Permguard

Permguard is an Open Source Multi-Application, Multi-Tenant, Zero-Trust Auth* Provider.

Getting Started
Permguard schema
Permguard schema

PemGuard is an Open Source Zero-Trust Auth* Provider for cloud-native, edge, and multi-tenant apps, decoupled from application code. It implements a centralized authorization layer using Policy-as-code, enabling enforcement of permission from anywhere, including VMs, Containers, and Serverless.

Applications

Applications

Create and configure an Application, optionally including its Tenants.

Identities

Identities

Create an identity source and populate it with Users and Actors using available SDKs.

Ledgers

Ledgers

Create a Policy Ledger and set up its Schema and Policies.

Policies

Policies

Configure Policies to define what can be permitted or forbidden.

Permissions

Permissions

Configure Permissions on policies and assign them to identities (users and actors).

Enforce

Enforce

Enforce the permissions in the application using available SDKs.

Please accept marketing-cookies to watch this video.
Diagram Diagram

Permguard Server

Start the PermGuard Authorization Server to serve as the central authority for managing Applications, Identity Sources, Identities, Tenants, Policy Ledgers, and more. Keep in mind that PermGuard requires integration with an external authentication provider, as it does not handle authentication itself.

Permguard Server
Workspace Workspace

Workspace

Initialize a local workspace and check out a remote Policy Ledger from a PermGuard Authorization Server using the PermGuard Command Line.

Policy as Code (PAC)

Implement your authorization model using schemas and write policies in supported languages. Cedar Policy Language is now available, with additional languages coming soon.

Before

After


func checkPermissions(token, system, resource, action string) bool {
    payload := decodeJWT(token)
    actors, ok := payload["actors"].([]string)
    if !ok {
        return false
    }

    for _, actor := range actors {
        actorPermissions := getPermissionsForActor(actor)
        if resources, systemFound := actorPermissions[resource]; systemFound {
            if actions, resourceFound := resources[system]; resourceFound {
                for _, allowedAction := range actions {
                    if strings.EqualFold(allowedAction, action) {
                        return true // Permission granted
                    }
                }
            }
        }
    }
    return false // No permission granted
}

hasPermissions := checkPermissions(token, system, "inventory", "view")

func checkPermissions(token, system, resource, action string) bool {
  payload := decodeJWT(token)
  actors, ok := payload["actors"].([]string)
  if !ok {
    return false
  }

  for _, actor := range actors {
    actorPermissions := getPermissionsForActor(actor)
    if resources, systemFound := actorPermissions[resource]; systemFound {
      if actions, resourceFound := resources[system]; resourceFound {
        for _, allowedAction := range actions {
          if strings.EqualFold(allowedAction, action) {
            return true // Permission granted
          }
        }
      }
    }
  }
  return false // No permission granted
}

hasPermissions := checkPermissions(token, system, "inventory", "view")
hasPermissions := permguard.Check(
  principal,
  policyStore,
  entities,
  subject,
  resource,
  action,
  context
)

Policies

Apply Policy as Code to Remote Ledger

Use the Permguard command line to build a plan based on the local state and apply changes to the remote ledger.

Integrate Permguard PEP

Integrate Permguard's Policy Enforcement Point (PEP) using the available SDKs, or build your own with gRPC endpoints for unsupported languages.

Golang

Go

Python

Python

TypeScript

TypeScript

Soon
.NET Core

.NET Core

Soon
Java

Java

Soon

Enforce Permissions in Your Code

Enforce permissions in your code by verifying that the current identity has the rights to perform actions on the specified resources.

Code window
@app.get("/inventory")
async def view_inventory(token: str = Depends(oauth2_scheme)):
    uur = get_uur_from_token(token)
    has_permissions = check_permissions(uur, "inventory", "view")

    if has_permissions:
        return get_inventory()
    else:
        raise HTTPException(status_code=403, detail="Actor cannot view inventory")
    
Where to Enforce

Where to Enforce

The Policy Enforcement Point (PEP) can be set up in various environments:

  • Check sign

    Kubernetes, using a sidecar deployment

  • Check sign

    Serverless, with proximity nodes

  • Check sign

    Standalone server Edge computing

Guaranteed Versioning & Immutability

Permguard guarantees compliance through built-in versioning and immutability using a Git-like algorithm, ensuring policies and permissions are stored in a tamper-proof and traceable manner.

Proximity nodes independently pull updates via the NOTP (Negotiated Object Transfer Protocol), allowing each node to reference specific points in time while optimizing bandwidth usage. Policies are stored in immutable blobs. This approach, combined with the abstract language layer, allows Permguard to extend seamlessly with other languages, ensuring there is no dependency on code-specific APIs.

Guaranteed Versioning Guaranteed Versioning

Multi Tenancy

With Permguard, you can implement multi-tenancy permissions, ideal for SaaS environments where different permission models are needed for each tenant.

Multi Tenancy
Vscode Extension

Install The VS Code Extension

Install the Visual Studio Code Extension to enhance your development experience.