Ask HN: Genesis DB: Thoughts on fine-grained access control

3 points by patriceckhart 15 hours ago

I'm currently exploring a lightweight approach to access control in an event sourcing database (Genesis DB): https://www.genesisdb.io. Authentication is handled via Bearer tokens atm. In the future, authentication and authorization could be entirely declarative, through a policy.json that defines privilege targets, roles, and grants/denies.

Here's a simplified example: https://gist.githubusercontent.com/patriceckhart/ec6f90e80e4dba3c500564fe96101621/raw/ac495628a37a8ab9c60edff7af1015cb1a9f96ae/gistfile1.txt

The idea is that this policy.json can be injected via an environment variable or mounted into the container, meaning policies stay versioned, declarative, and inspectable. Every request goes through the same decision layer, with default-deny semantics and clear role separation.

It's not meant to replace external IAM systems, but to give small self-contained deployments a simple, auditable policy mechanism.

I'm curious how others view this approach:

• Is injecting a policy file like this too static for real-world setups?

• Would you prefer a dynamic store or API for policies instead?

• Any pitfalls you’ve seen with file-based or declarative access-control systems?

Thanks! I'd really appreciate feedback from anyone who's built fine-grained access control before.

hubertzhang 14 hours ago

Like AWS, JSON is OK for me.

  • patriceckhart 13 hours ago

    Thanks! Are you using Genesis DB yourself at the moment, or just speaking from general experience with JSON-based policy systems?