FineGuard
Project Showcase

Fine-grained authorisation system with a Policy Engine Sidecar

By: Boithaopo Mokgatsi, Rorisang Pitso, Andiswa Shange, Anele Mbele

In partnership with: impact.com


About

Abstract

FineGuard (Fine-Grained Authorisation with Policy Engine Sidecar)

Business Requirements

impact.com is a partnership management platform that helps companies manage a variety of partnerships. Their platform offers an automated system that simplifies the lifecycle of a partnership and facilitates intricate user relationships, with each user having roles that require specific access permissions.

Currently, the system uses a static Role-Based Access Control (RBAC) model embedded in the business logic. This approach has become difficult to maintain due to tight coupling between business and security logic, scaling issues as new roles and relationships emerge, and the difficulty of adding new features, which requires code changes, testing, and redeployment. These limitations lead to scattered logic, reduced modularity, and high maintenance costs.

Proposed system

To address these challenges, the project proposes introducing a fine-grained authorisation model using a policy engine sidecar called OpenFGA (Open Fine-Grained Authorisation). The new system decouples authorisation from the core application logic, allowing access control decisions to be handled externally by the policy engine. This enables relationship-based access control (ReBAC), where access is defined by flexible user–role–resource relationships rather than static roles.

System design architecture

The architecture follows a sidecar model, with OpenFGA running as an external service that the backend queries via REST APIs for /check and /write operations. The backend is built with Java Spring Boot, uses MySQL for data storage, and integrates OpenFGA to manage and evaluate authorisation policies dynamically.

Major features and findings

  • Fine-grained permissions supporting complex user–resource relationships.
  • Dynamic policy updates without backend redeployment.
  • Separation of concerns for improved maintainability and scalability.
  • Simplified testing, auditing, and policy management.

By introducing OpenFGA as a policy engine sidecar, authorisation becomes fully externalised and dynamic, reducing complexity and improving modularity. This design enhances security, flexibility, and scalability, positioning the system to support the growing complexity of relationships within the impact.com platform.
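The /write and /check exchange described above, as an added example that is not FineGuard's or OpenFGA's own code: a small Python stand-in for the sidecar stores relationship tuples in OpenFGA's user/relation/object form and answers a check by following a relation inherited from a parent object, denying by default when no path exists. The authorisation model, the organisation and partnership objects, and the users are constructed assumptions; the real backend is Java Spring Boot calling the OpenFGA service over REST.

```python
# Added example, not FineGuard's or OpenFGA's own code: an in-process stand-in
# for the policy-engine sidecar so the backend's /write and /check calls can run
# offline. Only direct tuples and "X from parent" rewrites are evaluated.
from collections import defaultdict
# Assumed model for the partnership domain: a relation holds via a stored tuple
# ("direct") or via a parent, ("from", "owner", "member") == "member from owner".
MODEL = {
    "organisation": {"member": [("direct",)], "admin": [("direct",)]},
    "partnership": {
        "owner": [("direct",)],
        "viewer": [("direct",), ("from", "owner", "member")],
        "editor": [("direct",), ("from", "owner", "admin")],
    },
}

class SidecarStandIn:
    def __init__(self):
        self.tuples = defaultdict(set)  # (object, relation) -> set of users/objects

    def write(self, body):  # shape of POST /stores/{id}/write
        for t in body["writes"]["tuple_keys"]:
            self.tuples[(t["object"], t["relation"])].add(t["user"])

    def check(self, body):  # shape of POST /stores/{id}/check -> {"allowed": bool}
        k = body["tuple_key"]
        return {"allowed": self._has(k["user"], k["relation"], k["object"], 0)}

    def _has(self, user, relation, obj, depth):
        if depth > 16:  # a cyclic "owner" chain must fail closed, not hang
            return False
        for rule in MODEL.get(obj.split(":", 1)[0], {}).get(relation, []):
            if rule[0] == "direct" and user in self.tuples[(obj, relation)]:
                return True
            if rule[0] == "from":  # inherit from every parent linked by rule[1]
                for parent in self.tuples[(obj, rule[1])]:
                    if self._has(user, rule[2], parent, depth + 1):
                        return True
        return False  # unknown type/relation or no path: deny by default

def demo():  # constructed tuples: acme owns a partnership; alice is member, bob admin
    fga = SidecarStandIn()
    fga.write({"writes": {"tuple_keys": [
        {"user": "user:alice", "relation": "member", "object": "organisation:acme"},
        {"user": "user:bob", "relation": "admin", "object": "organisation:acme"},
        {"user": "organisation:acme", "relation": "owner", "object": "partnership:acme-globex"},
    ]}})
    ask = lambda u, r, o: fga.check({"tuple_key": {"user": u, "relation": r, "object": o}})["allowed"]
    return {"alice_views": ask("user:alice", "viewer", "partnership:acme-globex"),  # True
            "alice_edits": ask("user:alice", "editor", "partnership:acme-globex"),  # False
            "bob_edits": ask("user:bob", "editor", "partnership:acme-globex")}      # True
```

Because the backend only ever sends tuple keys and reads back "allowed", a new relation such as "auditor" is a model and tuple change on the sidecar side, not a redeployment of the application.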
