Skip to content
IAM Day by Day

Zanzibar & Relationship-Based Access Control (ReBAC)

The Sovereign Logic of Global Scale

Section titled “The Sovereign Logic of Global Scale”

Zanzibar is the “Sovereign Logic” of Google’s global-scale authorization system, handling trillions of access checks across services like Drive, YouTube, and Cloud. It introduced the world to Relationship-Based Access Control (ReBAC), a model where permissions are not just about “Roles,” but about a recursive graph of relationships between subjects and objects. In a Zanzibar-based system, authorization is externalized into a high-performance, centralized service that can answer a simple question: “Does User U have relation R on Object O?” with sub-millisecond latency and global consistency. For the IAM architect, Zanzibar/ReBAC represents the End-State of Authorization, providing the scalability and precision required for the modern, interconnected enterprise.

REBAC / ZANZIBAR

Graph Sovereign
Core Mission
Universal Relationship Authority. Establishing a high-performance, graph-based authorization framework that ensures access decisions are consistent, scalable, and inherently tied to the structural relationships of the organization.
Like a Global Family Tree of Trust: Imagine your organization's permissions are like a massive, global family tree. You don't have to keep a list of "Who can see the family photos." Instead, you define a rule: "Only family members can see the photos." If you are a child of a person who is a sibling of the photo owner, the "Sovereign Sentry" (Zanzibar) instantly calculates that relationship path. You don't need a specific "Photo Viewer" role; your position in the family tree (The Relationship Graph) defines your access automatically.
Global-Scale SaaS / Complex Document Sharing / Multi-Tenant Isolation / Nested Group Hierarchies

The ReBAC Architecture Matrix

Section titled “The ReBAC Architecture Matrix”

Designing for ReBAC requires moving from “Roles” to “Tuples” and “Relationship Chains.”

Strategic Architectural Pillars

Section titled “Strategic Architectural Pillars”
PillarStrategic ResponsibilityIAM Implementation
Object-Relationship TuplesThe Atom of Trust.Storing data as (object, relation, user)—e.g., (doc:1, editor, user:123).
Recursive ExpansionDynamic Authority.Calculating access by traversing relationship paths (e.g., user is member of group, group is owner of folder).
Zookies (Consistency)Global Sync.Using consistency tokens to ensure an authorization check is always evaluated against the latest transaction.
Unified SchemaCentralized Logic.Defining a single, enterprise-wide schema for all application relationships.

The Zanzibar Authorization Handshake

Section titled “The Zanzibar Authorization Handshake”

Evaluating access in a ReBAC system follows a “Tuple-Expansion-Result” path.

graph LR
    Check[Check: Is User U Editor of Doc D?] --> Expand[Expand: Traverse Relationship Graph]
    Expand --> Match[Match: Find Valid Path]
    Match --> Result[Return: PERMIT / DENY]
1

Subject-Object Identification

The application asks the "Sovereign Engine" (Zanzibar Service) for a check. It provides the **Subject ID**, the **Relation**, and the **Object ID**. The engine looks up the "Schema" to understand what "Editor" means for a "Document" object.

2

Graph Expansion & Traversal

The engine performs a recursive search. It doesn't just look for a direct `editor` tuple. It checks if the user is part of a **Group** that is an `editor`, or if the user is an `owner` (which implies `editor` rights). It traverses the "Relationship Fabric" at lightning speed to find any path that grants access.

3

Consistency-Aware Result

Crucially, the engine uses **Zookies** (consistency cookies) to ensure that if a user was JUST added to a group, the authorization check sees that change. Once a path is found or the search is exhausted, it returns a binary **PERMIT** or **DENY** response to the application, which then enforces the decision.

Technical ReBAC Implementation

Section titled “Technical ReBAC Implementation”

Defining a ReBAC schema (using an OSO or OpenFGA-like DSL) allows for “Authorization-as-Code.”

ReBAC Schema (Example DSL)

Section titled “ReBAC Schema (Example DSL)”
# Defining document relationships in a ReBAC schema
type user


type folder
  relations
    define viewer: [user] or owner
    define owner: [user]


type document
  relations
    define parent: [folder]
    define viewer: [user] or parent->viewer
    define editor: [user] or parent->owner

ReBAC Implementation Guides

Section titled “ReBAC Implementation Guides”

Master the technical ceremonies of relationship-based access control and Zanzibar-scale authorization.

Fine-Grained Design

Designing the atomic tuples required for surgical-precision security.

Hybrid Auth Logic

Combining ReBAC relationships with ABAC attributes for real-time contextual decisions.

Universal Governance

Integrating a centralized ReBAC engine into your global identity fabric architecture.

FGA Security Testing

Tools and patterns for verifying the integrity of complex relationship graphs.

Next Steps

Section titled “Next Steps”