TL;DR: GitHub-style authorization can be modeled with SpiceDB and relationship-based access control, reducing complex org, team, and repository permissions to schema-driven checks that update as relationships change, according to Authzed. The practical lesson is that authorization design should be expressed in relationships and inheritance rules, not scattered across application logic.
NHIMG editorial — based on content published by Authzed: modelling GitHub-style authorization with SpiceDB and AuthZed Cloud
Questions worth separating out
Q: How should security teams model nested application permissions without hardcoding every rule?
A: Use relationship-based access control to represent users, groups, teams, and resources as linked objects, then derive permissions from those links at query time.
Q: Why do inherited permissions create more risk than direct role assignments?
A: Inherited permissions can expand access through parent objects, team membership, or ownership links without a new direct grant being obvious to reviewers.
Q: How do organisations prevent stale access when teams or repositories change?
A: Tie access updates to relationship writes and deletes whenever the underlying business state changes.
Practitioner guidance
- Model authorization as relationships, not only roles: map the real subject-to-resource paths in your application, including team membership, parent object traversal, and ownership inheritance.
- Trace every inherited permission path: inventory which upstream objects can grant access to downstream resources, then test the effective permission set after every schema change.
- Write and delete tuples on every state change: create the relationship record when access is granted, and remove it when access is revoked, a team changes, or a resource is created under a parent object.
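The three guidance points above can be seen working together in a small evaluator. The Python below is an added illustration, not code from Authzed or SpiceDB: it mirrors the concepts (objects linked by relation tuples, permissions derived from those tuples, inheritance through a parent organisation and through team membership) in plain Python, returns the chain of tuples that grants each access so inherited paths can be traced, and shows that deleting a membership tuple revokes the inherited grant. The object types, relation names, users, and the `SCHEMA` rule encoding are constructed for the example and are not SpiceDB's schema language or API.

```python
"""Toy relationship-based access control (ReBAC) evaluator.

Added illustration, not code from Authzed or SpiceDB. Object types, relation
names and users are constructed for the example.
"""
from collections import defaultdict

# Schema: object type -> permission/relation name -> rules that grant it.
# Rule kinds (a hand-rolled stand-in for a ReBAC schema, not SpiceDB syntax):
#   ("rel", r)        subjects written directly under relation r
#   ("perm", p)       anyone who already holds p on the same object
#   ("arrow", r, p)   anyone who holds p on the object linked via relation r
SCHEMA = {
    "organization": {
        "owner": [("rel", "owner")],
        "member": [("rel", "member")],
        "admin": [("perm", "owner")],
        "view": [("perm", "member"), ("perm", "admin")],
    },
    "team": {"member": [("rel", "member")]},
    "repository": {
        "admin": [("rel", "admin"), ("arrow", "org", "admin")],
        "write": [("rel", "writer"), ("perm", "admin")],
        "read": [("rel", "reader"), ("perm", "write"), ("arrow", "org", "view")],
    },
}


class TupleStore:
    """Relationship tuples keyed by (resource, relation). A subject is either a
    user such as 'user:bob' or a subject set such as 'team:core#member'."""

    def __init__(self):
        self._rels = defaultdict(set)

    def write(self, resource, relation, subject):
        self._rels[(resource, relation)].add(subject)

    def delete(self, resource, relation, subject):
        self._rels[(resource, relation)].discard(subject)

    def subjects(self, resource, relation):
        return self._rels.get((resource, relation), set())


def check(store, resource, permission, user, seen=None):
    """Return the list of tuples that grants `user` `permission` on `resource`,
    or None if no path exists. `seen` stops re-evaluation of (object, name)
    pairs already visited, which also guards against cyclic schemas."""
    seen = set() if seen is None else seen
    if (resource, permission) in seen:
        return None
    seen.add((resource, permission))
    obj_type = resource.split(":", 1)[0]
    for rule in SCHEMA[obj_type][permission]:
        if rule[0] == "rel":
            for subject in store.subjects(resource, rule[1]):
                edge = f"{resource}#{rule[1]}@{subject}"
                if subject == user:
                    return [edge]
                if "#" in subject:  # subject set: recurse into e.g. team:core#member
                    obj, rel = subject.split("#", 1)
                    path = check(store, obj, rel, user, seen)
                    if path:
                        return [edge, *path]
        elif rule[0] == "perm":
            path = check(store, resource, rule[1], user, seen)
            if path:
                return path
        elif rule[0] == "arrow":
            for parent in store.subjects(resource, rule[1]):
                if "#" in parent:
                    continue
                path = check(store, parent, rule[2], user, seen)
                if path:
                    return [f"{resource}#{rule[1]}@{parent}", *path]
    return None


def scenario():
    """Build a constructed GitHub-like org and return check results before and
    after a team membership tuple is deleted."""
    store = TupleStore()
    store.write("organization:acme", "owner", "user:alice")
    store.write("organization:acme", "member", "user:dave")
    store.write("team:core", "member", "user:bob")
    # Written when the repository is created under its parent org and when the
    # team is granted write access: the inherited paths depend on these tuples.
    store.write("repository:api", "org", "organization:acme")
    store.write("repository:api", "writer", "team:core#member")
    store.write("repository:api", "reader", "user:carol")

    before = {
        "alice_admin": check(store, "repository:api", "admin", "user:alice"),
        "bob_write": check(store, "repository:api", "write", "user:bob"),
        "carol_write": check(store, "repository:api", "write", "user:carol"),
        "dave_read": check(store, "repository:api", "read", "user:dave"),
    }
    # Bob leaves the team: deleting the membership tuple revokes the inherited grant.
    store.delete("team:core", "member", "user:bob")
    after = {"bob_write": check(store, "repository:api", "write", "user:bob")}
    return before, after


if __name__ == "__main__":
    before, after = scenario()
    for name, path in before.items():
        print(name, "->", " <- ".join(path) if path else "denied")
    print("bob_write after leaving team ->", after["bob_write"] or "denied")
```

The returned path is the review artefact the second guidance point asks for: Alice's repository admin access is explained by `repository:api#org@organization:acme` followed by `organization:acme#owner@user:alice`, with no direct grant on the repository at all, and Bob's write access disappears as soon as the team membership tuple is deleted rather than when someone remembers to edit a repository role.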
What's in the full article
Authzed's full article covers the operational detail this post intentionally leaves for the source:
- Complete SpiceDB schema examples for users, organisations, teams, and repositories
- Concrete relationship tuples and permission checks for GitHub-style operations
- AuthZed Cloud setup steps for deploying and testing the permission system
- CLI examples that show how permission checks behave in practice
👉 Read Authzed's article on modelling GitHub-style authorization with SpiceDB →