Every day, my team and I talk to engineering leaders building the next generation of digital products. Those applications are increasingly complex, multi-tenant, collaborative and AI-enhanced. They’re running modern, scalable architectures – and, increasingly, they’re hitting a wall. That wall isn’t authentication. They have FusionAuth for that. The wall is authorization.
And with our acquisition of Permify, we’re tearing that wall down.
Authorization is Not Isolated: It’s a Natural Extension of Identity
Let’s keep it simple:
Authentication answers who a user is.
Authorization determines what they can do.
Modern CIAM must do both. But historically, developers have been forced to bolt together separate systems – one for AuthN, another for AuthZ – creating fragmentation, duplication, latency and audit complexity.
In our sales conversations over the last 18 months, the requirements for access control have gone from simple Role-Based Access Control (RBAC) to highly complex, contextual demands.
By unifying AuthN (who you are) and AuthZ (what you can do) into a single platform, FusionAuth expands the value we deliver while removing the complexity from your team.
What We Heard from Customers: AuthZ is a Bottleneck Now
Our team recently spoke with the VP of Engineering at a rapidly growing FinTech platform. They had successfully implemented FusionAuth for registration and login. That part ran beautifully. But their application permissioning needs were evolving daily.
- ABAC (Attribute-Based Access Control): Regional managers can view customer accounts only in their assigned geographic territory.
- ReBAC (Relationship-Based Access Control): A user can edit a document only if they are explicitly a member of the document’s sharing list or are an administrator of the parent organization.
The homegrown system designed to manage complex permissioning was quickly becoming a bottleneck and a source of extensive maintenance. Far from the internal team’s core competency, the custom tool limited scaling and was a point of friction that introduced performance risk and audit liability.
“FusionAuth solved login,” they told us. “Permissions are what’s killing us.”
Beyond FinTech: AuthZ Spans Industries
This story is just one of many. Across different industries, engineering teams are encountering similar complex authorization requirements that standard RBAC (Role-Based Access Control) or simple, local checks cannot handle. These are the conversations that made it clear our responsibility to the developer community has expanded:
1. The Healthcare Challenge (Contextual/ABAC)
The Need: “A nurse can only view a patient’s medical history after the patient has checked into their exam room, and only if that nurse is assigned to the current shift.”
The Problem: Simply checking the user’s role (“Nurse”) isn’t enough. The system needs to check the patient’s status (an attribute) and the nurse’s current context (another attribute, like shift assignment). This level of contextual authorization is almost impossible to maintain within the AuthN layer, for example in an ID token.
2. The Multi-Tenant SaaS Challenge (ReBAC & Hierarchy)
The Need: “A user can create a new project, but only if their current organization’s subscription tier allows for more than 10 active projects, and only within the specific ‘folder’ they have been granted creator access to.”
The Problem: The permission is dependent on a hierarchy (User→Folder→Project) and an attribute of the tenant (Subscription Tier Limit). When dealing with thousands of tenants, building and querying this organizational and policy graph becomes the primary performance bottleneck.
3. The Collaboration Platform Challenge (Delegated/Policy)
The Need: “A customer administrator must be able to delegate the ‘Billing’ permission to a specific internal finance team member without granting them all other administrator rights.”
The Problem: Simple RBAC forces permissions to be bundled into broad roles. Modern systems require fine-grained permissions where access is granted not just by a fixed role, but by a flexible policy (e.g., Allow user X to Action Y on Resource Z) that can be easily updated or delegated via an API.
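To make the multi-tenant SaaS challenge above concrete, here is a small added example (not FusionAuth or Permify code, and not their API) that evaluates "create project" over relationship tuples plus a tenant attribute. It assumes creator grants inherit down the folder hierarchy and that the subscription tier is modeled as a cap on active projects; all names and data are constructed.

```python
# Added example: ReBAC (folder hierarchy) + ABAC (tenant attribute) check.
# All tuples, names and limits below are constructed sample data.
TUPLES = {  # (object, relation, subject), Zanzibar-style relationship tuples
    ("org:acme", "member", "user:ana"),
    ("org:acme", "member", "user:bob"),
    ("org:globex", "member", "user:eve"),
    ("folder:acme-root", "org", "org:acme"),
    ("folder:acme-eng", "parent", "folder:acme-root"),
    ("folder:acme-eng", "creator", "user:ana"),
    ("folder:acme-api", "parent", "folder:acme-eng"),
    ("folder:globex-root", "org", "org:globex"),
    ("folder:globex-root", "creator", "user:eve"),
}
# Tenant attributes. Assumption: the tier is modeled as a cap on active projects.
ORG_ATTRS = {
    "org:acme": {"project_limit": 25, "active_projects": 12},
    "org:globex": {"project_limit": 10, "active_projects": 10},
}

def related(obj, relation):
    """Subjects that hold `relation` on `obj`."""
    return {s for (o, r, s) in TUPLES if o == obj and r == relation}

def lineage(folder):
    """The folder plus all of its ancestors; `seen` guards against cycles."""
    seen, frontier = [], [folder]
    while frontier:
        f = frontier.pop()
        if f not in seen:
            seen.append(f)
            frontier.extend(related(f, "parent"))
    return seen

def can_create_project(user, folder):
    """Return (allowed, reason). Anything that is not an explicit allow denies."""
    chain = lineage(folder)
    orgs = {o for f in chain for o in related(f, "org")}
    if len(orgs) != 1:
        return False, "folder has no single owning tenant"
    org = next(iter(orgs))
    if user not in related(org, "member"):
        return False, "user is not a member of the owning tenant"
    if not any(user in related(f, "creator") for f in chain):
        return False, "no creator grant on this folder or an ancestor"
    attrs = ORG_ATTRS.get(org)
    if attrs is None or attrs["active_projects"] >= attrs["project_limit"]:
        return False, "tenant subscription limit reached"
    return True, "allowed"
```

The tenant-membership check runs before the folder grant, so a grant that points across tenants is still denied, and the returned reason string gives each decision an auditable explanation.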
We realized that developers don’t just need to know who is logging in; they need a high-performance, auditable, and scalable way to determine what that person can do across every microservice and resource. We needed to simplify the entire journey from Identity to Fine-Grained Authorization. That’s why we acquired Permify.
Authorization Becomes Mission-Critical in the AI Era
AI agents move faster than humans and behave non-deterministically. That means:
- They access more data
- They take more actions
- They operate at machine speed
Without fine-grained authorization as a control plane, AI systems can overstep quickly – exceed permissions, expose data, or perform unintended operations. Fine-grained authorization (FGA) allows safe AI-enabled workflows. FGA is important for human/CIAM authorization, but becomes even more important when you introduce non-deterministic behavior at software speed. Agentic behavior further underlines the critical nature of authorization in the era of AI.
The Better Together Story: Outsized Value and Industry Leadership
The combination of FusionAuth and Permify is not a simple bolt-on. When the technologies are fully integrated, the combined product is a strategic unification that delivers outsized value and positions FusionAuth to lead the industry forward by solving the AuthN/AuthZ problem with a single platform:
| Capability | FusionAuth Today | FusionAuth + Permify | Why it Matters |
|---|---|---|---|
| Identity Core (AuthN) | World-class, deployable CIAM. | Same world-class CIAM, now deeply connected to authorization. | Cohesion: Your identity data is now immediately leveraged to drive authorization decisions. |
| Permissions (AuthZ) | Basic Role-Based Access Control (RBAC). | Fine-Grained Authorization (FGA), including Hierarchies, ABAC and ReBAC. | Flexibility: Build complex B2B features like secure collaboration and delegation, natively and securely. |
| Performance & Scalability | Horizontally & vertically scalable identity service. | Zanzibar-inspired authorization engine optimized for large, complex permission graphs. | Performance: Get sub-10ms latency on permission checks, even with billions of users and resources. |
| Control | Full control over user data and deployment. | Full control over authorization logic and policies. | Unification: One platform for all identity and permission controls, simplifying compliance and audits and accelerating development. |
For our customers, this integration means you can accelerate your product roadmap by offloading the security and complexity of permissions to a solution built specifically to handle it. You can finally stop worrying about the performance cost of permission checks and start building the nuanced, highly collaborative features your users are demanding.
The Path Forward
We are laser-focused on integrating Permify’s technology seamlessly into the FusionAuth platform in the coming months. Two Permify team members are joining us as contractors, and we are committed to continuing investment in the open-source community.
The next step in the evolution of CIAM is the unified control of Identity and Authorization. By combining FusionAuth’s best-in-class identity provider with Permify’s cutting-edge authorization engine, we are uniquely positioned to lead that charge and deliver the comprehensive, developer-first platform you need to scale securely.
Look for a formal announcement of the fully integrated offering and streamlined pricing model in early 2026. Until then, we encourage you to check out the power of Permify’s technology and see why we believe this is the most powerful combination in the identity space today.
Reach out to us if you have a complex or nuanced access control challenge; we are here to help.



