Permguard

Permguard is an Open Source Multi-Account, Multi-Tenant, Zero-Trust Auth* Provider.

Getting Started
Permguard schema
Permguard schema

PemGuard is an Open Source Zero-Trust Auth* Provider for cloud-native, edge, and multi-tenant apps, decoupled from application code. It implements a centralized authorization layer using Policy-as-code, enabling enforcement of permission from anywhere, including VMs, Containers, and Serverless.

Accounts

Accounts

Create and configure an Account, optionally including its Tenants.

Identities

Identities

Create and identity source and populate it with Users and Actors using available SDKs.

Repositories

Repositories

Create Repository and configure its Schema (domains, resources and actions).

Policies

Policies

Configure Policies to define what can be permitted or forbidden.

Permissions

Permissions

Configure Permissions on policies and assign them to identities (users and actors).

Enforce

Enforce

Enforce the permissions in the application using available SDKs.

Diagram Diagram

Permguard Server

Start the Permguard Server to act as the central authority for managing Accounts, Identity Sources, Identities, and Tenants. It’s important to integrate your preferred authentication provider, as Permguard does not implement authentication

Permguard Server
Workspace Workspace

Workspace

Initialize a local workspace and checkout a remote Permguard server account using the Permguard Command Line.

Policy as Code (PAC)

Define your authorization model using YAML schemas and write policies in supported languages. Cedar Policy Language is now available, with additional languages coming soon.

Before

After


func checkPermissions(token, system, resource, action string) bool {
    payload := decodeJWT(token)
    actors, ok := payload["actors"].([]string)
    if !ok {
        return false
    }

    for _, actor := range actors {
        actorPermissions := getPermissionsForActor(actor)
        if resources, systemFound := actorPermissions[resource]; systemFound {
            if actions, resourceFound := resources[system]; resourceFound {
                for _, allowedAction := range actions {
                    if strings.EqualFold(allowedAction, action) {
                        return true // Permission granted
                    }
                }
            }
        }
    }
    return false // No permission granted
}

hasPermissions := checkPermissions(token, system, "inventory", "view")

func checkPermissions(token, system, resource, action string) bool {
  payload := decodeJWT(token)
  actors, ok := payload["actors"].([]string)
  if !ok {
    return false
  }

  for _, actor := range actors {
    actorPermissions := getPermissionsForActor(actor)
    if resources, systemFound := actorPermissions[resource]; systemFound {
      if actions, resourceFound := resources[system]; resourceFound {
        for _, allowedAction := range actions {
          if strings.EqualFold(allowedAction, action) {
            return true // Permission granted
          }
        }
      }
    }
  }
  return false // No permission granted
}

hasPermissions := checkPermissions(token, system, "inventory", "view")
hasPermissions := permguard.Check(
  jwt,
  "permguard@localhost/581616507495/permguard/authn/identity/actor/pharmacist",
  "magicfarmacia",
  "inventory",
  "view",
)

Policies

Apply Policy as Code to Remote Repo

Use the Permguard command line to build a plan based on the local state and apply changes to the remote repository.

Integrate Permguard PEP

Integrate Permguard’s Policy Enforcement Point (PEP) using the available SDKs, or build your own with gRPC endpoints for unsupported languages.

Golang

Go

Python

Python

TypeScript

TypeScript

Soon
.NET Core

.NET Core

Soon
Java

Java

Soon

Enforce Permissions in Your Code

Ensure permissions in your code by verifying that the current identity has the rights to perform actions on the specified resources.

Code window
@app.get("/inventory")
async def view_inventory(token: str = Depends(oauth2_scheme)):
    uur = get_uur_from_token(token)
    has_permissions = check_permissions(uur, "inventory", "view")

    if has_permissions:
        return get_inventory()
    else:
        raise HTTPException(status_code=403, detail="Actor cannot view inventory")
    
Where to Enforce

Where to Enforce

The Policy Enforcement Point (PEP) can be set up in various environments:

  • Check sign

    Kubernetes, using a sidecar deployment

  • Check sign

    Serverless, with proximity node agents

  • Check sign

    Standalone server Edge computing

Guaranteed Versioning & Immutability

Permguard guarantees compliance through built-in versioning and immutability using a Git-like algorithm, ensuring policies and permissions are stored in a tamper-proof and traceable manner.

Proximity nodes independently pull updates via the NOTP (Negotiated Object Transfer Protocol), allowing each node to reference specific points in time while optimizing bandwidth usage. Policies are stored in immutable blobs. This approach, combined with the abstract language layer, allows Permguard to extend seamlessly with other languages, ensuring there is no dependency on code-specific APIs.

Guaranteed Versioning Guaranteed Versioning

Multi Tenancy

With Permguard, you can implement multi-tenancy permissions, ideal for SaaS environments where different permission models are needed for each tenant.

Multi Tenancy
Vscode Extension

Install The VS Code Extension

Install the Visual Studio Code Extension to enhance your development experience.