect user intentions.\u003c/a\u003e”\u003c/p\u003e\n\u003cp\u003eEnterprise users also require increased flexibility; these manifest as the following requirements for product teams:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eFine-grained authorization (FGA):\u003c/strong\u003e the ability to control resources down to a granular level, e.g., a page in a document, though there is a balance, see \u003ca href=\"https://authzed.com/blog/fine-grained-access-control\"\u003eFine-Grained Access Control: Can You Go Too Fine?\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUser-defined Roles and Permissions:\u003c/strong\u003e beyond a typical application-defined Role-Based Access Control (RBAC) system, product teams need to allow end-user admins to create roles and associated permissions for delegating to internal teams.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRecursive relationships:\u003c/strong\u003e at a certain scale, teams start owning teams. This is challenging for a traditional authorization system dealing with permissions stored in a relational database alongside application data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttributes-Based Access Control (ABAC):\u003c/strong\u003e support for dynamic time-bound or otherwise caveated access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"user-content-what-to-expect-when-adopting-relationship-based-access-control-rebac\"\u003e\u003cstrong\u003eWhat to Expect When Adopting Relationship-Based Access Control (ReBAC)\u003c/strong\u003e\u003c/h2\u003e\n\u003cp\u003eA crucial part of ReBAC systems like Google Zanzibar and our own \u003ca href=\"https://authzed.com/products/spicedb\"\u003eZanzibar-inspired authorization system, SpiceDB,\u003c/a\u003e is storing permissions data in a separate database; product-specific data (e.g. content of a social media post) is stored in the application database, while the data that drives who can edit that data live in the permissions database. If you have an existing authorization flow, you’ll have to translate that data into permissions data.\u003c/p\u003e\n\u003cp\u003eModeling data is probably the most fun and intuitive part. SpiceDB, like other solutions, has a domain-specific language (DSL) called the \u003ca href=\"https://authzed.com/docs/reference/schema-lang\"\u003eSpiceDB Schema Language\u003c/a\u003e for defining the objects you want to create an authorization system for. The permissions schema defines the objects, e.g., users and documents, how they relate to each other, and the permissions those relationships define.\u003c/p\u003e\n\u003cp\u003eSince you’re writing permissions data, integration is a big part of the journey. A ReBAC authorization system is delivered over a gRPC or HTTP API; SpiceDB has libraries available in multiple languages to help developers get up to speed quickly. You’ll want to make sure whatever solution you choose delivers a solid developer experience.\u003c/p\u003e\n\u003cp\u003eGoogle Zanzibar doesn’t mention policy, but we’ve learned through our collaboration building \u003ca href=\"https://authzed.com/blog/abac-on-spicedb-enabling-netflix-complex-identity-types\"\u003eAttribute-Based Access Control (ABAC) for Netflix\u003c/a\u003e that pairing policy with ReBAC is a powerful paradigm. An example of this capability is SpiceDB Caveats: \u003ca href=\"https://authzed.com/blog/caveats\"\u003eCaveats: A Scalable Solution for Policy\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eA common practice is to organize a core team of developers tasked with architecting and executing an overhaul to your authorization system. The effort must be cross-functional; you’ll want platform engineers, application engineers, and product managers to work together to ensure smooth adoption.\u003c/p\u003e\n\u003ch2 id=\"user-content-get-started\"\u003eGet Started\u003c/h2\u003e\n\u003cp\u003eGiven how popular Google's approach to authorization has become, there are a number of new companies and projects looking to provide Zanzibar-aaS. At AuthZed, we've created a faithful open-source implementation of Google Zanzibar called \u003ca href=\"https://github.com/authzed/spicedb\"\u003eSpiceDB\u003c/a\u003e, and offer managed commercial offerings that make it easy to get into production. Join the community on \u003ca href=\"https://authzed.com/discord\"\u003eDiscord\u003c/a\u003e or \u003ca href=\"https://authzed.com/call\"\u003eschedule a call\u003c/a\u003e to learn more!\u003c/p\u003e\n\u003ch2 id=\"user-content-additional-reading\"\u003eAdditional Reading\u003c/h2\u003e\n\u003cp\u003eIf you’re interested in learning more about Authorization and Google Zanzibar, we recommend reading the following posts:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://authzed.com/blog/what-is-google-zanzibar\"\u003eUnderstanding Google Zanzibar: A Comprehensive Overview\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://authzed.com/blog/fine-grained-access-control\"\u003eFine-Grained Access Control: Can You Go Too Fine?\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://authzed.com/blog/exploring-rebac\"\u003eRelationship Based Access Control (ReBAC): Using Graphs to Power your Authorization System\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://authzed.com/blog/pitfalls-of-jwt-authorization\"\u003ePitfalls of JWT Authorization\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"15:[[\"$\",\"$L1b\",null,{\"src\":\"https://cdn.jsdelivr.net/npm/lite-youtube-embed@0.2.0/src/lite-yt-embed.min.js\",\"strategy\":\"lazyOnload\"}],[\"$\",\"$L1c\",null,{}],[\"$\",\"main\",null,{\"className\":\"w-full bg-light relative z-50 text-rocks-1000\",\"children\":[[\"$\",\"div\",null,{\"className\":\"relative flex place-content-center w-full overflow-hidden bg-cover bg-center\",\"children\":[[\"$\",\"div\",null,{\"className\":\"z-10 bg-slate-900/70 h-full w-full flex place-content-center\",\"children\":[\"$\",\"div\",null,{\"className\":\"relative z-10 py-8 laptop:py-16 flex flex-col gap-6 w-[90%] laptop:max-w-[1080px]\",\"children\":[[\"$\",\"div\",null,{\"className\":\"hidden laptop:flex items-center flex-wrap gap-1 tablet:gap-2\",\"children\":[[\"$\",\"$L11\",\"zanzibar\",{\"href\":\"/blog/tags/zanzibar\",\"className\":\"flex no-underline mt-0\",\"children\":[\"$\",\"span\",null,{\"className\":\"tag tag-lg hover:text-light\",\"children\":\"Zanzibar\"}]}],[\"$\",\"$L11\",\"product\",{\"href\":\"/blog/tags/product\",\"className\":\"flex no-underline mt-0\",\"children\":[\"$\",\"span\",null,{\"className\":\"tag tag-lg hover:text-light\",\"children\":\"Product\"}]}]]}],[\"$\",\"div\",null,{\"children\":[\"$\",\"h1\",null,{\"className\":\"mb-0 text-3xl tablet:text-5xl text-white\",\"children\":\"Authorization (AuthZ): Quick Start Guide for Enterprise Permissions\"}]}],[\"$\",\"div\",null,{\"className\":\"flex items-center flex-wrap gap-6 tablet:gap-0\",\"children\":[\"$\",\"div\",null,{\"className\":\"flex items-center gap-3\",\"children\":[[\"$\",\"div\",null,{\"className\":\"flex\",\"children\":[[\"$\",\"div\",\"/images/damian_in_da_house.jpeg\",{\"className\":\"relative inline-block h-[52px] w-[52px]\",\"style\":{\"zIndex\":10},\"children\":[\"$\",\"$L1d\",null,{\"src\":\"/images/damian_in_da_house.jpeg\",\"className\":\"object-fill rounded-full border-2 border-white\",\"alt\":\"/images/damian_in_da_house.jpeg\",\"fill\":true,\"sizes\":\"100vw\"}]}]]}],[\"$\",\"div\",null,{\"className\":\"flex flex-col gap-1\",\"children\":[[\"$\",\"div\",null,{\"className\":\"text-light\",\"children\":[\"$\",\"$L11\",null,{\"className\":\"font-medium hover:text-suns-800 transition-colors duration-150 ease-in-out\",\"href\":\"https://linkedin.com/in/dsieczko\",\"children\":\"Damian Sieczkowski\"}]}],[\"$\",\"div\",null,{\"className\":\"flex text-light gap-2 font-regular text-sm\",\"children\":[[\"$\",\"span\",null,{\"children\":\"Updated November 18, 2024\"}],[\"$\",\"span\",null,{\"children\":\"|\"}],[\"$\",\"span\",null,{\"children\":\"8 min read\"}]]}]]}]]}]}]]}]}],[\"$\",\"$L1d\",null,{\"src\":\"/images/blogs/blog-featured-image.png\",\"className\":\"z-0 absolute\",\"fill\":true,\"sizes\":\"100vw\",\"style\":{\"objectFit\":\"cover\"},\"alt\":\"\",\"priority\":true,\"placeholder\":\"blur\",\"blurDataURL\":\"data:image/gif;base64,R0lGODlhAQABAPAAAIVKqv///yH5BAAAAAAALAAAAAABAAEAAAICRAEAOw==\"}]]}],[\"$\",\"div\",null,{\"className\":\"w-[90%] pt-8 content-default text-rocks-500 flex flex-col laptop:max-w-[1080px] laptop:pt-16 laptop:flex-row\",\"children\":[[\"$\",\"div\",null,{\"className\":\"w-full mb-24 prose tablet:prose-tablet max-w-none leading-[2rem] laptop:w-2/3 laptop:pr-20\",\"children\":[[\"$\",\"article\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"$1e\"}}],[\"$\",\"div\",null,{\"className\":\"mb-6 p-4 bg-rocks-100/70 rounded text-sm italic leading-relaxed\",\"children\":[\"Originally published \",\"September 6, 2023\",\"\"]}]]}],[\"$\",\"aside\",null,{\"className\":\"w-1/3 px-6 mb-6 text-rocks-1000 border-l sticky top-[80px] self-start ml-[1.25rem] max-h-[100-vh] overflow-y-auto\",\"children\":[\"$\",\"div\",null,{\"className\":\"hidden laptop:block\",\"children\":[[[\"$\",\"div\",null,{\"className\":\"text-body-sm font-bold mb-4\",\"children\":\"Table of Contents\"}],[\"$\",\"div\",null,{\"className\":\"flex flex-col gap-2 max-w-[300px]\",\"children\":[[\"$\",\"div\",\"Introduction\",{\"children\":[\"$\",\"div\",null,{\"className\":\"pl-[0.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800\",\"children\":[[\"$\",\"div\",null,{\"children\":\"•\"}],[\"$\",\"a\",null,{\"href\":\"#introduction\",\"children\":\"Introduction\"}]]}]}],[\"$\",\"div\",\"What is AuthZ?\",{\"children\":[\"$\",\"div\",null,{\"className\":\"pl-[0.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800\",\"children\":[[\"$\",\"div\",null,{\"children\":\"•\"}],[\"$\",\"a\",null,{\"href\":\"#what-is-authz\",\"children\":\"What is AuthZ?\"}]]}]}],[\"$\",\"div\",\"Why AuthZ is an Issue\",{\"children\":[\"$\",\"div\",null,{\"className\":\"pl-[0.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800\",\"children\":[[\"$\",\"div\",null,{\"children\":\"•\"}],[\"$\",\"a\",null,{\"href\":\"#why-authz-is-an-issue\",\"children\":\"Why AuthZ is an Issue\"}]]}]}],[\"$\",\"div\",\"Google’s Solution to Authorization: Google Zanzibar\",{\"children\":[\"$\",\"div\",null,{\"className\":\"pl-[0.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800\",\"children\":[[\"$\",\"div\",null,{\"children\":\"•\"}],[\"$\",\"a\",null,{\"href\":\"#googles-solution-to-authorization-google-zanzibar\",\"children\":\"Google’s Solution to Authorization: Google Zanzibar\"}]]}]}],[\"$\",\"div\",\"Use-Cases Driving Adoption of Google Zanzibar\",{\"children\":[\"$\",\"div\",null,{\"className\":\"pl-[0.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800\",\"children\":[[\"$\",\"div\",null,{\"children\":\"•\"}],[\"$\",\"a\",null,{\"href\":\"#use-cases-driving-adoption-of-google-zanzibar\",\"children\":\"Use-Cases Driving Adoption of Google Zanzibar\"}]]}]}],[\"$\",\"div\",\"Product-Led Growth\",{\"children\":[\"$\",\"div\",null,{\"className\":\"pl-[1.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800\",\"children\":[[\"$\",\"div\",null,{\"children\":\"•\"}],[\"$\",\"a\",null,{\"href\":\"#product-led-growth\",\"children\":\"Product-Led Growth\"}]]}]}],[\"$\",\"div\",\"Breaking into the Enterprise\",{\"children\":[\"$\",\"div\",null,{\"className\":\"pl-[1.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800\",\"children\":[[\"$\",\"div\",null,{\"children\":\"•\"}],[\"$\",\"a\",null,{\"href\":\"#breaking-into-the-enterprise\",\"children\":\"Breaking into the Enterprise\"}]]}]}],[\"$\",\"div\",\"What to Expect When Adopting Relationship-Based Access Control (ReBAC)\",{\"children\":[\"$\",\"div\",null,{\"className\":\"pl-[0.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800\",\"children\":[[\"$\",\"div\",null,{\"children\":\"•\"}],[\"$\",\"a\",null,{\"href\":\"#what-to-expect-when-adopting-relationship-based-access-control-rebac\",\"children\":\"What to Expect When Adopting Relationship-Based Access Control (ReBAC)\"}]]}]}],[\"$\",\"div\",\"Get Started\",{\"children\":[\"$\",\"div\",null,{\"className\":\"pl-[0.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800\",\"children\":[[\"$\",\"div\",null,{\"children\":\"•\"}],[\"$\",\"a\",null,{\"href\":\"#get-started\",\"children\":\"Get Started\"}]]}]}],[\"$\",\"div\",\"Additional Reading\",{\"children\":[\"$\",\"div\",null,{\"className\":\"pl-[0.5rem] text-xs text-rocks-1000 flex gap-2 content-start items-start leading-[1.3125rem] transition-color duration-100 hover:text-suns-800\",\"children\":[[\"$\",\"div\",null,{\"children\":\"•\"}],[\"$\",\"a\",null,{\"href\":\"#additional-reading\",\"children\":\"Additional Reading\"}]]}]}]]}]],[\"$\",\"div\",null,{\"className\":\"mt-8\",\"children\":[[\"$\",\"div\",null,{\"className\":\"text-md font-bold\",\"children\":\"Subscribe to Our Newsletter\"}],[\"$\",\"div\",null,{\"className\":\"text-sm\",\"children\":\"Stay updated on new releases, features, and announcements.\"}],[\"$\",\"div\",null,{\"className\":\"mt-2\",\"children\":[\"$\",\"$L1f\",null,{\"id\":\"blog-hs-form\"}]}]]}]]}]}]]}],[\"$\",\"div\",null,{\"className\":\"w-[90%] content-default laptop:max-w-[1080px]\",\"children\":[\"$\",\"$L20\",null,{\"title\":\"Get started for free\",\"subtitle\":\"Join 1000s of companies doing authorization the right way.\",\"buttonLabel\":\"Try Free\",\"href\":\"https://app.authzed.com\",\"buttonLabelSecondary\":\"Book a Call\",\"hrefSecondary\":\"/call\",\"clickEventName\":\"CTA Clicked\",\"clickEventProperties\":{\"az_cta_id\":\"blog_post_primary\",\"az_component\":\"CtaBoxWide\",\"az_content\":\"Try Free\"},\"clickEventNameSecondary\":\"CTA Clicked\",\"clickEventPropertiesSecondary\":{\"az_cta_id\":\"blog_post_secondary\",\"az_component\":\"CtaBoxWide\",\"az_content\":\"Book a Call\"}}]}],[\"$\",\"$L1b\",null,{\"type\":\"application/ld+json\",\"id\":\"structured-data\",\"strategy\":\"afterInteractive\",\"children\":\"{\\n \\\"@context\\\": \\\"https://schema.org\\\",\\n \\\"@type\\\": \\\"BlogPosting\\\",\\n \\\"headline\\\": \\\"Authorization (AuthZ): Quick Start Guide for Enterprise Permissions | AuthZed.com\\\",\\n \\\"name\\\": \\\"Authorization (AuthZ): Quick Start Guide for Enterprise Permissions | AuthZed.com\\\",\\n \\\"image\\\": [\\n \\\"https://authzed.com/images/blogs/blog-featured-image.png\\\"\\n ],\\n \\\"datePublished\\\": \\\"2023-09-06T15:37:08.588Z\\\",\\n \\\"dateModified\\\": \\\"2024-11-18T11:48:00.000Z\\\",\\n \\\"author\\\": [{\\\"@type\\\":\\\"Person\\\",\\\"name\\\":\\\"\\\\\\\"Damian Sieczkowski\\\\\\\"\\\",\\\"url\\\":\\\"https://linkedin.com/in/dsieczko\\\"}],\\n \\\"publisher\\\":\\n {\\n \\\"name\\\": \\\"AuthZed Blog\\\",\\n \\\"url\\\": \\\"https://authzed.com/blog\\\"\\n }\\n}\"}]]}],[\"$\",\"div\",null,{\"className\":\"w-full content-section bg-light\",\"children\":[\"$\",\"section\",null,{\"className\":\"pt-7 pb-14 md:py-20 content-default\",\"children\":[[\"$\",\"div\",null,{\"className\":\"w-full pb-14 border-t border-rocks-100\"}],[\"$\",\"div\",null,{\"className\":\"self-center w-full\",\"children\":[\"$\",\"div\",null,{\"className\":\"nav-links footer footer-light\",\"children\":[[\"$\",\"div\",\"group-0\",{\"className\":\"group\",\"children\":[[\"$\",\"div\",null,{\"className\":\"group-title\",\"children\":\"Products\"}],[\"$\",\"div\",null,{\"children\":[[[\"$\",\"div\",\"div-0-0\",{\"className\":\"group-header\",\"children\":[\"$\",\"span\",null,{\"children\":\"Managed Services\"}]}],[\"$\",\"div\",\"item-0-1\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/products/authzed-dedicated\",\"children\":\"AuthZed Dedicated\"}]}],[\"$\",\"div\",\"item-0-2\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/products/authzed-serverless\",\"children\":\"AuthZed Serverless\"}]}]],[[\"$\",\"div\",\"div-0-3\",{\"className\":\"group-header\",\"children\":[\"$\",\"span\",null,{\"children\":\"Self-Hosted\"}]}],[\"$\",\"div\",\"item-0-4\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/products/authzed-support\",\"children\":\"AuthZed Support\"}]}],[\"$\",\"div\",\"item-0-5\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/products/spicedb-enterprise\",\"children\":\"SpiceDB Enterprise\"}]}]],[[\"$\",\"div\",\"div-0-6\",{\"className\":\"group-header\",\"children\":[\"$\",\"span\",null,{\"children\":\"Open Source\"}]}],[\"$\",\"div\",\"item-0-7\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/spicedb\",\"children\":\"SpiceDB\"}]}],[\"$\",\"div\",\"item-0-8\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/products/spicedb-operator\",\"children\":\"SpiceDB Operator\"}]}],[\"$\",\"div\",\"item-0-9\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/products/spicedb-clients\",\"children\":\"SpiceDB Clients\"}]}]]]}]]}],[\"$\",\"div\",\"group-1\",{\"className\":\"group\",\"children\":[[\"$\",\"div\",null,{\"className\":\"group-title\",\"children\":\"Resources\"}],[\"$\",\"div\",null,{\"children\":[[[\"$\",\"div\",\"div-1-0\",{\"className\":\"group-header\",\"children\":[\"$\",\"span\",null,{\"children\":\"Learn\"}]}],[\"$\",\"div\",\"item-1-1\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"https://play.authzed.com\",\"children\":\"Playground\"}]}],[\"$\",\"div\",\"item-1-2\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/docs\",\"children\":\"Docs\"}]}],[\"$\",\"div\",\"item-1-3\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/demo\",\"children\":\"Demo\"}]}],[\"$\",\"div\",\"item-1-4\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/customers\",\"children\":\"Customer Stories\"}]}],[\"$\",\"div\",\"item-1-5\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/blog/what-is-google-zanzibar\",\"children\":\"Learn More About Google Zanzibar\"}]}]],[[\"$\",\"div\",\"div-1-6\",{\"className\":\"group-header\",\"children\":[\"$\",\"span\",null,{\"children\":\"Support\"}]}],[\"$\",\"div\",\"item-1-7\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"https://security.authzed.com\",\"children\":\"Security\"}]}],[\"$\",\"div\",\"item-1-8\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"https://status.authzed.com/\",\"children\":\"Status Page\"}]}],[\"$\",\"div\",\"item-1-9\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/create-ticket\",\"children\":\"Submit a Ticket\"}]}],[\"$\",\"div\",\"item-1-10\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/call\",\"children\":\"Schedule a Call\"}]}]]]}]]}],[\"$\",\"div\",\"group-2\",{\"className\":\"group\",\"children\":[[\"$\",\"div\",null,{\"className\":\"group-title\",\"children\":\"Company\"}],[\"$\",\"div\",null,{\"children\":[[[\"$\",\"div\",\"div-2-0\",{\"className\":\"group-header\",\"children\":[\"$\",\"span\",null,{\"children\":\"Info\"}]}],[\"$\",\"div\",\"item-2-1\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/about\",\"children\":\"About Us\"}]}],[\"$\",\"div\",\"item-2-2\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/blog\",\"children\":\"Blog\"}]}],[\"$\",\"div\",\"item-2-3\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/contact-us\",\"children\":\"Contact\"}]}],[\"$\",\"div\",\"item-2-4\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"https://www.workatastartup.com/companies/authzed\",\"children\":\"Join the Team\"}]}],[\"$\",\"div\",\"div-2-5\",{\"className\":\"group-header\",\"children\":[\"$\",\"span\",null,{\"children\":\"Legal\"}]}],[\"$\",\"div\",\"item-2-6\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/privacy-policy\",\"children\":\"Privacy Policy\"}]}],[\"$\",\"div\",\"item-2-7\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"/terms-conditions\",\"children\":\"Terms \u0026 Conditions\"}]}]]]}]]}],[\"$\",\"div\",\"group-3\",{\"className\":\"group\",\"children\":[[\"$\",\"div\",null,{\"className\":\"group-title\",\"children\":\"Community\"}],[\"$\",\"div\",null,{\"children\":[[[\"$\",\"div\",\"item-3-0\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"https://authzed.com/discord\",\"children\":\"Discord\"}]}],[\"$\",\"div\",\"item-3-1\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"https://github.com/authzed\",\"children\":\"GitHub\"}]}],[\"$\",\"div\",\"item-3-2\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"https://twitter.com/authzed\",\"children\":\"Twitter\"}]}],[\"$\",\"div\",\"item-3-3\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"https://www.youtube.com/channel/UCFeSgZf0rPqQteiTQNGgTPg\",\"children\":\"YouTube\"}]}],[\"$\",\"div\",\"item-3-4\",{\"children\":[\"$\",\"$L11\",null,{\"href\":\"https://www.linkedin.com/company/authzed/\",\"children\":\"LinkedIn\"}]}]]]}]]}]]}]}],[\"$\",\"div\",null,{\"className\":\"my-12 px-6 flex flex-col tablet:flex-row gap-16 tablet:gap-0\",\"children\":[[\"$\",\"div\",null,{\"className\":\"justify-self-center\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":[\"$\",\"$L1d\",null,{\"src\":\"/authzed-logo-multi-dark.svg\",\"alt\":\"AuthZed\",\"width\":142,\"height\":38.51}]}]}],[\"$\",\"div\",null,{\"className\":\"tablet:ml-auto flex gap-4\",\"children\":[[\"$\",\"$L1d\",null,{\"alt\":\"Cloud Native Computing Foundation\",\"src\":\"/assets/logo-cncf-color.svg\",\"width\":170,\"height\":48,\"className\":\"w-[170px] h-[48px] tablet:w-[170px] tablet:h-[48px]\"}],[\"$\",\"$L1d\",null,{\"alt\":\"SOC for Service Organizations\",\"src\":\"/assets/SOC_NonCPA.svg\",\"width\":170,\"height\":168,\"className\":\"w-[55px] h-[55px] tablet:w-[75px] tablet:h-[75px] self-end\"}]]}]]}]]}]}]]\n"])</script><script>self.__next_f.push([1,"8:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"1\",{\"children\":\"Authorization (AuthZ): Quick Start Guide for Enterprise Permissions | AuthZed.com\"}],[\"$\",\"meta\",\"2\",{\"name\":\"description\",\"content\":\"This AuthZ quick start guide covers what AuthZ is, why it's an issue, use cases and requirements for enterprise permissions systems. It also provides an introduction to Google Zanzibar's ReBAC approach and how it solves authZ.\"}],[\"$\",\"meta\",\"3\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"4\",{\"name\":\"robots\",\"content\":\"index, follow, nocache\"}],[\"$\",\"meta\",\"5\",{\"name\":\"googlebot\",\"content\":\"index, follow, noimageindex, max-video-preview:-1, max-image-preview:large, max-snippet:-1\"}],[\"$\",\"link\",\"6\",{\"rel\":\"canonical\",\"href\":\"https://authzed.com/blog/authz-primer\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:title\",\"content\":\"Authorization (AuthZ): Quick Start Guide for Enterprise Permissions | AuthZed.com\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:description\",\"content\":\"This AuthZ quick start guide covers what AuthZ is, why it's an issue, use cases and requirements for enterprise permissions systems. It also provides an introduction to Google Zanzibar's ReBAC approach and how it solves authZ.\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image\",\"content\":\"https://authzed.com/images/blogs/blog-featured-image.png\"}],[\"$\",\"meta\",\"10\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"11\",{\"name\":\"twitter:title\",\"content\":\"Authorization (AuthZ): Quick Start Guide for Enterprise Permissions | AuthZed.com\"}],[\"$\",\"meta\",\"12\",{\"name\":\"twitter:description\",\"content\":\"This AuthZ quick start guide covers what AuthZ is, why it's an issue, use cases and requirements for enterprise permissions systems. It also provides an introduction to Google Zanzibar's ReBAC approach and how it solves authZ.\"}],[\"$\",\"meta\",\"13\",{\"name\":\"twitter:image\",\"content\":\"https://authzed.com/images/blogs/blog-featured-image.png\"}],[\"$\",\"meta\",\"14\",{\"name\":\"next-size-adjust\"}]]\n"])</script><script>self.__next_f.push([1,"14:null\n"])</script></body></html>