Files
identity-canon/research/authorization-relationships/zanzibar-rebac.md
tegwick 1c1b5c9bc6 Complete IDENTITY-WP-0003 corpus backfill and model refinement
Backfill all 23 research source notes with terminology extracts, modeling
assumptions, conflicts, canonical mappings, and references. Refresh terminology
artifacts, refine the conceptual model with explicit scenario paths, reconcile
canon surfaces and open questions, and mark the workplan finished.
2026-06-21 20:22:20 +02:00

4.8 KiB

Google Zanzibar ReBAC

Source Type

Architecture pattern and research paper. Google Zanzibar (2019) defines relationship-based access control at global scale.

Domain

Relationship-based authorization, permission inheritance, and large-scale access control graphs.

Why This Source Matters

Zanzibar/OpenFGA-style relationship tuples are especially close to what identity-canon needs for memberships, ownership, representation, delegation, and tenant administration.

Zanzibar is the reference architecture for storing authorization facts as subject-relation-object tuples with computed permission expansion.

Key Concepts

  • Relation tuple: object#relation@subject or object#relation@subject#subject_relation.
  • Object: typed entity with namespace and ID (e.g., document:readme).
  • Subject: user, group, or object acting through a relation.
  • Relation: named edge type on an object type (owner, editor, viewer, member).
  • Userset rewrite: computed relations via union, intersection, exclusion, and arrow operators (e.g., parent->owner).
  • Namespace configuration: schema defining object types, relations, and rewrite rules.
  • Check API: evaluate whether subject has relation to object.
  • Expand API: enumerate subjects with relation to object.
  • zookie: consistency token for read-after-write semantics.
  • Group as subject: usersets allow group-like indirection in tuples.

Relevant Terminology

Term Source meaning
Tuple Stored authorization fact.
Object Resource or entity being authorized.
Subject Actor or userset granted a relation.
Relation Named permission edge on object type.
Userset Indirect subject reference via relation chain.
Namespace Schema for object types and relations.
Check Boolean permission query.
Expand Enumerate authorized subjects.
owner / editor / viewer Common relation names (deployment-specific).
parent relation Hierarchical inheritance via rewrite rules.

Modeling Assumptions

  • Authorization facts are relationships, not role assignments on users alone.
  • Subjects and objects are typed strings, not rich identity records.
  • Inheritance is computed from tuple graph via rewrite rules.
  • Identity provisioning is external; Zanzibar stores authorization state only.
  • Groups are modeled as objects with member relations, not as separate IAM groups.
  • Consistency matters for distributed reads (zookie tokens).
  • No canonical person model; subject IDs are opaque.

Identity-Canon Implications

  • Zanzibar tuple maps to Relationship Tuple (authorization projection).
  • Object maps to Authorization Resource projection.
  • Subject maps to Authorization Principal projection.
  • Relation maps to typed Relationship with authorization implication.
  • Namespace maps to Authorization Domain Scope.
  • Userset rewrite is authorization engine logic, not canonical identity.
  • Membership tuples (group:eng#member@user:alice) parallel Membership Relationship but live in authz layer.
  • Supports S05 (admin delegation), S08 (moderator relations), S10 (service account acting for org via tuple).

Terminology Conflicts

  • Subject: Zanzibar subject is authz participant; OIDC subject is identifier.
  • Object: Zanzibar object is authz resource; grammar object ≠ domain object.
  • Relation vs. Relationship: Zanzibar relation is permission edge; canon Relationship is broader (social, legal, operational).
  • Member: Zanzibar member relation on group object ≠ social membership.
  • User: Zanzibar user ID is opaque; no person/account distinction.

Candidate Canonical Mappings

Zanzibar concept Candidate canonical concept
Relation tuple Relationship Tuple (authorization projection)
Object Authorization Resource
Subject Authorization Principal
Relation name Relationship type (authz-implied)
Namespace config Authorization Domain Scope
Group object + member Group + Membership (authz projection)
Userset rewrite Authorization engine derivation (non-canonical)
zookie Consistency metadata (operational)

Open Questions

  • Should canonical Membership Relationship be shared between identity and authz layers, or always projected into tuples?
  • How should representation/delegation map to Zanzibar relations vs. identity-layer Representation Relationship?
  • Should object namespace prefixes map to Scope identifiers?
  • When does a social Following relationship warrant an authz tuple vs. remain identity-only?

References