Core differences between Zanzibar-based solutions (Keto, OpenFGA, SpiceDB, Topaz)
Compared with SpiceDB
On the surface both products look alike, but here are the major differences:
- Multi Tenancy: Our architecture is tenancy-based, which means you can create custom authorization models and relation tuples accordingly for different tenants and manage them in a single place.
- Contextual Permissions: Permissions can be added dynamically to access check requests. When you send these relations along with your requests, they are processed alongside the existing relations in the database and a result is returned: https://docs.permify.co/operations/contextual-tuples
- Schema Management: We're taking an approach that helps engineering teams ease and streamline the management of, and collaboration on, their authorization logic. We have features like:
  - Schema Stating to handle schema changes in different stages and deploy schemas with our GitOps workflow, specifically designed to approve/merge and monitor schema changes.
  - Partial Schema Update gives you the ability to update a schema partially without needing to change the whole schema.
  - Data Bundles to handle multiple data creations and deletions when specific actions occur in your applications.
Compared with OpenFGA
Major differences:
- Better Performance: Observed guess, not necessarily a fact: Many folks have come to us from OpenFGA due to latency and performance issues. We’re implementing various levels of caching mechanisms to meet the required performance. We have also documented the differences in caching in the following document: https://permify.notion.site/Cache-Differences-Between-Permify-and-OpenFGA-3e32552227a94b069a6bfdd556e3b1ea.
- Schema Management: We're taking an approach that helps engineering teams ease and streamline the management of, and collaboration on, their authorization logic. We have features like:
  - Schema Stating to handle schema changes in different stages and deploy schemas with our GitOps workflow, specifically designed to approve/merge and monitor schema changes.
  - Partial Schema Update gives you the ability to update a schema partially without needing to change the whole schema.
  - Data Bundles to handle multiple data creations and deletions when specific actions occur in your applications.
Compared with ORY Keto
Major differences:
- Multi Tenancy: Our architecture is tenancy-based, which means you can create custom authorization models and relation tuples accordingly for different tenants and manage them in a single place. https://docs.permify.co/use-cases/multi-tenancy
- Attribute Based Access Control: We're supporting attribute-based access control and contextual permissions. This gives users the ability to define more complex policies using dynamic attributes such as boolean variables, IP range, time periods, location, etc.
- Schema Management: We're taking an approach that helps engineering teams ease and streamline the management of, and collaboration on, their authorization logic. We have features like:
  - Schema Stating to handle schema changes in different stages and deploy schemas with our GitOps workflow, specifically designed to approve/merge and monitor schema changes.
  - Partial Schema Update gives you the ability to update a schema partially without needing to change the whole schema.
  - Data Bundles to handle multiple data creations and deletions when specific actions occur in your applications.
- Contextual Permissions: Permissions can be added dynamically to access check requests. When you send these relations along with your requests, they are processed alongside the existing relations in the database and a result is returned: https://docs.permify.co/operations/contextual-tuples.
- Zookies Support: As far as I know, Ory Keto doesn't support Zookies consistency tokens, which are mentioned in the Zanzibar paper. Zookies are unique tokens created with each permission write, representing that specific action. Clients can store these tokens for each resource and optionally use them during runtime checks to ensure the checks are consistent with that particular write. This approach also helps prevent the "new-enemy problem", where permission checks could be inaccurate due to permission changes being processed out of order, by ensuring that writes are correctly ordered. You can learn more from our docs: https://docs.permify.co/operations/snap-tokens
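
The token mechanism described above, as an added example that is not code from Permify, Ory Keto or the Zanzibar paper: a toy Python model in which a check served from a lagging replica still allows a revoked user unless the stored token is sent with it. `TupleStore`, `replica_rev` and `new_enemy_scenario` are hypothetical names, and the token is assumed to be a plain log revision number.

```python
# Toy model of snapshot ("zookie"-style) tokens. Constructed for illustration;
# the class and method names are hypothetical, not Permify's or Keto's API.
from dataclasses import dataclass, field


@dataclass
class TupleStore:
    log: list = field(default_factory=list)  # ordered writes: (op, tuple)
    replica_rev: int = 0  # how many writes the lagging read replica has applied

    def write(self, op, subject, relation, resource):
        """Append a write and return its token (here simply the log revision)."""
        self.log.append((op, (subject, relation, resource)))
        return len(self.log)

    def _snapshot(self, rev):
        """Replay the first `rev` writes into the set of live tuples."""
        live = set()
        for op, tup in self.log[:rev]:
            if op == "add":
                live.add(tup)
            else:
                live.discard(tup)
        return live

    def check(self, subject, relation, resource, token=None):
        """Without a token, answer from the replica's possibly stale state.
        With a token, evaluate at a revision at least as new as that write
        (a real service would wait for, or route to, a fresh enough node)."""
        rev = self.replica_rev if token is None else max(self.replica_rev, token)
        return (subject, relation, resource) in self._snapshot(rev)


def new_enemy_scenario():
    """Bob's access is revoked, but the replica has only applied the grant."""
    store = TupleStore()
    store.write("add", "user:bob", "viewer", "doc:plan")
    store.replica_rev = 1
    # The application stores this token alongside doc:plan.
    token = store.write("delete", "user:bob", "viewer", "doc:plan")
    stale = store.check("user:bob", "viewer", "doc:plan")         # no token
    fresh = store.check("user:bob", "viewer", "doc:plan", token)  # with token
    return token, stale, fresh


if __name__ == "__main__":
    print(new_enemy_scenario())
```

The token-less check is the case to watch for in review: any check on a resource whose permissions were just changed should carry the token saved from that write.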
Compared with Topaz