TL;DR: Editing schemas, relationships, assertions, and permission checks in one browser view is now easier, with the same answers as a production SpiceDB cluster and shareable workspaces for team collaboration, according to Authzed. The change lowers friction for ReBAC modelling, but it also raises the bar for how teams validate access logic before moving it into production.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should teams use a ReBAC playground to validate access changes before production?
A: Use the playground as a regression environment, not just a demo surface.
Q: Why do relationship-based access models need testing beyond role review?
A: Because ReBAC decisions depend on how entities relate to each other, not only on the roles they hold.
Q: What should IAM teams look for when sharing an access model with reviewers?
A: They should share the working model itself, including schema, relationships, and assertions, so reviewers can inspect the actual behaviour rather than fragments of it.
Practitioner guidance
- Use assertions as release gates: Require schema changes to pass permission assertions before they are promoted into any shared or production authorisation model.
- Review schema and relationships together: Avoid separate review tracks for schema changes and relationship data.
- Standardise a shareable review artefact: Use the workspace link as the canonical review object for security, platform, and application owners.
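The first two points above, sketched as an added example (not Authzed's code and not SpiceDB's engine or schema language): a deliberately small relationship evaluator that checks a schema and its relationship data together and blocks promotion when an assertion fails. The object names, the rule encoding and the `check` and `release_gate` helpers are assumptions made for illustration.

```python
# Simplified stand-in for a ReBAC model; not SpiceDB's engine or schema language.
# Every object, relation and subject name here is constructed for illustration.
RELATIONSHIPS = {
    ("document:roadmap", "viewer", "user:alice"),
    ("document:roadmap", "parent", "folder:eng"),
    ("folder:eng", "viewer", "serviceaccount:ci-runner"),
}

# type -> permission -> rules. ("rel", r): subject holds relation r directly.
# ("arrow", r, p): follow relation r to another object and check permission p there.
SCHEMA_V1 = {
    "document": {"view": [("rel", "viewer")]},
    "folder": {"view": [("rel", "viewer")]},
}
# Proposed change under review: documents inherit "view" from their parent folder.
SCHEMA_V2 = {
    "document": {"view": [("rel", "viewer"), ("arrow", "parent", "view")]},
    "folder": {"view": [("rel", "viewer")]},
}

ASSERTIONS = {
    "assert_true": [("document:roadmap", "view", "user:alice")],
    "assert_false": [("document:roadmap", "view", "serviceaccount:ci-runner")],
}

def check(schema, rels, resource, permission, subject, seen=frozenset()):
    """Return True if subject has permission on resource under schema + rels."""
    if (resource, permission) in seen:  # guard against cyclic relationship data
        return False
    seen = seen | {(resource, permission)}
    rules = schema.get(resource.split(":", 1)[0], {}).get(permission, [])
    for rule in rules:
        if rule[0] == "rel" and (resource, rule[1], subject) in rels:
            return True
        if rule[0] == "arrow":
            for res, rel, target in rels:
                if res == resource and rel == rule[1] and check(
                        schema, rels, target, rule[2], subject, seen):
                    return True
    return False

def release_gate(schema, rels, assertions):
    """Run every assertion; an empty result means the change may be promoted."""
    failures = []
    for name, expected in (("assert_true", True), ("assert_false", False)):
        for resource, permission, subject in assertions[name]:
            if check(schema, rels, resource, permission, subject) != expected:
                failures.append((name, resource, permission, subject))
    return failures
```

Against the same relationship data, `SCHEMA_V1` passes the gate while `SCHEMA_V2` fails the `assert_false` case, because the inherited folder permission now reaches the service account. Neither the schema diff nor the relationship list shows that when reviewed separately.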
What's in the full announcement
Authzed's full blog post covers the operational detail this post intentionally leaves for the source:
- The refreshed browser workflow and how the tab system was reworked for faster schema iteration.
- The full set of Playground capabilities, including schema editing, relationship editing, assertions, and permission checks.
- How the built-in zed CLI can be used inside the browser for hands-on model testing.
- The new example schemas that give teams more starting points for learning ReBAC patterns.
Explore further
SpiceDB Playground is really about authorisation confidence, not convenience. When access logic is relationship-driven, the hard part is proving that a schema change does not create unintended reach. A browser-based modelling loop helps teams reason about policy before it hardens into production, which is useful for ReBAC-driven NHI and service access programmes. The practitioner takeaway is that better iteration should lead to tighter review discipline, not just faster experimentation.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: How do organisations reduce policy drift in relationship-based authorisation?
A: By treating authorisation logic like code. Keep change control, test cases, and review artefacts tied to the model, then rerun the checks whenever the relationship graph changes. That makes drift visible and helps prevent silent permission expansion.