Authorization at scale breaks long before logic becomes complex.
It breaks because the data model collapses:
roles, groups, permissions, inheritance, exceptions, conditions: they all stack.
Enma is a 12-part series where I rebuild authorization from scratch, step-by-step, ending with a production-ready Zanzibar-style engine.
This page is the master index for the full series.
Published Parts (12/12 Complete)
1. Part 1 – Why Traditional Authorization Breaks at Scale
Why simple SQL permission tables collapse once you introduce teams, hierarchies, and conditional access.
2. Part 2 – Modeling Roles & Memberships (RBAC v1)
How roles actually work, and the hidden assumptions that cause them to fail as systems grow.
3. Part 3 – From Roles to Relationships (ReBAC v1)
How relationship tuples replace global roles and enable access flows like Google Docs.
Introduces boolean algebra for relationships (UNION, INTERSECTION, EXCLUSION).
4. Part 4 – Hierarchies & Inheritance (ReBAC v2)
Modeling "owner → editor → viewer", multi-level inheritance, and cross-object permission propagation.
Documents inherit viewers from parent folders.
5. Part 5 – Conditional Access (ABAC v1)
Making permissions depend on context: time, IP, device, deadlines, and runtime caveats.
Introduces tri-state logic (TRUE, FALSE, REQUIRES_CONTEXT).
6. Part 6 – Organization-Scoped Conditions
Wildcard subjects with scoped caveats: "Any user can view HR docs if department = HR."
Introduces namespaced parameters (principal.*, resource.*) for attribute matching.
7. Part 7 – Complex Boolean Logic (ABAC v2)
Multi-predicate conditions with Boolean algebra in caveats (AND/OR/NOT).
Introduces function calls (now(), contains(), startsWith()) for expressive policies.
Part 7A – Boolean algebra + deterministic function calls inside caveats (ABAC v2): https://submicro.beehiiv.com/p/post-7a-complex-boolean-logic-abac-v2
Post 7B – Composite Caveats and Safety Measures (ABAC v2): https://submicro.beehiiv.com/p/post-7b-composite-caveats-and-safety-measures
8. Part 8 – Schema-Level Safety Nets
Enforcing required caveats and subject constraints at the schema level.
Ensures all tuples obey mandatory business rules (e.g., "all users must have business_hours caveat").
9. Part 9 – Determinism and Tie-Breaks
Ensuring that the same inputs always produce the same outputs across all evaluators.
Canonical signatures, ordering rules, and tri-state algebra for production safety.
10. Part 10 – Unknowns, Duplicates, and Fail-Safe Defaults
Handling schema changes, duplicate grants, and DoS protection with evaluation budgets.
Unknown caveats → FALSE, cycles → FALSE, budget exceeded → FALSE.
Post 10A – Fail-Safe Defaults: Unknown Caveats and Duplicates
Post 10B: https://submicro.beehiiv.com/p/post-10b-budget-limits-and-dos-protection
11. Part 11 – Consistency and Revisions
Post 11A – Revision-Based Snapshots: https://submicro.beehiiv.com/p/post-11a-revision-based-snapshots
Post 11B – Production Deployment: Revisions at Scale
12. Part 12 – Final Model and Invariants
Complete specification of Enma Core Semantics with all invariants (INV-1 through INV-16).
Defines minimal interface surface for production-ready, verifiable implementations.
What You'll Build
By the end of this series, you'll understand:
- Why traditional authorization models break at scale
- How Google Zanzibar works (relationship-based access control)
- How to model roles, hierarchies, and conditional access
- How to build a production-ready authorization engine
- How to ensure determinism, consistency, and safety
Let's build it together.
Series Structure
| Phase | Posts | Theme | Difficulty |
|---|---|---|---|
| Phase I – Groundwork | 1–2 | Simple tuples and roles | Low |
| Phase II – Graph Logic | 3–4 | Relationships and hierarchy | Medium |
| Phase III – Attributes & Conditions | 5–7 | Context-aware caveats | Medium to High |
| Phase IV – Determinism & Safety | 8–10 | Constraints, ordering, protection | High |
| Phase V – Consistency & Finalization | 11–12 | Revisions and invariants | High |
Who This Is For
- Backend engineers building authorization systems
- Engineering managers evaluating authorization solutions
- Staff/Principal engineers designing distributed systems
- Startup CTOs choosing between build vs. buy
- Anyone curious about how Google Zanzibar works
- Google Zanzibar Paper: Zanzibar: Google's Consistent, Global Authorization System
- Auth0 FGA: Open-source Zanzibar implementation
- SpiceDB: Production-ready authorization system
- Ory Keto: Cloud-native permission system
Start with Part 1 – Why Traditional Authorization Breaks at Scale
