Access Control
LumoAuth provides multiple authorization models that can be used independently or combined to meet any access control requirement - from simple role checks to complex, context-aware policies.
Authorization Models
| Model | Best For | Complexity |
|---|---|---|
| RBAC | Simple role-based access | Low |
| Groups | Organizing users by team/department | Low |
| ABAC | Context-aware, attribute-based decisions | Medium |
| Zanzibar | Fine-grained relationship-based access (Google Zanzibar) | High |
| AI Policy Authoring | Natural language policy creation | Low (input), High (output) |
How They Work Together
You can use one model or layer them. For example:
- RBAC only - Assign users to roles like `admin`, `editor`, `viewer`
- RBAC + Groups - Assign roles to groups, users inherit permissions via group membership
- RBAC + ABAC - Base access on roles, with attribute conditions (e.g., "editors can only edit during business hours")
- Zanzibar - Model complex relationships (e.g., "user can edit document if they own it or if it's shared with their team")
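
The layering described in the list above, as an added Python sketch. It is not LumoAuth code or its API: the role, group and tuple data, the Mon-Fri 09:00-17:00 window and all function names are assumptions made for illustration.

```python
# Constructed sample data; names and schema are hypothetical, not LumoAuth's.
ROLE_PERMS = {"admin": {"read", "edit", "delete"},
              "editor": {"read", "edit"},
              "viewer": {"read"}}
USER_ROLES = {"alice": {"viewer"}, "bob": {"viewer"}}
USER_GROUPS = {"alice": {"docs-team"}}
GROUP_ROLES = {"docs-team": {"editor"}}
# Relationship tuples: (object, relation, subject). "x#member" names a userset.
TUPLES = {("doc:1", "owner", "user:carol"),
          ("doc:1", "shared_with", "group:docs-team#member"),
          ("group:docs-team", "member", "user:alice")}


def effective_roles(user):
    """RBAC + Groups: direct roles plus roles inherited through groups."""
    roles = set(USER_ROLES.get(user, ()))
    for group in USER_GROUPS.get(user, ()):
        roles |= GROUP_ROLES.get(group, set())
    return roles


def role_check(user, action, now):
    """RBAC + ABAC: a role must grant the action (default deny), then an
    attribute condition narrows it: edits only Mon-Fri 09:00-17:00 (assumed)."""
    if not any(action in ROLE_PERMS.get(r, ()) for r in effective_roles(user)):
        return False
    return action != "edit" or (now.weekday() < 5 and 9 <= now.hour < 17)


def has_relation(obj, relation, user, depth=0):
    """Relationship check: direct tuple, or membership in a referenced userset."""
    if depth > 8:  # bound recursion in case tuples form a cycle
        return False
    for o, r, subject in TUPLES:
        if (o, r) != (obj, relation):
            continue
        if subject == f"user:{user}":
            return True
        if "#" in subject:
            set_obj, set_rel = subject.split("#", 1)
            if has_relation(set_obj, set_rel, user, depth + 1):
                return True
    return False


def can_edit_document(user, doc):
    """'User can edit if they own it or it is shared with their team.'"""
    return has_relation(doc, "owner", user) or has_relation(doc, "shared_with", user)
```

Here `alice` holds only `viewer` directly and gains `edit` through her group, while `bob` shows the default-deny path in both models.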
Quick Comparison
| Feature | RBAC | Groups | ABAC | Zanzibar |
|---|---|---|---|---|
| Role-based decisions | ✅ | ✅ (via groups) | ❌ | ❌ |
| Attribute conditions | ❌ | ❌ | ✅ | ❌ |
| Relationship-based | ❌ | ❌ | ❌ | ✅ |
| Hierarchical | ❌ | ✅ | ❌ | ✅ |
| Context-aware | ❌ | ❌ | ✅ | ❌ |
| Scalable to millions of objects | ❌ | ❌ | ❌ | ✅ |
Permission Testing
LumoAuth includes a Permission Tester that lets you evaluate access decisions in real time without affecting production:
URL: /t/{tenantSlug}/portal/access-management/permission-tester
The permission tester lets you:
- Select a user and a resource
- Choose an action (read, write, delete, etc.)
- See which policies match and what the decision would be
- Debug why access was granted or denied
Portal Locations
All access control features are managed under:
In This Section
| Guide | Description |
|---|---|
| Roles & Permissions | Define roles, assign permissions, manage RBAC |
| Groups | Organize users and assign roles to groups |
| ABAC | Attribute-based access control policies |
| Zanzibar | Fine-grained relationship-based access control |
| AI Policy Authoring | Create access policies using natural language |