While our customers tell us they appreciate our Authentication (AuthN) features, we’ve seen an increase in requests to expand our Authorization (AuthZ) offering to help builders accelerate their development. This is why we’ve released key features like Organizations and Roles.
While reading Google’s Zanzibar paper describing their global access system, we found the approach to be highly creative and inspiring. It had the flexibility to support so many of their products and was scalable, highly reliable, and extremely fast. Companies like Airbnb and Carta have developed their own version, and companies and new products are being built inspired by Zanzibar. This is why we believe that Authorization systems built using the Zanzibar model are going to grow in number over the next few years.
What is Zanzibar
Zanzibar is Google’s global authorization system. It powers authorization for YouTube, Google Drive, Google Workspaces, Google Cloud Platform, and their other services. It drives Google’s core collaboration features like sharing a document with someone or sharing photos with a friend. Like anything Google makes, it has to scale to billions of users and trillions of digital objects. Creating an access control system for that many people and object combinations is a daunting task, and Google laid out how they did it in their 2019 Google Zanzibar paper. It talks about the different considerations and tradeoffs they made. Simplicity and extensibility were key considerations because Google needed to ensure that its internal teams could use the system for a wide array of use cases with certainty with how it would respond to their specific needs.
Zanzibar has steadily grown in popularity since the paper’s release. We set out this past year to talk with the organizations about their implementation experiences, and learn from what worked and didn’t work. You can find some of those discussions here.
Introducing Zanzibar Academy
We've always pushed to create content that is useful for the global development community and today we’re taking another important step in our Authorization journey by releasing the zanzibar.academy learning site. Zanzibar.academy is meant to help builders understand the value and power of Zanzibar style systems, much like JWT.io educates and spreads the understanding of the JSON Web Token standard. It’s a place for builders to learn the Zanzibar concepts in a progressive, guided way.
ReBAC in a Wider AuthZ World
One of the key differences between Google Zanzibar and other AuthZ systems is that Google Zanzibar uses graph-based data structures to create Relationship-Based Access Control (ReBAC). ReBAC centralizes more data so Access Control Lists (ACLs) are less cumbersome to manage.
With no viable alternatives, organizations have been rolling their own AuthZ, or extending systems like OPA, that handle policies for authorization based on attribute-based access control (ABAC), to manage things outside their typical use cases. These types of systems give developers an incredible amount of control over their authorization decisions, but also an incredible amount of responsibility to develop and manage them. Policies are also hard to build against, it’s very hard to create filtered lists of accessible resources in a search function based on a policy system.
Instead, Zanzibar offers a system that can be indexed and reverse indexed for various purposes in an application. It’s easily extensible, so new features can easily be added. In our own version we’re working to make this process easier for developers by creating an out-of-the-box assertions system, so developers can create automated tests of changes to their implementation. Zanzibar-style systems won’t solve all AtuthZ problems, there is still an important place for OPA-style ABAC systems, but Zanzibar systems will only be more widely adopted as time goes on.
Auth0 is here to support builders — and, frankly, what the team at Google created is inspiring. But learning from a paper isn’t always easy. With the Zanzibar Academy website and related presentations, we seek to make the concepts and practices in the Zanzibar paper easier to understand with interactive descriptions and examples — always with full credit to the original team.
We’re further supporting builders by creating our own version for developers to use. You can explore our implementation here. Inspired by the Zanzibar paper, we’ve applied our 8 years of experience in building tools for developers to build a version all builders will be delighted to use.
We’re excited for you to learn more at zanzibar.academy, we’ll see you there! If you’re interested in learning more about Zanzibar and Auth0s new Zanzibar based AuthZ platform, join our Discord community.