# Authorization Overview
Full authorization-as-a-service with RBAC, ABAC, ReBAC, and Federation.
The PlatformXe Authorization Engine is a full authorization-as-a-service offering that combines four models into a single, layered evaluation pipeline. Unlike PlatformXe's messaging and storage services (which act as dumb pipes), the Authorization Engine is a domain service that tenants configure directly.
## Four authorization models
| Model | What it does |
|---|---|
| RBAC (Role-Based) | Assign roles with capabilities or module permissions to users |
| ABAC (Attribute-Based) | Evaluate conditions against request context using 13 operators with all/any/not combinators |
| ReBAC (Relationship-Based) | Zanzibar-style tuple store with graph traversal (max depth 5, cycle detection) |
| Federation | Multi-app permission orchestration — link apps into shared namespaces (Enterprise only) |
## How evaluation works
When you call the permission check endpoint, the engine evaluates in a fixed order:
1. Admin overrides — explicit grant or deny for a specific user, checked first
2. Role capabilities — does the user's role include the requested capability?
3. ABAC conditions — do attribute-based conditions on the role apply?
4. Resource policies — does a resource policy grant or deny access?
5. ReBAC graph — does a relationship path exist between the user and the resource?
The first layer that produces a definitive result wins. Explicit denies always take priority over grants.
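The pipeline above, written out as an added example (not PlatformXe's own code): each layer returns a decision or "no opinion", the first definitive layer wins, and an explicit deny outranks a grant within a layer. The `Store`, `Req`, `check` and `rebacAllows` names, the data shapes, the three sampled ABAC operators and the default-deny fallback are all assumptions.

```typescript
// Added illustration of the layered check described above; not PlatformXe code. All names are assumptions.
type Decision = "allow" | "deny"; type Source = "override" | "role" | "abac" | "policy" | "rebac" | "default";
interface Cond { attr: string; op: "eq" | "in" | "gt"; value: unknown } // three of the ABAC operators
interface Role { caps: string[]; conditions?: Cond[] } // conditions present = ABAC-gated role
type Tuple = [string, string, string]; // [subject, relation, object]
export interface Store {
  overrides: { user: string; cap: string; effect: Decision }[];
  userRoles: Record<string, string[]>;
  roles: Record<string, Role>;
  policies: { resource: string; cap: string; user: string; effect: Decision }[];
  tuples: Tuple[];
  relationCaps: Record<string, string[]>; // relation on the final hop -> capabilities it implies
}
export interface Req { user: string; cap: string; resource: string; ctx: Record<string, unknown> }
function holds(c: Cond, ctx: Record<string, unknown>): boolean {
  const v = ctx[c.attr];
  if (c.op === "eq") return v === c.value;
  if (c.op === "in") return Array.isArray(c.value) && c.value.includes(v);
  return typeof v === "number" && typeof c.value === "number" && v > c.value;
}
// Within one layer an explicit deny outranks a grant; no matching entry means "no opinion".
function effectOf(entries: { effect: Decision }[]): Decision | undefined {
  return entries.length ? (entries.some(e => e.effect === "deny") ? "deny" : "allow") : undefined;
}
// ReBAC: bounded breadth-first walk from the user (visited set = cycle detection); a hop that lands on
// the resource grants only if its relation implies the requested capability.
export function rebacAllows(s: Store, r: Req, maxDepth = 5): boolean {
  let frontier = [r.user]; const seen = new Set(frontier);
  for (let depth = 0; depth < maxDepth && frontier.length; depth++) {
    const next: string[] = [];
    for (const node of frontier) for (const [sub, rel, obj] of s.tuples) {
      if (sub !== node) continue;
      if (obj === r.resource && (s.relationCaps[rel] ?? []).includes(r.cap)) return true;
      if (!seen.has(obj)) { seen.add(obj); next.push(obj); }
    }
    frontier = next;
  }
  return false;
}
export function check(s: Store, r: Req): { decision: Decision; source: Source } {
  const roles = (s.userRoles[r.user] ?? []).map(n => s.roles[n]).filter(x => x);
  const layers: [Source, () => Decision | undefined][] = [
    ["override", () => effectOf(s.overrides.filter(o => o.user === r.user && o.cap === r.cap))],
    ["role", () => roles.some(x => !x.conditions && x.caps.includes(r.cap)) ? "allow" : undefined],
    ["abac", () => roles.some(x => x.conditions?.every(c => holds(c, r.ctx)) && x.caps.includes(r.cap)) ? "allow" : undefined],
    ["policy", () => effectOf(s.policies.filter(p => p.resource === r.resource && p.cap === r.cap && p.user === r.user))],
    ["rebac", () => rebacAllows(s, r) ? "allow" : undefined],
  ];
  for (const [source, run] of layers) { const d = run(); if (d) return { decision: d, source }; } // first definitive layer wins
  return { decision: "deny", source: "default" }; // assumed default: nothing grants -> deny
}
```

The returned `source` is what a decision log would record alongside the allow/deny outcome.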
## How it compares
| Feature | PlatformXe | Auth0 FGA | SpiceDB | Permit.io |
|---|---|---|---|---|
| RBAC | Yes | Yes | Via schema | Yes |
| ABAC | Yes (13 operators) | Limited | No | Yes |
| ReBAC | Yes (Zanzibar) | Yes (Zanzibar) | Yes (Zanzibar) | Yes |
| Federation | Yes | No | No | No |
| Audit logs | Yes (90-day) | Limited | No | Yes |
| Nigeria-first pricing | Yes (NGN) | No | No | No |
Federation is PlatformXe's unique differentiator. Enterprise tenants can link multiple applications into shared authorization namespaces, pull modules across apps, and push resolved permissions — no other authorization service offers this.
## Access methods
- REST API — full CRUD for roles, policies, relationships, and permission checks
- TypeScript SDK — typed client with retry, timeout, and circuit breaker
- Tenant Portal — 8 management pages for roles, editor, relationships, audit, overrides, policies, federation, and federation detail
## Audit trail
Every permission decision is logged immutably:
- Decision logs — who checked what, when, and the result (allowed/denied with source)
- Change logs — every mutation to roles, policies, overrides, and relationships
- 90-day retention — logs are retained for 90 days, with automated cleanup via cron
- Export — query and export audit logs via the API (`permissions:audit` scope)
## Next steps
- Authorization Quick Start — create a role and check a permission in 3 steps
- Permission Check API — full API reference for permission checks