Applications
Create and configure an Application, optionally including its Tenants.
Permguard is an Open Source Multi-Application, Multi-Tenant, Zero-Trust Auth* Provider.
Getting StartedPemGuard is an Open Source Zero-Trust Auth* Provider for cloud-native, edge, and multi-tenant apps, decoupled from application code. It implements a centralized authorization layer using Policy-as-code, enabling enforcement of permission from anywhere, including VMs, Containers, and Serverless.
Create and configure an Application, optionally including its Tenants.
Create an identity source and populate it with Users and Actors using available SDKs.
Create a Policy Ledger and set up its Schema and Policies.
Configure Policies to define what can be permitted or forbidden.
Configure Permissions on policies and assign them to identities (users and actors).
Enforce the permissions in the application using available SDKs.
Start the PermGuard Authorization Server to serve as the central authority for managing Applications, Identity Sources, Identities, Tenants, Policy Ledgers, and more. Keep in mind that PermGuard requires integration with an external authentication provider, as it does not handle authentication itself.
Initialize a local workspace and check out a remote Policy Ledger from a PermGuard Authorization Server using the PermGuard Command Line.
Implement your authorization model using schemas and write policies in supported languages. Cedar Policy Language is now available, with additional languages coming soon.
Before
After
func checkPermissions(token, system, resource, action string) bool {
payload := decodeJWT(token)
actors, ok := payload["actors"].([]string)
if !ok {
return false
}
for _, actor := range actors {
actorPermissions := getPermissionsForActor(actor)
if resources, systemFound := actorPermissions[resource]; systemFound {
if actions, resourceFound := resources[system]; resourceFound {
for _, allowedAction := range actions {
if strings.EqualFold(allowedAction, action) {
return true // Permission granted
}
}
}
}
}
return false // No permission granted
}
hasPermissions := checkPermissions(token, system, "inventory", "view")
func checkPermissions(token, system, resource, action string) bool {
payload := decodeJWT(token)
actors, ok := payload["actors"].([]string)
if !ok {
return false
}
for _, actor := range actors {
actorPermissions := getPermissionsForActor(actor)
if resources, systemFound := actorPermissions[resource]; systemFound {
if actions, resourceFound := resources[system]; resourceFound {
for _, allowedAction := range actions {
if strings.EqualFold(allowedAction, action) {
return true // Permission granted
}
}
}
}
}
return false // No permission granted
}
hasPermissions := checkPermissions(token, system, "inventory", "view")
hasPermissions := permguard.Check(
principal,
policyStore,
entities,
subject,
resource,
action,
context
)
Use the Permguard command line to build a plan based on the local state and apply changes to the remote ledger.
Integrate Permguard's Policy Enforcement Point (PEP) using the available SDKs, or build your own with gRPC endpoints for unsupported languages.
Go
Python
TypeScript
Soon.NET Core
SoonJava
SoonEnforce permissions in your code by verifying that the current identity has the rights to perform actions on the specified resources.
@app.get("/inventory")
async def view_inventory(token: str = Depends(oauth2_scheme)):
uur = get_uur_from_token(token)
has_permissions = check_permissions(uur, "inventory", "view")
if has_permissions:
return get_inventory()
else:
raise HTTPException(status_code=403, detail="Actor cannot view inventory")
The Policy Enforcement Point (PEP) can be set up in various environments:
Kubernetes, using a sidecar deployment
Serverless, with proximity nodes
Standalone server Edge computing
Permguard guarantees compliance through built-in versioning and
immutability using a Git-like algorithm, ensuring policies and permissions
are stored in a tamper-proof and traceable manner.
Proximity nodes independently pull updates via the NOTP (Negotiated Object
Transfer Protocol), allowing each node to reference specific points in
time while optimizing bandwidth usage. Policies are stored in immutable
blobs. This approach, combined with the abstract language layer, allows
Permguard to extend seamlessly with other languages, ensuring there is no
dependency on code-specific APIs.
With Permguard, you can implement multi-tenancy permissions, ideal for SaaS environments where different permission models are needed for each tenant.
Install the Visual Studio Code Extension to enhance your development experience.