Permguard

Rethinking Authorization Beyond the Token

From Static Claims to Runtime Trust: Secure, Auditable Decisions for Humans and Workloads. Boost SIEM & SOC with Decision Insights.

Get Started View on Github

What Is Permguard

Built for Authorization at the Edge With Full Auditability

Built for Zero Trust and distributed systems, it ensures consistent enforcement even during network disruptions. Policies are versioned and distributed through a Git-like model, enabling proximity-based decisions, including on-behalf-of execution, with audit-ready decision logs.

Best In Class For Distributed Systems

Bringing Trust to the Space Between Identity and Action

Closing the gap left by token-based protocols: instead of relying on impersonation, it's time to act on behalf of, with full context and verifiable consent. Authorization governance, trust, and policies must propagate across the entire distributed transaction, from the initial caller to every downstream action.

Policy Governance

Separate policy from code using Git-like, versioned objects that are portable, immutable, and audit-ready. Guarantee consistent authorization across environments, with full traceability for compliance and auditing.

Workload Governance

Define which workloads are allowed to act on behalf of others. Classify workloads by trust level and validate not just the token, but also the runtime identity executing the action.

Zero Trust Enforcement

Make authorization decisions based on both the user and the calling workload. Enable advanced flows like Trust Elevation for secure, dynamic execution across identity boundaries.

Act-On-Behalf-Of, by Design

Enable verifiable "on-behalf-of" execution as a native runtime feature. Every action respects consent, enforces policy, and leaves a complete audit trail, always aligned with least privilege.

Deploy, Configure & Enforce.

Deploy the AuthZ Server and Start Enforcing Authorization

Deploy the central AuthZ server, configure it with your Trust Zone, identities, and ledger, and get ready to provision policies and start enforcing access decisions in real time.

Workspace

Initialize a local workspace and checkout a remote PermGuard server account using the PermGuard Command Line.

Policy as Code (PAC)

Code your policies using your preferred IDE, plan the provisioning, and apply changes.

Policies are managed as Git-like objects, ensuring immutability, versioning, and correctness by design.

Enforce Authorization in Your Application

Easily integrate Permguard into your app using SDKs for Go, Python, Node.js, .NET, and more.

Before

After

// BEFORE
  
  func getPermissionsForRole(role string) map[string]map[string][]string {
    // Here boilerplate code to fetch permissions for a role
    return permissions
  }
  
  func checkPermissions(token, system, resource, action string) bool {
    payload := decodeJWT(token)
    roles, ok := payload["role"].([]string)
    if !ok {
        return false
    }
  
    for _, role := range roles {
        rolePermissions := getPermissionsForRole(role)
        if resources, systemFound := rolePermissions[resource]; systemFound {
            if actions, resourceFound := resources[system]; resourceFound {
                for _, allowedAction := range actions {
                    if strings.EqualFold(allowedAction, action) {
                        return true
                    }
                }
            }
        }
    }
    return false
  }
  
  hasPermissions := checkPermissions(token, system, "subscription", "view")
  if hasPermissions {
    fmt.Println("✅ Authorization Permitted")
  } else {
  fmt.Println("❌ Authorization Denied")
  }

// BEFORE
  
  func getPermissionsForRole(role string) map[string]map[string][]string {
    // Here boilerplate code to fetch permissions for a role
    return permissions
  }
  
  func checkPermissions(token, system, resource, action string) bool {
    payload := decodeJWT(token)
    roles, ok := payload["role"].([]string)
    if !ok {
        return false
    }
  
    for _, role := range roles {
        rolePermissions := getPermissionsForRole(role)
        if resources, systemFound := rolePermissions[resource]; systemFound {
            if actions, resourceFound := resources[system]; resourceFound {
                for _, allowedAction := range actions {
                    if strings.EqualFold(allowedAction, action) {
                        return true
                    }
                }
            }
        }
    }
    return false
  }
  
  hasPermissions := checkPermissions(token, system, "subscription", "view")
  if hasPermissions {
    fmt.Println("✅ Authorization Permitted")
  } else {
  fmt.Println("❌ Authorization Denied")
  }

// AFTER
  
  import (
   "github.com/permguard/permguard-go"
   "github.com/permguard/permguard-go/az/azreq"
  )
  
  azClient := permguard.NewAZClient(
      permguard.WithEndpoint("localhost", 9094),
  )
  
  req := azreq.NewAZAtomicRequestBuilder(273165098782, "fd1ac44e4afa4fc4beec622494d3175a",
      "amy.smith@acmecorp.com", "MagicFarmacia::Platform::Subscription", "MagicFarmacia::Platform::Action::create").
      WithResourceID("e3a786fd07e24bfa95ba4341d3695ae8").
      Build()
  
  ok, _, _ := azClient.Check(req)
  if decsion {
      fmt.Println("✅ Authorization Permitted")
  } else {
      fmt.Println("❌ Authorization Denied")
  }

Where to Enforce

The Policy Enforcement Point (PEP) can be set up in various environments:

Kubernetes, using a sidecar deployment
Serverless, with proximity node agents
Standalone server Edge computing

Install the VS Code Extension

Install the Visual Studio Code Extension to enhance your development experience.