Authorization

Relationship-Based Access Control (ReBAC)

ReBAC models authorization as a graph of relationships — *user is editor of document, document is in folder, folder belongs to team* — making it ideal for collaborative products like Google Docs, Notion, GitHub, and Figma.

Last reviewed 5/30/2026

Key points

  • Popularized by Google's Zanzibar paper (2019)
  • Native fit for collaboration, sharing, and hierarchical resources
  • Decision = graph traversal over user-resource relationships
  • Open-source implementations: SpiceDB, OpenFGA, Ory Keto, Warrant
  • Coexists with RBAC and ABAC — not always a replacement

What it is

Relationship-Based Access Control (ReBAC) describes authorization in terms of relationships between subjects and resources, not just roles or attributes. Alice is an editor of doc:123. Doc:123 is in folder:42. Folder:42 is owned by team:design. Whether Alice can edit doc:123 is a graph traversal.

ReBAC was popularized by Google's 2019 Zanzibar paper describing the system that powers sharing in Google Docs, Drive, Calendar, and YouTube.

How it works

You model a schema of object types and relations (document { editor, viewer, parent: folder }). You write relationship tuples (document:123#editor@user:alice). At check time the engine answers check(user:alice, edit, document:123) by walking the relationship graph.
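As an added example (not code from Zanzibar or from any of the tools named on this page), the following small Python checker shows the three pieces above: a schema of object types and relations, relationship tuples in the document:123#editor@user:alice form, and a check() that answers by walking the graph. The schema and tuples are constructed for illustration and assume that owners are editors, editors are viewers, and a document inherits editors from its parent folder.

```python
from collections import defaultdict

# Schema: each relation lists the rewrite rules that grant it.
#   ("this",) = direct tuples; ("computed", rel) = holders of rel on the same
#   object; ("tuple_to_userset", via, rel) = holders of rel on objects linked by via
SCHEMA = {
    "document": {
        "parent": [("this",)],
        "owner": [("this",)],
        "editor": [("this",), ("computed", "owner"),
                   ("tuple_to_userset", "parent", "editor")],
        "viewer": [("this",), ("computed", "editor")],
    },
    "folder": {"owner": [("this",)], "editor": [("this",), ("computed", "owner")]},
    "team": {"member": [("this",)]},
}
# Constructed tuples in "object#relation@subject" form; a subject may itself be
# a userset such as team:design#member.
TUPLES = [
    "document:123#parent@folder:42",
    "folder:42#owner@team:design#member",
    "team:design#member@user:alice",
    "document:123#viewer@user:bob",
]
GRAPH = defaultdict(set)  # (object, relation) -> set of subjects
for _t in TUPLES:
    _left, _subject = _t.split("@", 1)  # split on '@' first: subjects may contain '#'
    GRAPH[tuple(_left.split("#", 1))].add(_subject)

def check(subject, relation, obj, seen=None):
    """True if subject holds relation on obj, decided by walking the graph."""
    seen = set() if seen is None else seen
    if (subject, relation, obj) in seen:  # cycle guard for recursive schemas/data
        return False
    seen.add((subject, relation, obj))
    for rule in SCHEMA.get(obj.split(":", 1)[0], {}).get(relation, []):
        if rule[0] == "this":
            for s in GRAPH[(obj, relation)]:
                if s == subject:
                    return True
                if "#" in s:  # userset subject: recurse into its members
                    uobj, urel = s.split("#", 1)
                    if check(subject, urel, uobj, seen):
                        return True
        elif rule[0] == "computed" and check(subject, rule[1], obj, seen):
            return True
        elif rule[0] == "tuple_to_userset" and any(
                check(subject, rule[2], o, seen) for o in GRAPH[(obj, rule[1])]):
            return True
    return False
```

With these tuples, alice can edit document:123 only because team:design owns folder:42, which the document inherits from; bob, a direct viewer, cannot.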

When buyers care

  • Building B2B SaaS with sharing, collaboration, or multi-tenant hierarchies
  • Replacing tangled application-level permission code
  • Anyone whose current authorization is a bug factory of if user.role == ... and resource.team_id == ...
  • Centralizing authz across many services (the Zanzibar pattern)

ReBAC vs RBAC vs ABAC

  • RBAC: which role do you have?
  • ABAC: what attributes do you, the resource, and the environment have?
  • ReBAC: what is your relationship to this specific resource?

Real apps usually combine all three.

Tools

  • SpiceDB (Authzed) — open-source Zanzibar implementation, hosted offering available
  • OpenFGA (Okta/Auth0) — CNCF Sandbox project
  • Permit.io, Warrant, Cerbos — broader authorization platforms with ReBAC support
  • Ory Keto — open-source Zanzibar-inspired engine

FAQ

Should I move all authz to ReBAC?

Not necessarily. ReBAC shines for resource-graph problems (sharing, hierarchies, multi-tenancy). Coarse role checks are fine in RBAC. Most mature systems use ReBAC for resource permissions and RBAC for org-wide roles.