ZenStack enforces access control at the database layer, not scattered code

ZenStack enforces access control at the database layer, not scattered code

ZenStack manages at the ORM layer, right alongside the data model, instead of letting permission checks get scattered across . It runs on top of the Kysely query builder and applies role-based (RBAC), attribute-based (ABAC), or relation-based consistently to every query, whether that query was written by a human developer or generated by a . That matters because it's easy for a missing or incomplete permission check to slip through when code is agent-generated.

Postgres offers row-level security (RLS) as an alternative, but it's hard to maintain and locked to Postgres, whereas ZenStack works across different databases. MermaidChart, a team collaboration tool that adopted ZenStack for a team feature, said the approach was much cleaner and easier to maintain than hand-writing RLS policies or -level checks that tend to leak over time.

Key points

  • ZenStack enforces RBAC, ABAC, and relation-based at the ORM layer
  • Built on top of the Kysely query builder and works across different databases
  • Applies the same permission checks whether code is human-written or agent-generated
  • Positioned as easier to maintain than Postgres RLS and not locked to one database
Read original