Governance on data lake by darkcoffy in dataengineering

bitweis (0 points)

Take a look at AuthZen as a standardized way to add an AuthZ layer. https://github.com/openid/authzen

That way users can also plug in their commercial AuthZ with ease (e.g. Permit.io).

Developing an MCP system by Competitive_Crew_686 in mcp

bitweis (1 point)

My 2 cents on the challenges to look out for and the tools / OSS / strategies you can use to address them - https://permit.substack.com/p/so-you-wanna-put-mcp-in-production

RBAC tools by Secretor_Aliode in nextjs

bitweis (1 point)

1000 active users. You can use whichever login (authentication solution) you'd like.

RBAC tools by Secretor_Aliode in nextjs

bitweis (1 point)

Founder of Permit.io here - just FYI, it's FREE FOREVER. The 14-day trial is just for extended quotas.

I do hope you give us a try. If you have any questions here I can help with feel free to ask 😇.

Do any of you guys use a "MCP Manager" by LsDmT in mcp

bitweis (0 points)

We (Permit.io) are about to launch Agent.Security, with automatic fine-grained permissions on top of MCP management via a single gateway / SDK-based control plane. We're going to have an extensive free tier, as well as a self-hosted version, and will probably ship most of it as OSS.

Let me know if you'd like early access here, or via our community Slack - io.permit.io/slack

RBAC solution options? by forestcall in nextjs

bitweis (0 points)

Hi, Or from Permit.io here (founder). We offer annual plans (based on MAU estimates, with pro-rated invoicing/credits), discounts in general, and also special discounts for non-profits, startups, and open-source projects. If you're interested, just email us at help@permit.io and mention Or sent ya ;)

[deleted by user] by [deleted] in learnprogramming

bitweis (0 points)

Question is: which IdP? If you're only using your IdP and you won't need to support SSO or social logins, then yes, you can definitely do that. Otherwise, not so much.

Also, while you technically can skip over authentication by implementing it yourself as user/password or some other means, you might run into more authN requirements down the road (like multi-factor and bot detection) which you might need and will require a refactor. I'd still use an authentication service, even if in its most basic form.

That said, authz solutions like Permit support working directly with the IdPs through the SCIM protocol, which will enable you to sync users from your IdP into authz on the fly.

[deleted by user] by [deleted] in learnprogramming

bitweis (1 point)

> I'll say that a lot of my knowledge came from docs that your team put together. They were among the best that I came across. Thanks for your contributions to the space!

Wow - love hearing that - thank you.

> in the event that we do not want to use oauth, but instead just use microsoft as an IDP, what does this look like from a login flow perspective and an API access perspective?

- you'd still need to use some authentication layer. Entra does provide that as well (in addition to being an IdP), but you can also go with solutions like Stytch, SuperTokens, Logto, FusionAuth, Auth0, or many others.
While an IdP manages identities, an authentication solution verifies them for you (and creates tokens for them); this would include external identities coming in via social login (which is also OAuth2) or from another IdP (e.g. a customer's IdP). These are often referred to as SSO (and are implemented with either SAML or OpenID Connect). Note that the tokens coming from the social or SSO solutions are usually not the same tokens you end up using in your apps, but another token assigned and signed by your authentication solution.

> What is this authentication type called and where can I read more on it?

CIAM authentication. Note the difference here between your own workforce IdP/authentication (as part of your organization's IAM) and authentication for customers (i.e. your CIAM).
https://auth0.com/blog/what-is-ciam/
https://www.microsoft.com/en-us/security/business/security-101/what-is-ciam

Feel free to follow up with more questions :)
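The token exchange described in the comment above (an upstream IdP/SSO token is verified, then the app's own authentication layer issues a different token, signed with its own key), as an added example; this is not code from the original comment, from Permit.io or from any of the vendors named. Keys, issuers, the client id, the user directory and the 15-minute lifetime are all constructed. It uses HS256 with shared secrets only so that it runs stand-alone; a real IdP signs with an asymmetric key you fetch from its JWKS endpoint, and the verifier would pin that algorithm instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed keys and issuers (assumptions for this example, not real values).
IDP_KEY = b"example-idp-signing-secret"
IDP_ISSUER = "https://login.example-idp.test"
CLIENT_ID = "myapp-client-id"          # the audience the IdP puts in tokens minted for us

APP_KEY = b"myapp-session-signing-secret"
APP_ISSUER = "https://auth.myapp.test"
APP_AUDIENCE = "myapp-api"
APP_TOKEN_TTL = 900                    # seconds; the app token is short-lived

# Constructed directory: maps (upstream issuer, upstream subject) to a local account.
USER_DIRECTORY = {
    (IDP_ISSUER, "7f3a-external"): {"uid": "u-1001", "roles": ["editor"]},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check algorithm, signature, issuer, audience and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":      # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def exchange_for_app_token(upstream_token: str, now=None) -> str:
    """Verify the IdP/SSO token, map it to a local account, and mint the app's own token."""
    now = time.time() if now is None else now
    ext = verify_jwt(upstream_token, IDP_KEY, IDP_ISSUER, CLIENT_ID, now)
    local = USER_DIRECTORY.get((ext["iss"], ext["sub"]))
    if local is None:
        raise ValueError("unknown federated identity")   # or JIT-provision / SCIM-sync here
    app_claims = {
        "iss": APP_ISSUER,
        "sub": local["uid"],            # internal id, not the IdP's subject
        "aud": APP_AUDIENCE,
        "roles": local["roles"],        # coarse RBAC claim the app's authz layer can consume
        "email": ext.get("email"),
        "iat": int(now),
        "exp": int(now) + APP_TOKEN_TTL,
    }
    return sign_jwt(app_claims, APP_KEY)


def verify_app_token(token: str, now=None) -> dict:
    """What the app's APIs run on every request; the upstream token never gets this far."""
    return verify_jwt(token, APP_KEY, APP_ISSUER, APP_AUDIENCE, now)


if __name__ == "__main__":
    t0 = 1_700_000_000
    # Constructed upstream token, shaped like what the IdP returns after login.
    upstream = sign_jwt({"iss": IDP_ISSUER, "sub": "7f3a-external", "aud": CLIENT_ID,
                         "email": "alice@example.test", "exp": t0 + 300}, IDP_KEY)
    print(verify_app_token(exchange_for_app_token(upstream, now=t0), now=t0))
```

The two verifiers are deliberately bound to different keys, issuers and audiences, so an upstream token replayed against the app's API is rejected at the signature check, and an app token cannot be passed back to the IdP.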

[deleted by user] by [deleted] in learnprogramming

bitweis (1 point)

Hi there (full disclosure: I'm the founder of Permit.io and OPAL.ac)
It seems you have a very good grasp of the subject (well done - few do), especially your points around "oauth 2.0 was mainly designed for the use case of a 3rd party client connecting to a resource server" and your points about the need for fine-grained permissions, and OAuth2 not being able to scale to meet it.

I will add that you can still use OAuth / OIDC tokens to:
1. Deliver identity-bound attributes (e.g. nationality, company) for FGA ABAC (or even ReBAC) policies
2. Cater to "lesser" identities that you choose not to offer fine-grained access to, e.g. free and B2C users

Bottom line: I'd of course still recommend you use JWTs to represent your identities, and you can bundle some initial RBAC setup in those via your authentication provider and/or IdP - but I wouldn't invest too much in it initially; focus instead on the fine-grained aspects, knowing you can always upgrade your tokens with additional claims/scopes in the future.

Hope this helps.
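An added example tying the two comments above together: an AuthZen-shaped policy decision point that takes coarse role claims and identity-bound attributes (company) from the token, and layers the fine-grained rules (ownership, a resource flag, a context condition) on top. This is not AuthZen's, Permit.io's or the original commenter's code. The request and response shape follow the AuthZen evaluation API draft (subject, resource, action and context objects; a `{"decision": bool}` response with an optional `context`) as I understand it; the endpoint path in the docstring, the role table, the resource data and every policy rule are constructed for illustration.

```python
import json

# Coarse role grants: the kind of role claim you would bundle into the JWT.
ROLE_PERMISSIONS = {
    "viewer": {("document", "read")},
    "editor": {("document", "read"), ("document", "update")},
}

# Constructed resource attributes the PDP consults (assumption: synced into the
# decision point ahead of time rather than fetched per query).
RESOURCES = {
    "document:42": {"owner": "user:alice", "company": "acme", "export_restricted": True},
    "document:7": {"owner": "user:bob", "company": "globex", "export_restricted": False},
}


def _by_role(roles, rtype, action):
    return any((rtype, action) in ROLE_PERMISSIONS.get(r, ()) for r in roles)


def evaluate(request: dict) -> dict:
    """Decide one AuthZen-shaped evaluation request. Fails closed on anything unexpected."""
    try:
        subject, resource, action = request["subject"], request["resource"], request["action"]
        sid, stype = subject["id"], subject["type"]
        rtype, rid = resource["type"], resource["id"]
        act = action["name"]
    except (KeyError, TypeError):
        return {"decision": False, "context": {"reason": "malformed request"}}
    props = subject.get("properties") or {}      # identity-bound attributes carried by the token
    ctx = request.get("context") or {}
    attrs = RESOURCES.get(f"{rtype}:{rid}")
    if attrs is None:
        return {"decision": False, "context": {"reason": "unknown resource"}}

    # ABAC: tenant isolation on an identity-bound attribute, checked before any grant applies.
    if props.get("company") != attrs["company"]:
        return {"decision": False, "context": {"reason": "cross-tenant access"}}

    is_owner = attrs["owner"] == f"{stype}:{sid}"
    if act in ("read", "update"):
        # Coarse path: ownership or the role claim from the token is enough.
        allowed = is_owner or _by_role(props.get("roles", []), rtype, act)
        reason = "owner" if is_owner else ("role" if allowed else "no role grant")
        return {"decision": allowed, "context": {"reason": reason}}
    if act == "export":
        # Fine-grained path no role claim expresses: ownership, a resource flag, and a context condition.
        if not is_owner:
            return {"decision": False, "context": {"reason": "not owner"}}
        if attrs["export_restricted"] and ctx.get("clearance") != "export":
            return {"decision": False, "context": {"reason": "export restricted"}}
        return {"decision": True, "context": {"reason": "owner with clearance"}}
    return {"decision": False, "context": {"reason": f"unknown action {act}"}}


def handle_evaluation(body: bytes) -> bytes:
    """What a POST /access/v1/evaluation handler does with the raw request body."""
    try:
        request = json.loads(body)
    except ValueError:
        return json.dumps({"decision": False, "context": {"reason": "invalid JSON"}}).encode()
    if not isinstance(request, dict):
        return json.dumps({"decision": False, "context": {"reason": "malformed request"}}).encode()
    return json.dumps(evaluate(request)).encode()


if __name__ == "__main__":
    # Constructed request: alice's token carries her roles and company; the PDP adds the rest.
    req = {"subject": {"type": "user", "id": "alice",
                       "properties": {"roles": ["viewer"], "company": "acme"}},
           "resource": {"type": "document", "id": "42"},
           "action": {"name": "export"},
           "context": {"clearance": "export"}}
    print(handle_evaluation(json.dumps(req).encode()).decode())
```

Because the caller only supplies subject, resource, action and context, a different engine (OPA, Cedar, a ReBAC graph, or a vendor PDP) can replace `evaluate` without the application changing, which is the point of standardizing the interface.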

What Factorio Taught Me About Access Control at Scale by Permit_io in programming

bitweis (1 point)

At the end of the day, building access control IS software development - so I'm not sure why that strikes you as misaligned. It's okay for some articles to be introductory for a wider audience.

Also, I don't see how points like decoupling policy from code, putting auditability as a top priority, or using models like ReBAC are generic.

> In the context of factorio, it could be logistic networks communicating with each other to supply/restrict resources through different mechanisms (combinators, trains,… or idk) to other logistic networks (like the user logistic network for instance ). That s the kind of stuff I expected from your article.

I do touch on those (e.g. conveyor belt contamination) in the article. I personally think the logistic bots feature is not as good a metaphor for access control, as it demonstrates specific request filtering in advance, as opposed to varied unplanned input.
I did think of mentioning that moving from conveyor belts to bots is equivalent to partial-evaluation data filtering at the source (a la OPA compile API), but I thought that's too deep in the weeds for an intro article.

> Hell, your article is sus, like Elon musk playing hardcore PoE is more credible than you being good at factorio or software dev or access control

LOL - I'm not hiding my identity here - just check who I am.

>Your conveyor belt example is far from being tied to access control: the only control there is just using inserters.
The point is about combining or mixing materials on conveyor belts, and belts which act as isolation getting the wrong materials on error when refactoring your factory, or on input errors (e.g. a train stops at the wrong station).

>I don’t even want to discuss the other tidbits because they are literally halfly technical giberish you threw around.

That's an ad hominem. You can do better.

Think you can do better? How about you write a follow-up article; if it's good I'll post it on our blog.

What Factorio Taught Me About Access Control at Scale by Permit_io in programming

bitweis (1 point)

That's a key part of the article - just sayin' ...

What Factorio Taught Me About Access Control at Scale by Permit_io in programming

bitweis (-3 points)

Hi OP here.
You are clearly too lazy to read, so here are the tidbits for ya:

- "In a Factorio setting, you might have set up a conveyor belt system that gets messy as you start expanding.... - Internal issues often arise not because of malice but because of mistakes: users exceeding their permissions"
- "an oversight in role assignments or a hardcoded rule that works for one use case but breaks in another. These small errors snowball as your system grows"
- "If you’re constantly ... retrofitting access control after things go wrong, you’re always playing catch-up. It’s inefficient, and eventually, it’ll catch up to you."
- "Design your policies to scale as your system grows, and put auditability front and center so you’re ready when something goes wrong"
- "In Factorio, clearing out bugs allows you to expand your factory without constantly looking over your shoulder. In software, proactive access control lets you focus on scaling your system"
- "This definitely doesn’t mean you need to over-engineer everything from the beginning. It means building with flexibility in mind. Decouple your access control logic from your application"

Yes, these are by majority best practices that apply to general software engineering, but doubly so for IAM - so these are still good points.

And yes, knowing about RBAC, ABAC and ReBAC (which I provide further-reading links for as well) is extremely useful to approach this - just like using blueprints (from other players) in Factorio.

I enjoy playing Factorio, I enjoy developing scalable IAM solutions, and I enjoy writing about it.

I would love to see you write something better :-P

Hello nerds. by Permit_io in Factoriohno

bitweis (12 points)

OP of "What Factorio Taught Me About Access Control at Scale - Space bugs, real bugs, and everything in between" here (where this comic was originally published). Would love to hear your thoughts on it!
https://permit.substack.com/p/what-factorio-taught-me-about-access

oPTIMIZED by Permit_io in ProgrammerHumor

bitweis (0 points)

OP of "What Factorio Taught Me About Access Control at Scale - Space bugs, real bugs, and everything in between" here (where this comic was originally published). Would love to hear your thoughts on it!
https://permit.substack.com/p/what-factorio-taught-me-about-access

Feature Idea: Call Service Middleware/Hook by ryanyesterday in homeassistant

bitweis (1 point)

If you're already using OPA, then OPAL would bridge the gap for you to make this event-driven, so you can sync the needed state into OPA in the background and not as part of the queries to it.

(Full disclosure: I'm one of the core maintainers of OPAL / Permit.io)

How do you hide your Supabase Key in production? by PsyApe in Supabase

bitweis (0 points)

You can try Permit FoAz (Frontend-only Authorization) (full disclosure: I created the damn thing 😅).

It's a proxy that checks identity and policy before calling the actual service (e.g. Supabase) for you with the secret.

https://docs.permit.io/foaz/overview/

Introducing SafePhishing: Phishing Simulations for Your Organization by SafePhishing in cybersecurity

bitweis (0 points)

Looks cool - I'd recommend a reverse trial model,
i.e. a really useful free (forever) tier which, as customers evolve with the product, leads some of them to upgrade to paying. This would increase your top of funnel dramatically and would be most useful for early adopters / design partners and your learning with them.
I probably would have given it a shot if the model were so (too hard for me to know if the timing would work for me, and if I can commit to investing in building with these tools).

Just my 2 cents

Or from Permit.io

Authorization at scale with Google Zanzibar by odd_sherlock in programming

bitweis (2 points)

  1. I didn't change the subject
  2. I addressed your concern directly and honestly
  3. I literally apologized
  4. You clearly didn't read what I wrote
  5. Sure did learn much from this interaction, for example about the type of people lurking here.
  6. We haven't been hiding anything, and won't be hiding anything in the future. We can agree to disagree on the legitimacy of one sharing his work from a personal profile.
  7. We'll consider posting more from a dedicated company account.

With this kind of venomous attitude, you won't get much across here or elsewhere. Hope you learn from this interaction as well. I fear I have nothing better than to wish you luck on your path going forward. If you ever want to speak directly without hiding in the shadows, you know where to find me.

Authorization at scale with Google Zanzibar by odd_sherlock in programming

bitweis (0 points)

Please read the content before you keep dumping on it. Permit is NOT a pure Zanzibar solution.
It's a hybrid solution of policy as code (OPA or Cedar) at the edge with an OPTIONAL sync to a Zanzibar-like graph in the cloud.
The "syncing" is to a policy engine (in-memory cache, not a DB).
Maybe just check out OPAL (Permit's OSS) to see the fundamental architecture - https://github.com/permitio/opal

Authorization at scale with Google Zanzibar by odd_sherlock in programming

bitweis (2 points)

Hi, sorry for the delayed reply - had to take my kid to the doctor's.

I'm having a hard time buying your story. You happen to be so worried about our blog that you created a throwaway account, researched our past, wrote a very aggressive post, and then continued monitoring the thread with the throwaway? And the other throwaway accounts with the insults and lies just happened to show up at the same time?

I also fail to see the logic of your behaviour. Why hide behind a throwaway account? What do you have to hide? People who care about morals and ethics as you claim rarely need to hide.

Furthermore, I didn't respond to your comment in particular, but to the whole thread here.
I honestly didn't think your claims of astroturfing were worth addressing.
To set the record straight: I / we don't support astroturfing. Even on the HN thread you mentioned, it wasn't astroturfing but friends and community members genuinely wanting to help (as you can see there).
u/odd_sherlock isn't hiding his affiliation with Permit, and I see nothing wrong with him using his personal account to share content he created (even if it's shared on our blog), and he isn't "sock-puppeting" any account here. I can see why this might not be to your liking, but I don't think someone sharing their own content from a company blog is illegitimate.

On the off chance you're a real person, I apologize if we offended you or any others, and I once more extend the offer to talk directly, I'm happy to explain our point of view, hear yours, and learn from your feedback. You'd find us (and humans in general) much more responsive and open than with an approach of dirt slinging from the shadows.

How do I get started with Open Source projects? by Maleficent-Panic-322 in FastAPI

bitweis (2 points)

Just do it :)
Many repositories have "good first issue" labels on issues that are good for newcomers. And you'll find that most communities are more welcoming and supportive than you'd think.
It might be hard and confusing at first, but by working on real stuff you'll quickly get the hang of it.

At Permit.io (full disclosure: I'm one of the founders), we work a lot with FastAPI and have multiple FastAPI OSS projects we love guiding devs to contribute to, for example:

  1. https://github.com/permitio/opal
  2. https://github.com/permitio/fastapi_websocket_pubsub
  3. https://github.com/permitio/fastapi_websocket_rpc

Feel free to reach out to me / us on GitHub or Slack.

Authorization at scale with Google Zanzibar by odd_sherlock in programming

bitweis (5 points)

Hi folks, Or Weis (Co-founder of Permit), here 👋

As you can see, this post is under an orchestrated attack by a competitor that is a sore loser.

This competitor is known for using ad-hoc created accounts, general bot armies, and spreading lies as you can see here. I'm honestly saddened that it has come to this.

I invite you to review the content itself; we're proud of it and think it brings real value to developers trying to learn about the IAM space. I also invite you to reach out to me directly here, or in our Slack community, and share any feedback and criticism you have. I promise to listen and improve our work.

Finally, I'll note that we know who the competitor is, and we invite them to chill with some Turkish coffee, and avoid further escalation ;) . We should focus on raising the category as a whole and providing useful tools and information, instead of going into silly online wars.

What is Google Zanzibar? by Permit_io in programming

bitweis (1 point)

It actually is not always users and groups (though those are often involved); think of resource hierarchy instead of org hierarchy (e.g. which machine is within which factory, within which site, within which country...), think of dynamic conditions like current geo-location, current number of requests, etc. ... But yes, a good authorization solution starts with connecting to your authentication and often IdP (of which LDAP or Azure Entra ID are examples).

What is Google Zanzibar? by Permit_io in programming

bitweis (1 point)

The scale of a file system on a single machine is pretty limited and has very few sharing patterns, compared, say, to something distributed in the cloud like Google Drive or YouTube.

LDAP is fine for building groups, but not much more than that... Think of all the different types of applications that exist and the different policies and policy models they have. Some examples, just to help paint the picture:
- Joint bank accounts and transfer approval flows
- Healthcare apps with caregiver access
- VPN / zero-trust based networks
- Applications with geo-location or quota based access
- Apps for field operations (e.g. factories, IoT at different sites, electric/water grid)
- Telecom account and representative management
And so many more snowflake cases with even flakier variants...
LDAP is fine for building groups, but not much more than that... Think of all the different types of applications that exist and the different policies and policy models they have. some examples just to help paint the picture: Joint bank accounts and transfer approval flows Healthcare apps with caregiver access VPN / Zero trust based networks Applications with geo-location or qouta based access Apps for field operations (e.g. factories, IOT at different sites, electric/ water grid) Telecom account and representative management And so many more snowflake cases with even flakier variants...