Why we built our own permission system
Trade-offs behind a custom RBAC vs. OPA or Casbin
When we started multi-tenanting Takonaut, the first design call was the authorization model. We considered OPA, Casbin, and rolling our own. Here's why we rolled our own — and what we'd reconsider now.
The shape of our access checks
Most checks are scoped: "can this user do X on this project/team/department?" The scope chain matters because grants cascade…
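One way to express a scoped check with cascading grants, as an added example (not Takonaut's code). It assumes grants cascade downward from department to team to project and never across tenants; the scope ids, roles, permission strings and the `can` function are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical role -> permission mapping (constructed for this example).
ROLE_PERMS = {
    "viewer": {"project:read"},
    "editor": {"project:read", "project:write"},
    "admin": {"project:read", "project:write", "project:delete"},
}

@dataclass(frozen=True)
class Scope:
    id: str
    kind: str                      # "department" | "team" | "project"
    tenant: str
    parent: Optional[str] = None

# Constructed sample scope tree: department -> team -> project.
SCOPES = {s.id: s for s in [
    Scope("dept-eng", "department", "acme"),
    Scope("team-api", "team", "acme", parent="dept-eng"),
    Scope("proj-gw", "project", "acme", parent="team-api"),
    Scope("proj-x", "project", "globex"),
]}

# Constructed grants: (user, scope id) -> role.
GRANTS = {
    ("alice", "dept-eng"): "viewer",
    ("bob", "team-api"): "editor",
    ("carol", "proj-gw"): "admin",
}

def scope_chain(scope_id):
    """Yield the scope and its ancestors, nearest first."""
    seen, tenant = set(), None
    while scope_id is not None and scope_id not in seen:  # cycle guard
        scope = SCOPES.get(scope_id)
        if scope is None or (tenant is not None and scope.tenant != tenant):
            return  # unknown scope or cross-tenant parent: stop walking
        tenant = tenant or scope.tenant
        seen.add(scope_id)
        yield scope
        scope_id = scope.parent

def can(user, action, scope_id):
    """Deny by default; allow if any grant on the chain carries the action."""
    for scope in scope_chain(scope_id):
        role = GRANTS.get((user, scope.id))
        if role and action in ROLE_PERMS.get(role, ()):
            return True
    return False
```

A grant on `dept-eng` reaches `proj-gw` through the chain, while a grant on `proj-gw` gives nothing on `team-api`, because the walk only goes from the requested scope toward its ancestors.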