Permguard
Permguard is an Open Source Multi-Account, Multi-Tenant, Zero-Trust Auth* Provider.
Getting StartedPemGuard is an Open Source Zero-Trust Auth* Provider for cloud-native, edge, and multi-tenant apps, decoupled from application code. It implements a centralized authorization layer using Policy-as-code, enabling enforcement of permission from anywhere, including VMs, Containers, and Serverless.
Accounts
Create and configure an Account, optionally including its Tenants.
Identities
Create and identity source and populate it with Users and Actors using available SDKs.
Repositories
Create Repository and configure its Schema (domains, resources and actions).
Policies
Configure Policies to define what can be permitted or forbidden.
Permissions
Configure Permissions on policies and assign them to identities (users and actors).
Enforce
Enforce the permissions in the application using available SDKs.
Permguard Server
Start the Permguard Server to act as the central authority for managing Accounts, Identity Sources, Identities, and Tenants. It’s important to integrate your preferred authentication provider, as Permguard does not implement authentication
Workspace
Initialize a local workspace and checkout a remote Permguard server account using the Permguard Command Line.
Policy as Code (PAC)
Define your authorization model using YAML schemas and write policies in supported languages. Cedar Policy Language is now available, with additional languages coming soon.
Before
After
func checkPermissions(token, system, resource, action string) bool {
payload := decodeJWT(token)
actors, ok := payload["actors"].([]string)
if !ok {
return false
}
for _, actor := range actors {
actorPermissions := getPermissionsForActor(actor)
if resources, systemFound := actorPermissions[resource]; systemFound {
if actions, resourceFound := resources[system]; resourceFound {
for _, allowedAction := range actions {
if strings.EqualFold(allowedAction, action) {
return true // Permission granted
}
}
}
}
}
return false // No permission granted
}
hasPermissions := checkPermissions(token, system, "inventory", "view")
func checkPermissions(token, system, resource, action string) bool {
payload := decodeJWT(token)
actors, ok := payload["actors"].([]string)
if !ok {
return false
}
for _, actor := range actors {
actorPermissions := getPermissionsForActor(actor)
if resources, systemFound := actorPermissions[resource]; systemFound {
if actions, resourceFound := resources[system]; resourceFound {
for _, allowedAction := range actions {
if strings.EqualFold(allowedAction, action) {
return true // Permission granted
}
}
}
}
}
return false // No permission granted
}
hasPermissions := checkPermissions(token, system, "inventory", "view")
hasPermissions := permguard.Check(
jwt,
"permguard@localhost/581616507495/permguard/authn/identity/actor/pharmacist",
"magicfarmacia",
"inventory",
"view",
)
Apply Policy as Code to Remote Repo
Use the Permguard command line to build a plan based on the local state and apply changes to the remote repository.
Integrate Permguard PEP
Integrate Permguard’s Policy Enforcement Point (PEP) using the available SDKs, or build your own with gRPC endpoints for unsupported languages.
Go
Python
TypeScript
Soon.NET Core
SoonJava
SoonEnforce Permissions in Your Code
Ensure permissions in your code by verifying that the current identity has the rights to perform actions on the specified resources.
@app.get("/inventory")
async def view_inventory(token: str = Depends(oauth2_scheme)):
uur = get_uur_from_token(token)
has_permissions = check_permissions(uur, "inventory", "view")
if has_permissions:
return get_inventory()
else:
raise HTTPException(status_code=403, detail="Actor cannot view inventory")
Where to Enforce
The Policy Enforcement Point (PEP) can be set up in various environments:
Kubernetes, using a sidecar deployment
Serverless, with proximity node agents
Standalone server Edge computing
Guaranteed Versioning & Immutability
Permguard guarantees compliance through built-in versioning and
immutability using a Git-like algorithm, ensuring policies and permissions
are stored in a tamper-proof and traceable manner.
Proximity nodes independently pull updates via the NOTP (Negotiated Object
Transfer Protocol), allowing each node to reference specific points in
time while optimizing bandwidth usage. Policies are stored in immutable blobs.
This approach, combined with the abstract language layer, allows Permguard to
extend seamlessly with other languages, ensuring there is no dependency on
code-specific APIs.
Multi Tenancy
With Permguard, you can implement multi-tenancy permissions, ideal for SaaS environments where different permission models are needed for each tenant.
Install The VS Code Extension
Install the Visual Studio Code Extension to enhance your development experience.