Identity != Permissions

Authorization is hard - and authorization is often conflated with authentication and identity. We think that tightly coupling "Identity and Access Management" in a single solution is the wrong approach. These two concerns should be clearly separated.

As your software becomes more complex, not maintaining this separation leads to problems. Back in 2016 we wrote a blog post that expressed this concern.

Identity + Permissions == Authorization

Identity is universal, whereas permissions are application specific. This is why the identity system should not define permissions.

Instead, identity should be one of the inputs to an authorization system. The combination of identity and an application-specific policy produces the actual permissions for an application.

While there are many ways to model authorization, we found that the concept of roles and permissions to be the most prevalent. Please watch the below recording to get more full background.


This is why we have developed "PolicyServer", which is an implementation of the above pattern.

We offer two versions of PolicyServer.

We have a very simple OSS proof of concept of the PolicyServer concept that can be used by applications that do not require a database or management UI for their authorization policies. It includes libraries that illustrate the patterns we believe in to achieve the separation of authentication and authorization for a single application.

Our commercial product includes a backend schema, management and runtime APIs, a management UI and has several tiers to allow for simpler solutions to manage few application policies, and enterprise solutions to manage policies for multiple applications, multi-tenancy, policy hierarchy, audit and more.