Policy Governance
Separate policy from code using Git-like, versioned objects that are portable, immutable, and audit-ready. Guarantee consistent authorization across environments, with full traceability for compliance and auditing.
From Static Claims to Runtime Trust: Secure, Auditable Decisions for Humans and Workloads. Boost SIEM & SOC with Decision Insights.
Built for Zero Trust and distributed systems, it ensures consistent enforcement even during network disruptions. Policies are versioned and distributed through a Git-like model, enabling proximity-based decisions, including on-behalf-of execution, with audit-ready decision logs.
Closing the gap left by token-based protocols: instead of relying on impersonation, it's time to act on behalf of, with full context and verifiable consent. Authorization governance, trust, and policies must propagate across the entire distributed transaction, from the initial caller to every downstream action.
Separate policy from code using Git-like, versioned objects that are portable, immutable, and audit-ready. Guarantee consistent authorization across environments, with full traceability for compliance and auditing.
Define which workloads are allowed to act on behalf of others. Classify workloads by trust level and validate not just the token, but also the runtime identity executing the action.
Make authorization decisions based on both the user and the calling workload. Enable advanced flows like Trust Elevation for secure, dynamic execution across identity boundaries.
Enable verifiable "on-behalf-of" execution as a native runtime feature. Every action respects consent, enforces policy, and leaves a complete audit trail, always aligned with least privilege.
Deploy the central AuthZ server, configure it with your Trust Zone, identities, and ledger, and get ready to provision policies and start enforcing access decisions in real time.
Initialize a local workspace and checkout a remote PermGuard server account using the PermGuard Command Line.
Code your policies using your preferred IDE, plan the provisioning, and apply changes.
Policies are managed as Git-like objects, ensuring immutability, versioning, and correctness by design.
Easily integrate Permguard into your app using SDKs for Go, Python, Node.js, .NET, and more.
Before
After
// BEFORE
func getPermissionsForRole(role string) map[string]map[string][]string {
// Here boilerplate code to fetch permissions for a role
return permissions
}
func checkPermissions(token, system, resource, action string) bool {
payload := decodeJWT(token)
roles, ok := payload["role"].([]string)
if !ok {
return false
}
for _, role := range roles {
rolePermissions := getPermissionsForRole(role)
if resources, systemFound := rolePermissions[resource]; systemFound {
if actions, resourceFound := resources[system]; resourceFound {
for _, allowedAction := range actions {
if strings.EqualFold(allowedAction, action) {
return true
}
}
}
}
}
return false
}
hasPermissions := checkPermissions(token, system, "subscription", "view")
if hasPermissions {
fmt.Println("✅ Authorization Permitted")
} else {
fmt.Println("❌ Authorization Denied")
}
// BEFORE
func getPermissionsForRole(role string) map[string]map[string][]string {
// Here boilerplate code to fetch permissions for a role
return permissions
}
func checkPermissions(token, system, resource, action string) bool {
payload := decodeJWT(token)
roles, ok := payload["role"].([]string)
if !ok {
return false
}
for _, role := range roles {
rolePermissions := getPermissionsForRole(role)
if resources, systemFound := rolePermissions[resource]; systemFound {
if actions, resourceFound := resources[system]; resourceFound {
for _, allowedAction := range actions {
if strings.EqualFold(allowedAction, action) {
return true
}
}
}
}
}
return false
}
hasPermissions := checkPermissions(token, system, "subscription", "view")
if hasPermissions {
fmt.Println("✅ Authorization Permitted")
} else {
fmt.Println("❌ Authorization Denied")
}
// AFTER
import (
"github.com/permguard/permguard-go"
"github.com/permguard/permguard-go/az/azreq"
)
azClient := permguard.NewAZClient(
permguard.WithEndpoint("localhost", 9094),
)
req := azreq.NewAZAtomicRequestBuilder(273165098782, "fd1ac44e4afa4fc4beec622494d3175a",
"amy.smith@acmecorp.com", "MagicFarmacia::Platform::Subscription", "MagicFarmacia::Platform::Action::create").
WithResourceID("e3a786fd07e24bfa95ba4341d3695ae8").
Build()
ok, _, _ := azClient.Check(req)
if decsion {
fmt.Println("✅ Authorization Permitted")
} else {
fmt.Println("❌ Authorization Denied")
}
The Policy Enforcement Point (PEP) can be set up in various environments:
Kubernetes, using a sidecar deployment
Serverless, with proximity node agents
Standalone server Edge computing
Install the Visual Studio Code Extension to enhance your development experience.