Explore open-source frameworks and libraries for managing user authentication, authorization, and fine-grained permission systems.
Casbin is an authorization library designed to manage application access control and permissions through a configurable model-based engine. It serves as a centralized system for verifying whether a user has permission to perform specific actions on a resource. The engine supports multiple access control models, including Role-Based Access Control, Attribute-Based Access Control, and Access Control Lists. It allows for the definition of role hierarchies and the evaluation of user, resource, and environment attributes to make access decisions. The library decouples authorization logic from dat
Casbin is an authorization library that provides a configurable model-based engine supporting RBAC, ABAC, ACL, and role hierarchies, making it a straightforward fit for policy-as-code and fine-grained access control; it covers authorization decisions only (authentication is left to the application) and is a well-established solution in the space.
Casbin is an authorization library that provides a model-based engine for enforcing access control across diverse application environments. It decouples authorization logic from application code by using a configuration-driven approach, allowing developers to define access rules and evaluation logic independently. The system supports a wide range of access control models, including role-based, attribute-based, and relationship-based patterns, which are evaluated at runtime to determine if a subject is permitted to perform an action on a resource. The project distinguishes itself through a hig
Casbin is a model-based authorization engine that supports policy-as-code, RBAC, and ABAC; it makes access decisions only, leaving authentication to the application or an identity provider, which makes it a strong fit for enforcing fine-grained access control across applications and APIs.
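The model/policy split that both Casbin entries above describe, as an added Python example that is not Casbin's own code or API: the policy text follows Casbin's familiar CSV layout (`p, subject, object, action` grants and `g, member, role` assignments), and the small enforcer resolves role inheritance transitively before matching a request. The sample policy, subject names and paths are constructed for illustration.

```python
"""Casbin-style model-based RBAC check (added illustration, not Casbin's API).

Policy lines use Casbin's conventional CSV layout:
  p, <subject-or-role>, <object pattern>, <action>   -> a grant
  g, <member>, <role>                                -> member inherits role
Roles may inherit from other roles, so a subject's effective roles are the
transitive closure of its `g` lines.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample policy (assumed data, not from any real deployment).
POLICY_CSV = """
p, admin,  /api/*,          GET
p, admin,  /api/*,          POST
p, editor, /api/articles/*, POST
p, reader, /api/articles/*, GET
g, editor, reader
g, alice,  admin
g, bob,    editor
"""


def load_policy(text):
    """Parse policy CSV into (grants, role_map).

    grants:   list of (subject, object_pattern, action)
    role_map: member -> set of roles held directly
    """
    grants = []
    role_map = defaultdict(set)
    for raw in text.strip().splitlines():
        ptype, *fields = [f.strip() for f in raw.split(",")]
        if ptype == "p" and len(fields) == 3:
            grants.append(tuple(fields))
        elif ptype == "g" and len(fields) == 2:
            role_map[fields[0]].add(fields[1])
        else:
            # Fail closed on malformed policy rather than silently ignoring it.
            raise ValueError(f"malformed policy line: {raw!r}")
    return grants, role_map


def effective_roles(role_map, subject):
    """All roles the subject holds, directly or through role inheritance.

    The visited set keeps this safe if someone writes a cycle (g, a, b / g, b, a).
    """
    seen, stack = set(), [subject]
    while stack:
        for role in role_map.get(stack.pop(), ()):
            if role not in seen:
                seen.add(role)
                stack.append(role)
    return seen


def enforce(grants, role_map, sub, obj, act):
    """Deny by default. Allow if some grant names the subject or one of its
    effective roles, its object pattern matches (a `*` wildcard that, like
    Casbin's keyMatch, also spans `/`), and the action matches exactly."""
    subjects = {sub} | effective_roles(role_map, sub)
    return any(
        p_sub in subjects and fnmatchcase(obj, p_obj) and act == p_act
        for p_sub, p_obj, p_act in grants
    )


if __name__ == "__main__":
    grants, roles = load_policy(POLICY_CSV)
    for sub, obj, act in [("alice", "/api/users/7", "POST"),
                          ("bob", "/api/articles/1", "GET"),
                          ("bob", "/api/users/7", "GET")]:
        verdict = "allow" if enforce(grants, roles, sub, obj, act) else "deny"
        print(f"{sub} {act} {obj} -> {verdict}")
```

The two things worth noticing are that the request is evaluated against the subject's whole inherited role set (bob reaches `reader` through `editor`), and that a malformed policy line aborts loading instead of being dropped, since a silently missing grant or assignment is the kind of failure that only shows up as an outage or an over-permission later.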
OpenFGA is a fine-grained authorization server and policy decision point that implements relationship-based access control. It serves as a centralized authorization service for evaluating access requests and managing relationship tuples across distributed microservices and multi-tenant environments. The engine combines relationship graphs with attribute-based access control, using the Common Expression Language to evaluate dynamic runtime attributes and conditional access rules. It handles complex hierarchies and nested permissions by traversing chains of associations and parent-child links t
OpenFGA is a fine-grained authorization server built on relationship-based access control: its authorization model is written as code, roles are expressed as relations, attribute conditions use CEL, and it supports multi-tenant deployments, with audit logging and decision tracing on top, so it covers the policy-engine requirements behind this search.
Spring Security is a comprehensive security framework for Java applications that provides authentication and authorization for both web and non-web environments. It enforces authentication and authorization inside the application, through the Servlet filter chain and method-level security, to protect sensitive resources from unauthorized access. The framework includes toolkits for implementing OpenID Connect and OAuth 2.0 authorization servers and clients, as well as tools for integrating SAML 2.0 identity providers to enable cross-domain single sign-on. It utilizes a role-based access control system
Spring Security is a Java authentication and access control framework with RBAC and OAuth2/OIDC/SAML integration, but its rules are written in Java configuration and SpEL expressions (for example `@PreAuthorize("hasRole('ADMIN')")`) rather than in a separate policy language, and it has no built-in audit logging or multi-tenancy.
Ory Keto is an open-source authorization server that implements Google Zanzibar’s relationship-based access control model. It stores every access relationship as a tuple in a SQL database and exposes a declarative TypeScript-like namespace language for defining object types, relations, and permissions. The service provides bidirectional permission resolution, configurable consistency levels for checks, and dual gRPC and REST APIs for broad integration. Keto extends the Zanzibar model with edge enforcement of access policies, structured compliance auditing of permission decisions, and infrastr
Ory Keto is an open-source authorization server that implements Google Zanzibar's relationship-based model with a declarative namespace language, fine-grained permissions, and audit logging of permission decisions; roles are modeled as relations rather than through a separate RBAC/ABAC layer, and its gRPC and REST APIs cover the integration side, so it matches the need for a policy-as-code access control engine with multi-tenancy capabilities.
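The relationship-graph evaluation that the OpenFGA and Ory Keto entries describe (tuples, usersets such as `group:eng#member`, and permissions inherited through parent-child links), as an added Python example that is neither project's code: a small Zanzibar-style checker over constructed tuples with a hand-written model, including the cycle guard a real engine needs when usersets reference each other. The object types, relations, model and tuples are assumptions for illustration.

```python
"""Zanzibar-style relationship check (added illustration, not OpenFGA or Keto code).

Tuples are `object#relation@subject`; a subject is a user (`user:bob`) or a
userset (`group:eng#member`, meaning "everyone who is a member of group:eng").
The model says, per object type, which relations imply another and which
relations are inherited from a parent object reached through another relation.
"""
from collections import defaultdict

# Constructed sample tuples (assumed data). The last two form a userset cycle.
TUPLES_TEXT = """
doc:roadmap#editor@user:alice
doc:roadmap#parent@folder:eng
folder:eng#viewer@group:eng#member
group:eng#member@user:bob
group:eng#member@user:carol
doc:secret#viewer@user:dave
group:loop1#member@group:loop2#member
group:loop2#member@group:loop1#member
"""

# Assumed authorization model, in the spirit of an OpenFGA DSL / Keto namespace:
#   doc.editor = direct | editor of parent folder
#   doc.viewer = direct | editor | viewer of parent folder
MODEL = {
    "doc": {
        "editor": {"implied_by": [], "inherit_via": "parent"},
        "viewer": {"implied_by": ["editor"], "inherit_via": "parent"},
        "parent": {"implied_by": [], "inherit_via": None},
    },
    "folder": {"viewer": {"implied_by": [], "inherit_via": None}},
    "group": {"member": {"implied_by": [], "inherit_via": None}},
}


def load_tuples(text):
    """Index tuples as (object, relation) -> set of subjects."""
    index = defaultdict(set)
    for line in text.strip().splitlines():
        obj_rel, subject = line.split("@", 1)
        obj, rel = obj_rel.split("#", 1)
        index[(obj, rel)].add(subject)
    return index


def check(tuples, obj, rel, user, _seen=None):
    """Does `user` hold `rel` on `obj`? Deny by default.

    `_seen` records (object, relation) pairs already expanded on this query;
    revisiting one can only repeat work or loop forever, so it yields False.
    """
    seen = _seen if _seen is not None else set()
    if (obj, rel) in seen:
        return False
    seen.add((obj, rel))

    spec = MODEL.get(obj.split(":", 1)[0], {}).get(rel)
    if spec is None:  # relation not defined for this object type
        return False

    # 1. Direct tuples, expanding usersets recursively.
    for subject in tuples.get((obj, rel), ()):
        if subject == user:
            return True
        if "#" in subject:
            s_obj, s_rel = subject.split("#", 1)
            if check(tuples, s_obj, s_rel, user, seen):
                return True

    # 2. Computed usersets: another relation on the same object implies this one.
    if any(check(tuples, obj, other, user, seen) for other in spec["implied_by"]):
        return True

    # 3. Tuple-to-userset: inherit the same relation from each parent object.
    via = spec["inherit_via"]
    if via:
        for parent in tuples.get((obj, via), ()):
            if "#" not in parent and check(tuples, parent, rel, user, seen):
                return True
    return False


if __name__ == "__main__":
    t = load_tuples(TUPLES_TEXT)
    for who in ("user:alice", "user:bob", "user:dave"):
        print(who, "can view doc:roadmap:", check(t, "doc:roadmap", "viewer", who))
```

bob never appears on `doc:roadmap` at all; he is allowed because the document's `parent` points at `folder:eng`, whose viewers are the userset `group:eng#member`, which contains him. That three-hop chain is exactly what a relationship-based engine resolves on every check, which is why these systems care so much about tuple storage and consistency levels, and why the visited set matters: without it the `loop1`/`loop2` tuples would recurse until the stack overflowed.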
Open Policy Agent (OPA) is a unified, cloud-native policy engine designed to decouple authorization and security logic from application codebases. It functions as a centralized authorization service that evaluates structured (JSON) input data against declarative rules, enabling consistent policy enforcement across microservices, infrastructure, and continuous integration pipelines. Policies are written in Rego, a logic programming language for expressing complex constraints, and are compiled into an optimized intermediate representation for high-performance evaluation. By supporting both sidecar-based deployme
OPA is a dedicated, cloud-native policy engine that enforces authorization and access control via declarative policy-as-code (Rego), supporting RBAC, ABAC, audit logging through decision logs, and multi-tenancy, directly matching the search for an open-source authorization and policy engine.
Kanidm is a centralized identity management server designed to handle authentication, authorization, and directory services across distributed infrastructure. It provides a comprehensive framework for managing human and service accounts, utilizing a schema-driven database to store identity records, group memberships, and system attributes. The platform supports a wide range of authentication methods, including passkeys, passwords, and standard protocols like OAuth2, OIDC, LDAP, and RADIUS. The system distinguishes itself through a granular access control engine that enforces security policies
Kanidm is an identity management server with a built-in granular access control engine that enforces authorization policies via RBAC and ABAC; it is itself the identity provider, serving clients over OAuth2/OIDC, LDAP, and RADIUS rather than integrating with an external one, and it is a full IAM platform rather than a standalone policy engine, so it may not offer explicit policy-as-code or audit logging out of the box.
Casdoor is a centralized identity and access management platform that functions as an OAuth 2.0 authorization server. It provides a comprehensive suite of services for managing user identities, authentication sessions, and access policies across both web and machine-to-machine applications. Built with a decoupled frontend-backend architecture in Go, the platform supports high-concurrency environments and offers a web-based management interface for administrative tasks. The platform distinguishes itself through its extensive support for federated identity management, allowing integration with
Casdoor is a centralized identity and access management platform that enforces access policies, integrates with external identity providers, and provides audit logging, so it is well suited to authorization needs, though its policy-as-code support is less explicit than that of a dedicated policy engine.
Authentik is a centralized identity and access management platform designed to serve as a unified authentication authority. It enables enterprise single sign-on across diverse applications and services, providing a cloud-native identity provider that manages user sessions and security protocols from a single location. The platform distinguishes itself through a policy-driven flow engine and a visual orchestration interface. This allows administrators to design complex, custom authentication workflows by chaining modular verification stages and conditional logic. These workflows can be further
Authentik is a full-featured identity and access management platform with a policy-driven flow engine that directly handles authorization, access control, and policy enforcement for applications and APIs, supporting policy-as-code, RBAC, multi-tenancy, identity provider integration, and audit logging, which fits the search for an open-source authorization policy engine.
Cerbos is an open-core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage by writing context-aware access control policies for your application resources.
Cerbos is a language-agnostic, open-core authorization engine that lets you write context-aware access control policies as code, directly matching the need for a policy-based access control tool with RBAC, ABAC, fine-grained permissions, and audit trail support.
Keycloak is an open-source identity and access management server that provides a centralized platform for user authentication, authorization, and identity federation. It functions as a standards-compliant identity provider, utilizing a centralized engine to validate credentials and issue cryptographically signed tokens based on industry-standard protocols like OpenID Connect and SAML. This enables organizations to secure diverse applications and services through a unified authentication layer. The platform distinguishes itself through its cloud-native orchestration and high-availability capab
Keycloak is an open-source identity and access management server that includes a full-featured authorization service with fine-grained role- and attribute-based permissions, multi-tenant realms, and built-in audit logging, making it a strong fit for your authorization and access control needs even though it also covers broader IAM use cases.
Pundit is a Ruby authorization framework that implements policy-based access control. It maps domain models to dedicated logic classes that determine whether a user is permitted to perform specific actions on data objects. The framework utilizes plain Ruby objects to decouple authorization logic from the model. It includes mechanisms for data query scoping to filter record collections based on user permissions, as well as attribute-level permission control to restrict which specific model fields a user can modify. The system provides tools for authorization coverage verification to ensure se
Pundit is a Ruby authorization framework that uses plain Ruby objects to define per-model policies, providing fine-grained attribute-level and record-level access control; it fits the search for a policy-as-code engine for applications, though it lacks built-in multi-tenancy or audit logging and is Ruby-specific.