
ZenStack enforces access control at the database layer, not scattered code
ZenStack manages at the ORM layer, right alongside the data model, instead of letting permission checks get scattered across . It runs on top of the Kysely query builder and applies role-based (RBAC), attribute-based (ABAC), or relation-based consistently to every query, whether that query was written by a human developer or generated by a . That matters because it's easy for a missing or incomplete permission check to slip through when code is agent-generated.
Postgres offers row-level security (RLS) as an alternative, but it's hard to maintain and locked to Postgres, whereas ZenStack works across different databases. MermaidChart, a team collaboration tool that adopted ZenStack for a team feature, said the approach was much cleaner and easier to maintain than hand-writing RLS policies or -level checks that tend to leak over time.
Key points
- ZenStack enforces RBAC, ABAC, and relation-based at the ORM layer
- Built on top of the Kysely query builder and works across different databases
- Applies the same permission checks whether code is human-written or agent-generated
- Positioned as easier to maintain than Postgres RLS and not locked to one database