Access Control
LumoAuth supports three authorization models, each suited to a different class of access problem. This overview compares them so you can pick — or combine — the right one for your organization.
A quick recap of each model:
- RBAC (Role-Based Access Control). Users are assigned roles; roles hold named permissions. The simplest model — use when access is primarily a function of job title.
- ABAC (Attribute-Based Access Control). Policies evaluate attributes of the subject (user), resource, action, and environment (time, IP, device). Use when decisions depend on dynamic context.
- Zanzibar / ReBAC (Relationship-Based Access Control). Access is stored as relation tuples like `document:readme#editor@user:alice` ("alice is an editor of document readme"). The check engine walks the relation graph. Use when access is driven by hierarchy and sharing — folders, teams, ownership.
Authorization Models
| Model | Best For | Complexity |
|---|---|---|
| RBAC | Simple role-based access | Low |
| Groups | Organizing users by team/department | Low |
| ABAC | Context-aware, attribute-based decisions | Medium |
| Zanzibar | Relationship-based access for hierarchical resources | High |
| AI Policy Authoring | Generate policies from natural language | Low (input), High (output) |
How They Work Together
You can run one model or layer them:
- RBAC only — assign users to roles like `admin`, `editor`, `viewer`.
- RBAC + Groups — assign roles to groups; users inherit permissions via group membership.
- RBAC + ABAC — role gates the capability, ABAC adds conditions (for example, "editors can only edit during business hours").
- Zanzibar — model relationships directly (for example, "a user can edit a document if they own it or if it is shared with their team").
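As an added example (not LumoAuth's check engine or API), the following Python sketch parses relation tuples in the `object#relation@subject` form used above and walks the graph for the rule "a user can edit a document if they own it or if it is shared with their team"; the schema, tuples and users are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample tuples (object#relation@subject): alice owns readme,
# readme is shared with team:eng, bob is a member of team:eng, and carol
# edits a different document. No real LumoAuth data is used.
TUPLES = [
    "document:readme#owner@user:alice",
    "document:readme#shared_team@team:eng",
    "team:eng#member@user:bob",
    "document:notes#editor@user:carol",
]

# Hypothetical schema for this example. A rule without '#' is a computed
# userset (owner implies editor); a rule like shared_team#member is a
# tuple-to-userset: follow obj#shared_team to each team, then check member.
SCHEMA = {
    "document": {
        "editor": ["owner", "shared_team#member"],
        "viewer": ["editor"],
    },
}

def parse(tuple_str):
    """Split 'object#relation@subject' into (object, relation, subject)."""
    obj, rest = tuple_str.split("#", 1)
    relation, subject = rest.split("@", 1)
    return obj, relation, subject

GRAPH = defaultdict(set)  # (object, relation) -> set of subjects
for t in TUPLES:
    obj, rel, subj = parse(t)
    GRAPH[(obj, rel)].add(subj)

def check(obj, relation, user, depth=0):
    """True if user reaches obj#relation directly, through a relation the
    schema says implies it, or through a tuple-to-userset rule."""
    if depth > 10:  # bound recursion in case a schema or tuple set is cyclic
        return False
    if user in GRAPH.get((obj, relation), ()):  # direct tuple
        return True
    obj_type = obj.split(":", 1)[0]
    for rule in SCHEMA.get(obj_type, {}).get(relation, []):
        base, _, nested = rule.partition("#")
        if nested:  # tuple-to-userset: expand nested relation on each related object
            if any(check(o, nested, user, depth + 1) for o in GRAPH.get((obj, base), ())):
                return True
        elif base != relation and check(obj, base, user, depth + 1):
            return True  # computed userset: base relation implies this one
    return False
```

With these tuples, `check("document:readme", "editor", "user:bob")` is granted through `team:eng`, while `user:carol` is denied because no path in the graph reaches her.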
Quick Comparison
| Feature | RBAC | Groups | ABAC | Zanzibar |
|---|---|---|---|---|
| Role-based decisions | ✅ | ✅ (via groups) | ❌ | ❌ |
| Attribute conditions | ❌ | ❌ | ✅ | ❌ |
| Relationship-based | ❌ | ❌ | ❌ | ✅ |
| Hierarchical | ❌ | ✅ | ❌ | ✅ |
| Context-aware | ❌ | ❌ | ✅ | ❌ |
| Scales to many objects | ❌ | ❌ | ❌ | ✅ |
Permission Testing
The Permission Tester evaluates access decisions without affecting production data.
URL: /orgs/{orgId}/portal/access-management/permission-tester
The tester lets you:
- Select a user and a resource.
- Choose an action (read, write, delete, etc.).
- See which policies match and what the resulting decision would be.
- Debug why access was granted or denied.
Portal Locations
All access control features live under access-management:
In This Section
| Guide | Description |
|---|---|
| Roles & Permissions | Define roles, assign permissions, manage RBAC |
| Groups | Organize users and assign roles to groups |
| ABAC | Attribute-based access control policies |
| Zanzibar | Relationship-based access control |
| AI Policy Authoring | Generate policies from natural language |