Zones
Create and configure an Zone, optionally including its Tenants.
Rethinking Security with Fine-Grained Authorization
Bring Your Own Identity Provider, Define Code Policies, Enforce Zero Trust Security. Enable Trusted Delegation and Elevation for Human and Non-Human Identities. Boost SIEM & SOC with Decision Insights.
Secure identity-based actions with least privilege at the application boundary. The security model ensures eventual consistency, syncing immutably across nodes. The app acts as a Policy Enforcement Point, linked to the Authorization Server via the Policy Decision Point.
PemGuard is an Open Source ZTAuth* Provider for cloud-native, edge, and multi-tenant apps, decoupled from application code. It implements a centralized authorization layer using Policy-as-code, enabling enforcement of permission from anywhere, including VMs, Containers, and Serverless.
Identities
Create an identity source and populate it with Users and Actors using available SDKs.
Ledgers
Create a Policy Ledger and set up its Schema and Policies.
Policies
Configure Policies to define what can be permitted or forbidden.
Permissions
Configure Permissions on policies and assign them to identities (users and actors).
Enforce
Enforce the permissions in the application using available SDKs.
Permguard Server
Start the Permguard Authorization Server to serve as the central authority for managing Zones, Identity Sources, Identities, Tenants, Policy Ledgers, and more. Keep in mind that Permguard requires integration with an external authentication provider, as it does not handle authentication itself.
Workspace
Initialize a local workspace and check out a remote Policy Ledger from a Permguard Authorization Server using the Permguard Command Line.
Policy as Code (PAC)
Implement your authorization model using schemas and write policies in supported languages. Cedar Policy Language is now available, with additional languages coming soon.
Before
After
// BEFORE
func getPermissionsForRole(role string) map[string]map[string][]string {
// Here boilerplate code to fetch permissions for a role
return permissions
}
func checkPermissions(token, system, resource, action string) bool {
payload := decodeJWT(token)
roles, ok := payload["role"].([]string)
if !ok {
return false
}
for _, role := range roles {
rolePermissions := getPermissionsForRole(role)
if resources, systemFound := rolePermissions[resource]; systemFound {
if actions, resourceFound := resources[system]; resourceFound {
for _, allowedAction := range actions {
if strings.EqualFold(allowedAction, action) {
return true
}
}
}
}
}
return false
}
hasPermissions := checkPermissions(token, system, "subscription", "view")
if hasPermissions {
fmt.Println("✅ Authorization Permitted")
} else {
fmt.Println("❌ Authorization Denied")
}
// BEFORE
func getPermissionsForRole(role string) map[string]map[string][]string {
// Here boilerplate code to fetch permissions for a role
return permissions
}
func checkPermissions(token, system, resource, action string) bool {
payload := decodeJWT(token)
roles, ok := payload["role"].([]string)
if !ok {
return false
}
for _, role := range roles {
rolePermissions := getPermissionsForRole(role)
if resources, systemFound := rolePermissions[resource]; systemFound {
if actions, resourceFound := resources[system]; resourceFound {
for _, allowedAction := range actions {
if strings.EqualFold(allowedAction, action) {
return true
}
}
}
}
}
return false
}
hasPermissions := checkPermissions(token, system, "subscription", "view")
if hasPermissions {
fmt.Println("✅ Authorization Permitted")
} else {
fmt.Println("❌ Authorization Denied")
}
// AFTER
import (
"github.com/permguard/sdk-go"
"github.com/permguard/sdk-go/az/azreq"
)
azClient := permguard.NewAZClient(
permguard.WithEndpoint("localhost", 9094),
)
req := azreq.NewAZAtomicRequestBuilder(273165098782, "fd1ac44e4afa4fc4beec622494d3175a",
"amy.smith@acmecorp.com", "MagicFarmacia::Platform::Subscription", "MagicFarmacia::Platform::Action::create").
Build()
ok, _, _ := azClient.Check(req)
if decsion {
fmt.Println("✅ Authorization Permitted")
} else {
fmt.Println("❌ Authorization Denied")
}
Apply Policy as Code to the Remote Ledger
Use the Permguard command line to build a plan based on the local state and apply changes to the remote ledger.
Integrate Permguard PEP
Integrate Permguard's Policy Enforcement Point (PEP) using the available SDKs, or build your own with gRPC endpoints for unsupported languages.
Go
Python
Node.js
.NET Core
Java
Enforce Permissions in Your Code
Enforce permissions in your code by verifying that the current identity has the rights to perform actions on the specified resources.
@app.get("/inventory")
async def view_inventory(token: str = Depends(oauth2_scheme)):
uur = get_uur_from_token(token)
has_permissions = check_permissions(uur, "platform-creator",
"MagicFarmacia::Platform::Subscription", "MagicFarmacia::Platform::Action::create")
if has_permissions:
return get_inventory()
else:
raise HTTPException(status_code=403, detail="Actor cannot view inventory")
Where to Enforce
The Policy Enforcement Point (PEP) can be set up in various environments:
Kubernetes, using a sidecar deployment
Serverless, with proximity nodes
Standalone server Edge computing
Guaranteed Versioning & Immutability
Permguard guarantees compliance through built-in versioning and
immutability using a Git-like algorithm, ensuring policies and permissions
are stored in a tamper-proof and traceable manner.
Proximity nodes independently pull updates via the NOTP (Negotiated Object
Transfer Protocol), allowing each node to reference specific points in
time while optimizing bandwidth usage. Policies are stored in immutable
blobs. This approach, combined with the abstract language layer, allows
Permguard to extend seamlessly with other languages, ensuring there is no
dependency on code-specific APIs.
Multi Tenancy
With Permguard, you can implement multi-tenancy permissions, ideal for SaaS environments where different permission models are needed for each tenant.
Install The VS Code Extension
Install the Visual Studio Code Extension to enhance your development experience.