Opportunity - ReBAC

By Paul Stack
10/14/2024

Expressing fine grained access control policy is a must in the enterprise. With this opportunity, we’re laying the foundations of a relationship-based access control (ReBAC) system using SpiceDB within System Initiative. In our first iteration of ReBAC, the outcome we want is to require any Change Set to be approved by a defined set of users before it is applied (and, therefore, before making any changes to real infrastructure). This post will fill you in on the details, and you can always watch the readout of the opportunity on YouTube.

If this is your first exposure to how we communicate about the on-going development of System Initiative, welcome! You can learn more about what opportunities are, and how we work on System Initiative on our docs site. You might also find our vocabulary page useful.

Approving every Change Set

Many enterprise teams, particularly those with regulatory requirements, require that multiple stakeholders review every change to production. This opportunity will focus on allowing workspace owners to designate a set of Approvers for their workspace and then requiring that one or more of those people approve a change set before it can be applied (and therefore before it makes any changes to real infrastructure).

This is frequently accomplished today by requiring a certain number of approvers in your PR workflow, or by using the approval flow built into a hosted IaC platform (such as HCP or Pulumi). We can do better. One way is by integrating approvals directly into the core product, making them easy to adopt. The other is by incorporating a powerful authorization primitive, and eventually making the entire policy customizable. Today it’s a simple approvals setting; tomorrow it’s dynamic authorization that’s custom-fit to your organization and applications.

Here’s the implementation plan in a nutshell:

  • We will use SpiceDB as the ReBAC engine
  • A user can be invited to a workspace via the Auth Portal, which is existing functionality in the product
  • A user can be designated as a workspace approver
  • If there is at least one approver in the workspace, all Change Sets require approval
  • Users will see a ‘Request Approval’ button rather than Apply, which will notify the approvers that they need to review the change set
  • Once the approvers approve, anyone can apply the change set as normal
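To make the plan above concrete, here is one way it could be modelled as a SpiceDB schema. This is an added illustration, not System Initiative’s schema or code: every definition, relation and permission name in it (workspace, change_set, approval_optional, approved, and so on) is an assumption made for the example. One caveat worth knowing before you model this yourself: SpiceDB has no way to express “this workspace has no approvers”, so the no-approver case has to be recorded explicitly by the application as a relationship, and kept in sync whenever approvers are added or removed.

```zed
// Hypothetical SpiceDB schema for approval-gated change sets.
// Added example; names are assumptions, not System Initiative's.

definition user {}

definition workspace {
    // Users invited through the Auth Portal become members.
    relation member: user
    // Owners designate approvers.
    relation owner: user
    relation approver: user
    // Flag relationship, written by the application as
    //   workspace:<id>#approval_optional@user:*
    // only while the workspace has NO approvers, and deleted as soon as the
    // first approver is designated. SpiceDB cannot test "relation is empty",
    // so the application owns keeping this flag consistent.
    relation approval_optional: user:*

    permission manage_approvers = owner
    permission approve = approver
    permission member_of = member + owner + approver
}

definition change_set {
    relation workspace: workspace
    // Written as change_set:<id>#approved@user:* once the approval
    // requirement is met. The wildcard subject is what makes the approval
    // apply to every member, i.e. "anyone can apply the change set as normal".
    relation approved: user:*

    // Any member may ask the approvers to review.
    permission request_approval = workspace->member_of
    // Only approvers of the owning workspace may approve.
    permission approve = workspace->approve
    // Apply = member of the workspace AND (approved OR workspace not gated).
    permission apply = workspace->member_of & (approved + workspace->approval_optional)
}

// Example relationships (constructed for illustration):
//   workspace:ws1#owner@user:alice
//   workspace:ws1#member@user:bob
//   workspace:ws1#approver@user:carol
//   change_set:cs42#workspace@workspace:ws1
//
// With those tuples, check(change_set:cs42, apply, user:bob) is false, because
// ws1 has an approver (so no approval_optional flag) and cs42 is not yet
// approved. After carol approves and the application writes
//   change_set:cs42#approved@user:*
// the same check for bob (or any other member) becomes true.
```

Two design points to carry into a real implementation: the application must treat the write of `approved@user:*` as the only way a change set becomes applicable, and it must guard that write with a `CheckPermission` on `approve` for the caller, otherwise the schema enforces nothing. The `approval_optional` flag should likewise be written and deleted in the same transaction as the approver change, so there is no window in which a newly gated workspace still lets change sets through.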

When can I expect this to land?

This opportunity has a budget of three weeks, ending October 29th, 2024. You can follow our progress by watching our weekly demos, posted every Monday on Discord, YouTube, and our Changelog. You can always find this, and every other active opportunity, on our Roadmap.

Paul Stack, Product Manager

Paul is an engineer turned product manager who is passionate about the Continuous Delivery and DevOps movements and how they are critical in helping the business deliver value to its customers.
