Fine-grained authorization policies and access checks for Hanzo Cloud -- model-based access control powered by Hanzo Authz.

Authz

Hanzo Authz answers one question, fast: is this subject allowed to perform this action on this resource? Where IAM establishes who you are, Authz decides what you may do. It is a policy engine, not an identity store.

Policies and Models

Authz is built on the Casbin engine and its PERM metamodel (Policy, Effect, Request, Matchers). The access-control model is a small configuration, so you can adopt or combine strategies without rewriting application code:

Model -- Use for
  • ACL -- Direct subject → resource → action rules.
  • RBAC -- Roles that group permissions; users inherit them through role assignment.
  • RBAC with domains -- Per-tenant role sets -- the right fit for multi-org Hanzo Cloud.
  • ABAC -- Attribute-based rules (e.g. resource.owner == request.subject).
  • RESTful -- Match HTTP paths (/res/*, /res/:id) and methods.

Effects compose: deny-override lets an explicit deny win over any allow, and rules can be prioritized like firewall rules.

Checking Access

A check evaluates a (subject, resource, action) request against the active policy and returns an allow/deny decision. Checks are served under /v1/authz on the gateway.

curl -X POST https://api.hanzo.ai/v1/authz/check \
  -H "Authorization: Bearer hk-..." \
  -H "Content-Type: application/json" \
  -d '{
    "subject": "user:alice",
    "resource": "project:acme/models",
    "action": "read"
  }'
{ "allow": true }

Enforce the same decision at any layer -- gateway, service, or in-process -- so authorization is consistent everywhere. For the policy-management surface (add, remove, and list rules) and every request shape, see the API reference.
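To make the two ideas above concrete (RBAC with domains from the model table, and deny-override from the effects paragraph), here is a small in-process evaluator over a constructed policy. It is an added illustration, not Hanzo's or Casbin's own code; it assumes the tenant is the segment after the colon in resources such as project:acme/models, and every user, role and rule in it is made up.

```python
"""Minimal evaluator mirroring the semantics of a Casbin RBAC-with-domains model
with deny-override. Illustration only; not Hanzo's or Casbin's implementation."""
from fnmatch import fnmatchcase

# Constructed sample policy in Casbin CSV style (assumption, not a real tenant):
#   p = sub, dom, obj, act, eft      g = user, role, dom
POLICY = """
p, role:viewer, acme, project:acme/*, read, allow
p, role:admin, acme, project:acme/*, *, allow
p, user:bob, acme, project:acme/secrets, read, deny
g, user:alice, role:viewer, acme
g, user:bob, role:admin, acme
g, user:carol, role:admin, other
"""


def parse_policy(text):
    """Split CSV rows into p-rules and g-groupings (header letter dropped)."""
    rules, groupings = [], []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        (rules if fields[0] == "p" else groupings).append(tuple(fields[1:]))
    return rules, groupings


def has_role(groupings, user, role, dom):
    """g(r.sub, p.sub, r.dom): does `user` hold `role` in `dom`, transitively?"""
    if user == role:
        return True
    return any(has_role(groupings, parent, role, dom)
               for u, parent, d in groupings if u == user and d == dom)


def tenant_of(resource):
    """Assumed convention: 'project:acme/models' -> 'acme'."""
    return resource.split(":", 1)[1].split("/", 1)[0]


def check(subject, resource, action, policy=POLICY):
    """Return {'allow': bool}, the shape of the /v1/authz/check response."""
    rules, groupings = parse_policy(policy)
    domain = tenant_of(resource)
    effects = [eft for sub, dom, obj, act, eft in rules
               if dom == domain and has_role(groupings, subject, sub, dom)
               and fnmatchcase(resource, obj) and act in ("*", action)]
    # deny-override: one matching deny beats any number of allows;
    # with no matching rule at all the default is deny.
    return {"allow": "allow" in effects and "deny" not in effects}
```

Note that carol is an admin only in the `other` domain, so her check against an `acme` resource is denied: role assignments do not leak across tenants.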

  • IAM -- organizations, users, and roles that Authz policies reference
  • Zero Trust -- network-layer policy for private service access
  • API Keys -- credentials for calling the Authz API
  • API -- the full REST reference
