Introduction
Authentication and authorization are often confused, but they solve different problems. Authentication verifies who a user is, while authorization determines what that user is allowed to do.
As applications grow, authorization becomes increasingly complex. A simple role-based approach may work for small applications, but enterprise systems often require more granular control. For example:
A user can edit documents they own.
Managers can view reports for their department.
Project members can access specific resources.
Administrators can manage permissions across the system.
Implementing these rules directly in application code quickly becomes difficult to maintain and scale.
This is where SpiceDB comes in.
SpiceDB is an open-source authorization database designed to manage fine-grained permissions at scale. Inspired by Google's Zanzibar authorization system, SpiceDB provides a centralized way to define, store, and evaluate permissions across applications.
In this article, we'll explore what SpiceDB is, how it works, and how organizations can use it to build scalable authorization systems.
What Is SpiceDB?
SpiceDB is a dedicated authorization system that allows developers to manage access control independently from application logic.
Instead of embedding permission checks throughout your codebase, SpiceDB centralizes authorization decisions.
Key capabilities include:
Fine-grained access control
Relationship-based permissions
Centralized authorization
Scalable permission evaluation
Multi-tenant support
API-driven architecture
Flexible permission modeling
SpiceDB is particularly useful for applications where permissions change frequently or involve complex relationships between users and resources.
Why Traditional Authorization Becomes Difficult
Many applications begin with Role-Based Access Control (RBAC).
Example:
Admin
Editor
Viewer
This works well initially but often becomes difficult to manage as requirements evolve.
Consider a project management platform:
Authorization logic becomes more complicated when permissions depend on ownership, team membership, resource hierarchy, or organizational structure.
Embedding these rules in application code often leads to:
A centralized authorization system helps solve these challenges.
Understanding Relationship-Based Access Control
SpiceDB uses a relationship-based authorization model.
Instead of assigning permissions directly, it stores relationships between users and resources.
Example:
Alice --> owner --> Document1
Bob --> viewer --> Document1
Carol --> editor --> Document1
Permissions are derived from these relationships.
This approach provides significantly more flexibility than traditional role-based systems.
How SpiceDB Works
A simplified SpiceDB architecture looks like this:
Application
|
v
SpiceDB
|
+---- Users
+---- Resources
+---- Relationships
|
v
Authorization Decision
When an application needs to verify access:
The application sends an authorization request.
SpiceDB evaluates relationships.
Permission rules are processed.
A decision is returned.
The application simply consumes the result.
Core Concepts in SpiceDB
Understanding a few core concepts is essential.
Objects
Objects represent resources within the system.
Examples:
document:123
project:456
repository:789
These are the entities being protected.
Subjects
Subjects represent actors.
Examples:
user:alice
user:bob
group:engineering
Subjects perform actions on resources.
Relationships
Relationships connect subjects and objects.
Example:
document:123#owner@user:alice
This means Alice owns Document 123.
Permissions
Permissions define what actions are allowed.
Examples:
view
edit
delete
share
Permissions are typically derived from relationships.
Defining an Authorization Schema
SpiceDB uses schemas to define authorization models.
Example:
definition user {}
definition document {
relation owner: user
relation viewer: user
permission view = owner + viewer
}
In this model:
Permissions are expressed declaratively rather than through application code.
Creating Relationships
After defining a schema, relationships can be stored.
Example:
document:report#owner@user:alice
document:report#viewer@user:bob
These relationships become part of the authorization graph.
SpiceDB uses this graph to evaluate access requests.
Checking Permissions
Suppose an application wants to determine whether Bob can view a document.
Authorization request:
Can user:bob view document:report?
SpiceDB evaluates the relationship graph and returns:
Allowed
The application does not need to understand how the decision was made.
It simply consumes the result.
Hierarchical Permissions
One of SpiceDB's strengths is handling hierarchical relationships.
Example:
Organization
|
v
Team
|
v
Project
|
v
Document
Permissions can flow through this hierarchy.
For example:
This greatly simplifies authorization management.
Real-World Example
Consider a document collaboration platform.
Relationships might look like:
Alice -> Owner -> Document A
Bob -> Editor -> Document A
Carol -> Viewer -> Document A
Permission rules:
Instead of implementing this logic throughout the application, SpiceDB handles it centrally.
Benefits of Using SpiceDB
Centralized Authorization
Permission logic exists in one place.
This reduces duplication and simplifies maintenance.
Fine-Grained Access Control
Permissions can be defined at the resource level.
Scalability
SpiceDB is designed for large-scale authorization workloads.
Consistency
Applications receive authorization decisions from a single source of truth.
Security
Centralized permission evaluation reduces the risk of inconsistent access controls.
Common Use Cases
SpiceDB is increasingly used across different industries.
SaaS Applications
Manage tenant-specific permissions and resource access.
Collaboration Platforms
Control access to documents, projects, and shared resources.
Enterprise Systems
Implement complex organizational authorization policies.
Developer Platforms
Manage repository, environment, and deployment permissions.
Cloud Services
Enforce access control across distributed infrastructure.
Best Practices
Design Authorization Early
Authorization models become harder to change as systems grow.
Plan relationships and permissions from the beginning.
Keep Schemas Simple
Avoid overly complex permission definitions whenever possible.
Centralize Authorization Logic
Do not duplicate permission checks across multiple services.
Audit Permissions Regularly
Review authorization models to ensure they reflect business requirements.
Test Permission Scenarios
Validate both expected access and denied access cases.
SpiceDB vs Traditional RBAC
| Feature | RBAC | SpiceDB |
|---|
| Role-Based Access | Yes | Yes |
| Relationship-Based Access | Limited | Yes |
| Fine-Grained Permissions | Limited | Yes |
| Hierarchical Permissions | Complex | Built-In |
| Centralized Authorization | No | Yes |
| Large-Scale Authorization | Moderate | Excellent |
While RBAC remains useful for many applications, SpiceDB provides much greater flexibility for modern systems with complex access requirements.
Conclusion
SpiceDB offers a powerful approach to authorization by treating permissions as relationships rather than hard-coded application logic. Inspired by Google's Zanzibar model, it enables organizations to build scalable, consistent, and fine-grained access control systems across modern applications.
Whether you're developing a SaaS platform, collaboration tool, enterprise application, or cloud service, SpiceDB can simplify authorization management while improving security and maintainability. By centralizing permission decisions and supporting relationship-based access control, it helps teams manage complex authorization requirements without increasing application complexity.