Top 5 Google Zanzibar open-source implementations in 2024

As organizations scale applications to millions of users, managing permissions and access control becomes increasingly complex. Google's Zanzibar authorization service emerged as the gold standard for handling this challenge, powering permissions across Google's vast ecosystem of products.

While Google hasn't publicly released Zanzibar, several open-source projects have implemented its core principles, offering developers powerful options for building scalable authorization systems.

In this article, we'll analyze the top 5 open-source implementations of Google Zanzibar in 2024, examining their strengths, trade-offs, and ideal use cases.

What is Google Zanzibar?

Google Zanzibar is a globally distributed authorization system that manages permissions at scale. Its key innovations include:

• Relationship-based modeling: Instead of traditional role-based access control (RBAC), Zanzibar uses a flexible relationship-based model that can express complex permission scenarios
• Consistency guarantees: The system provides external consistency and snapshot reads while handling millions of authorization checks per second
• Real-time updates: Changes to permissions are reflected globally within seconds
• Hierarchical namespaces: Resources and relationships can be organized hierarchically, enabling intuitive permission inheritance

Understanding fine-grained permissions: a practical example

To understand why Zanzibar-style fine-grained authorization is powerful, let's compare it with traditional role-based access control (RBAC) using a document management system example:First, let's consider a typical "coarse-grained" permissions approach.

This is a simplified example of traditional role-based access control (RBAC). Users are assigned roles (like "editor" or "viewer") globally. Documents specify which roles are allowed to access them. This creates a coarse-grained, inflexible permission system:

user.roles = ["editor"]  // User has a global "editor" role
document.allowedRoles = ["editor", "viewer"]  // Document allows editors and viewers

// Basic permission check function
// Simply checks if the user has ANY role that matches the document's allowed roles
function canAccessDocument(user, document) {
    return document.allowedRoles.some(role => user.roles.includes(role))
}

This model has a number of downsides. All editors have the same access to all documents that allow editors. You can't grant a user edit access to just one document.

You can't model nested permissions such as folders containing documents. You can't express complex relationships like "can share" or "can transfer ownership". Changing permissions in the deployed system means changing roles, which affects all documents.

Zanzibar takes a fundamentally different approach. Instead of global roles, it allows you to define custom entities (like documents, folders, or organizations) and their relationships using a schema language.

At runtime, the Zanzibar engine can efficiently traverse these relationship graphs and perform billions of permission checks per second.

Here's how a Zanzibar-inspired system like WorkOS FGA models the same scenario:

version 0.2

type user

type document
  relation viewer [user]
  relation editor [user]
  relation owner [user]
  
  // Inherit viewing permissions from editor relationship
  inherit viewer if
    relation editor
    
  // Define what editors can do through inheritance
  relation can_view []
  relation can_edit []
  relation can_share []
  relation can_delete []
  
  // Viewer can view
  inherit can_view if
    relation viewer
    
  // Editor can view, edit, and share
  inherit can_view if
    relation editor
  
  inherit can_edit if
    relation editor
    
  inherit can_share if
    relation editor
    
  // Only owner can delete
  inherit can_delete if
    relation owner

The resulting semantics are much richer allowing easier modeling of complex permissions scenarios.

Performance characteristics of Zanzibar

The performance characteristics of Zanzibar are remarkable:

• Sub-millisecond Latency: Most permission checks complete in microseconds
• Massive Scale: The system can handle billions of users and trillions of relationships
• Global Distribution: Changes to permissions propagate globally within seconds
• Consistent Results: The system provides external consistency across all nodes
• Efficient Storage: Relationship data is optimized for fast traversal
• Caching: Frequently accessed permissions are cached for even faster checks

Practical examples of fine-grained authorization

This model becomes particularly powerful when we consider familiar scenarios from Google's products. Consider how Google Drive implements these fine-grained permissions:

Direct sharing

When you share a document directly with colleague@company.com as an "Editor", Zanzibar creates a direct relationship:

user:colleague@company.com is editor of document:quarterly-report

Link sharing

When you create an "anyone with the link can comment" link, it creates a relationship with a group:

group:link-holders is commenter of document:quarterly-report

Nested folders

When you share a folder with your team, permissions cascade naturally:

group:marketing-team is viewer of folder:campaigns
folder:campaigns contains document:q2-campaign
// Zanzibar automatically determines marketing-team members can view q2-campaign

Mixed permissions

A document in a shared folder can have different permissions than its parent:

group:marketing-team is viewer of folder:campaigns
user:sarah@company.com is editor of document:q2-campaign
// Sarah has edit rights while others can only view

These real-world scenarios demonstrate why traditional role-based systems fall short. In Google Drive, a single user might be:

• An owner of their own documents
• An editor on their team's shared files
• A commenter on a client's proposal
• A viewer on company-wide resources

All these relationships are tracked and evaluated in real-time by Zanzibar, enabling the seamless permission management that users have come to expect from modern applications.

Top 5 Google Zanzibar open-source implementations in 2024

1. SpiceDB

SpiceDB is an open-source authorization database that closely mirrors Google Zanzibar's design principles.

Key Features:

• Schema-based modeling with built-in consistency guarantees
• Multi-backend support (PostgreSQL, CockroachDB, Spanner)
• Real-time permission updates via Watch API

Best For:

• Large-scale applications requiring strict consistency
• Teams needing enterprise-grade permission management
• Complex hierarchical permission scenarios

Limitations:

• Steeper learning curve than traditional RBAC
• Requires distributed systems expertise
• Limited third-party integrations

2. Permify

Permify focuses on multi-tenant scenarios and developer experience.

Key Features:

• Built for multi-tenant applications
• Custom schema modeling language
• Real-time permission updates

Best For:

• SaaS applications with multiple tenants
• Teams needing tenant isolation
• Projects with complex data relationships

Limitations:

• Early-stage project
• Limited production examples
• Smaller community support

3. OpenFGA

OpenFGA prioritizes developer experience while maintaining high performance.

Key features:

• User-friendly modeling language and visualization tools
• Dual API system for storage and computation
• Fast authorization checks with caching

Best for:

• Teams prioritizing quick implementation
• Applications needing visual modeling tools
• Projects with multiple authorization models

Limitations:

• Less extensive consistency guarantees
• Newer project with evolving practices
• Smaller community than alternatives

4. Warrant

Warrant is an open-source, highly scalable, centralized, fine-grained authorization service for defining, storing, querying, checking, and auditing application authorization models and access rules.

At its core, Warrant is a relationship based access control (ReBAC) engine (inspired by Google Zanzibar) capable of enforcing any authorization paradigm, including role based access control (RBAC), attribute based access control (ABAC), and relationship based access control (ReBAC).

Key features:

• HTTP APIs for managing your authorization model, access rules, and other Warrant resources
• Real-time, low-latency API for performing access checks in your application(s) at runtime
• Integrates with in-house and third-party identity providers
• Officially supported SDKs for popular languages and frameworks (backend and frontend)
• Support for a number of databases, including: MySQL, Postgres, and SQLite (in-memory or file)

Best for:

• Allow customers to define and manage their own roles and permissions via the Warrant self-service dashboard or your own custom dashboard built using Warrant's component library.
• Implementing fine-grained, object/resource-level authorization specific to your application's data model
• Getting a list of all the resources a given subject has access to
• Add centralized and auditable access control around your internal applications and tools.
• Implementing approval flows
• Add Google Docs-like sharing and permissioning for your application's resources and objects.
• Gate access to SaaS features based on your product's pricing tiers and feature packages.
• Satisfy auditing and compliance requirements of frameworks and standards such as SOC2, HIPAA, GDPR and CCPA.

Limitations:

• The open-source version of Warrant is only capable of handling low-to-moderate throughput and is best suited for POCs, development/test environments, and low throughput use-cases. For production environments, use WorkOS FGA.

5. Ory Keto

Ory Keto offers a microservice-oriented Zanzibar implementation.Key Features:

• Microservice-first architecture
• YAML configuration with DSL support
• HTTP/gRPC API flexibility

Best For:

• Microservice architectures
• Teams using Ory ecosystem
• Projects needing deployment flexibility

Limitations:

• Complex initial configuration
• Steep learning curve for DSL
• Limited standalone documentation

WorkOS: fine-grained authorization as a service

‍WorkOS FGA provides a centralized authorization service inspired by Google Zanzibar, designed for teams building modern applications.

Key Features:

• Fast, reliable permission checks via Check API
• Resource querying capabilities via Query API
• Centralized audit logging and monitoring
• Pre-built templates for common patterns

Best For:

• Teams needing quick time-to-market
• Applications requiring audit trails
• Multi-tenant SaaS applications
• Organizations wanting managed infrastructure

Trade-offs:

• Managed service vs. self-hosted control
• Higher cost than open-source options

Choosing the right FGA solution

When selecting an FGA implementation, consider these key factors:

• Scale: Will you need to handle millions of permission checks?
• Consistency: How important are strong consistency guarantees?
• Resources: Do you have the expertise to manage a distributed system?
• Integration: What existing systems need to connect to your authorization layer?

For organizations with standard authorization needs and a preference for managed services, WorkOS provides a compelling option.

The most important factor is aligning your choice with your organization's specific needs, technical capabilities, and growth trajectory.