Honeycomb - A Case Study in Fine Grained Authorization
Externalizing FGA allows developers to focus on core application features while ensuring secure authorization - A case study of Honeycomb's experience with FGA
Daniel Bass
Managing permissions for a complex user ecosystem is not an easy task - especially when you are dealing with sensitive data like insurance policies. Honeycomb Insurance, a company managing millions of dollars in commercial property insurance across U.S. real estate, encountered this exact challenge.
Honeycomb needed an authorization system that could ensure proper access control for a wide range of users, including underwriters, customer success teams, agents, and third-party agencies.
However, building an efficient access control system from scratch in-house means diverting valuable time and resources away from the core product.
This case study explores how Honeycomb Insurance implemented Fine-Grained Authorization (FGA) with Permit.io to solve their permission and authorization challenges, enabling them to concentrate on building their product without compromising on security.
The Challenge: Managing Complex Permissions at Scale
It is not uncommon for companies experiencing rapid growth to realize that their in-house authorization system just can't keep up with the demands of their expanding platform. Authorization rules grow more complex every day, and classic access control models like Role-Based Access Control (RBAC) are, on their own, not enough to support the complexity most modern applications require. In more extreme cases, companies even find themselves having to refactor huge segments of authorization code that are mixed in with their application's business logic.
The insurance field also poses a unique set of authorization challenges. Given the high stakes in managing millions of dollars worth of property insurance, it was critical to ensure compliance while enabling secure access to sensitive data, such as policy details, claims, and underwriting reports. Honeycomb needed to manage a diverse ecosystem of users, from underwriters evaluating complex risk profiles to agents and third-party brokers with varying access needs. Additionally, quick scalability during peak times required precise, automated role adjustments.
As Honeycomb scaled its operations, it became evident that its in-house authorization system could not keep up with the demands of its rapidly evolving platform. They needed to manage dozens of roles, including internal teams, partners, and direct customers, all while ensuring that only authorized personnel could access specific data or perform certain actions.
Every time they needed to make a small change or add new functionality to their platform’s permissions, they had to assign their developers to write custom code - a cumbersome and time-consuming process. Their homemade solution lacked the flexibility they required and demanded excessive developer time for maintenance. It was clear to the Honeycomb team that this wasn't a sustainable long-term strategy.
Their system was based on complex role structures, requiring them to dynamically adjust permissions as new users, features, or resources were added. The challenge was made even bigger by the large number of permissions required for each user type, which further strained their internal teams. After months of trying to maintain this system, the team sought other solutions.
The Solution: FGA with an Authorization-as-a-Service Provider
It was evident that Honeycomb needed to handle three main issues:
- Implementing a system that supports more complex access rules than the one they currently had. This authorization system must not rely solely on RBAC, because expressing an ever-growing number of per-customer and per-partner rules purely as roles leads to a 'Role Explosion'.
- Having a way to easily make frequent changes to this system without having to manually write code whenever authorization requirements need to be modified.
- Achieving both these goals without sinking too much expensive development time into the process, so they can focus on evolving their application and its features.
To address these challenges, Honeycomb sought out authorization-as-a-service solutions that would support implementing FGA, provide a way for their development team to easily control the authorization system, and not build all this functionality in-house.
For this purpose, Honeycomb chose to implement FGA with Permit.io.
It took a single developer from the Honeycomb team two weeks to move from their in-house authorization solution to production with Permit.io. The back-office interface made it easy for their team to manage permissions, allowing quick adjustments as their system evolved. Whether adding new roles or editing existing ones, they could do so within minutes through Permit’s no-code UI.
They were able to quickly develop more than 20 role types that considered attributes and relationships, managing permissions for thousands of users and machine identities across dozens of resources.
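To make the 'Role Explosion' point from the list above concrete, and to show what a role type that "considers attributes and relationships" can look like, here is an added, self-contained Python example. It is not Honeycomb's or Permit.io's code and does not reproduce their policy model; the users, agencies, policies, role names and approval limits are constructed sample data, and the `check` function is a hypothetical in-process policy decision point that stands in for the externalized service the article describes.

```python
"""
Added example: a minimal fine-grained authorization (FGA) decision point.

It contrasts the role explosion of pure RBAC with a model that combines
roles, relationships (which agency a user belongs to / which agency a
policy is assigned to) and attributes (the insured value of a policy).
All users, agencies and policies below are constructed sample data; the
model is a hypothetical illustration, not Honeycomb's or Permit.io's schema.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class User:
    id: str
    roles: FrozenSet[str]              # base roles, e.g. {"agent"}
    agency_id: Optional[str] = None    # relationship: user -> agency
    approval_limit: int = 0            # attribute used by underwriters (USD)


@dataclass(frozen=True)
class Policy:
    id: str
    agency_id: str                     # relationship: policy -> agency
    insured_value: int                 # attribute in USD
    status: str = "pending"


# Constructed sample data (hypothetical identifiers).
AGENCIES = ["acme-brokers", "north-agency", "west-partners"]

USERS = {
    "u-agent-acme": User("u-agent-acme", frozenset({"agent"}), agency_id="acme-brokers"),
    "u-agent-north": User("u-agent-north", frozenset({"agent"}), agency_id="north-agency"),
    "u-uw-junior": User("u-uw-junior", frozenset({"underwriter"}), approval_limit=2_000_000),
    "u-uw-senior": User("u-uw-senior", frozenset({"underwriter"}), approval_limit=50_000_000),
    "u-cs": User("u-cs", frozenset({"customer_success"})),
}

POLICIES = {
    "p-1": Policy("p-1", agency_id="acme-brokers", insured_value=1_500_000),
    "p-2": Policy("p-2", agency_id="north-agency", insured_value=12_000_000),
}


def rbac_roles_needed(base_roles: int, agencies: int) -> int:
    """Pure RBAC cannot express "agents see *their own* agency's policies"
    without minting a distinct role per (base role, agency) pair, so the
    number of roles grows multiplicatively with the number of partners."""
    return base_roles * agencies


def check(user_id: str, action: str, policy_id: str) -> bool:
    """Central policy decision point: the application asks "may this user
    perform this action on this resource?" instead of inlining role checks.
    Deny by default; every allow rule is explicit and combines the caller's
    role, their relationship to the resource, and resource attributes."""
    user = USERS.get(user_id)
    policy = POLICIES.get(policy_id)
    if user is None or policy is None:
        return False

    if action == "read":
        # Relationship rule: agents only see policies assigned to their agency.
        if "agent" in user.roles and user.agency_id == policy.agency_id:
            return True
        # Internal roles read every policy regardless of agency.
        if user.roles & {"underwriter", "customer_success"}:
            return True
        return False

    if action == "approve":
        # Attribute rule: underwriters approve only pending policies whose
        # insured value is within their personal approval limit.
        return (
            "underwriter" in user.roles
            and policy.status == "pending"
            and policy.insured_value <= user.approval_limit
        )

    return False


if __name__ == "__main__":
    print("pure RBAC roles for 3 base roles x 3 agencies:",
          rbac_roles_needed(3, len(AGENCIES)))
    for uid, act, pid in [("u-agent-acme", "read", "p-1"),
                          ("u-agent-acme", "read", "p-2"),
                          ("u-uw-junior", "approve", "p-2")]:
        print(f"{uid} {act} {pid}: {'allow' if check(uid, act, pid) else 'deny'}")
```

Note how adding a fourth agency changes nothing in the rule set: the three base roles stay three, and the new agency is only a relationship on the user and on its policies. With pure RBAC the same change would have required minting a new role per base role, which is the explosion the list above refers to. The point of externalizing this is that `check` lives in one place that product code calls, rather than being scattered through handlers.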
Permit.io also integrated easily with Honeycomb's existing tech stack, which includes machine learning and computer vision technologies.
The Impact: Efficiency and Focus on Core Development
This implementation resulted in efficient, scalable permissions management, which allowed the team to focus on core product development.
One Honeycomb developer noted, "Using Permit, the amount of time it takes to develop and maintain our product's permissions is a tiny fraction of what it would have been building it on our own."
Instead of dedicating valuable resources to maintaining and upgrading their homebrew system, Honeycomb's development team was able to focus on what mattered most—continuing to innovate and expand their platform. Permit.io allowed them to seamlessly manage permissions for internal and external users alike while maintaining strict security and compliance standards.
Honeycomb’s team no longer had to spend hours writing and managing permission logic manually. Instead, they could make changes in minutes using the no-code interface, streamlining their operations and allowing the team to maintain the flexibility and fine-tuning their platform required.
Conclusion: Simplifying Permissions, Empowering Innovation
It’s been almost two years since Honeycomb chose to implement FGA with Permit.io, and the impact on their operations is undeniable. While the complexity and scale of Honeycomb's platform had grown immensely, they were able to easily adapt their authorization system to fit the new requirements.
The decision to externalize authorization continues to save Honeycomb significant development time. Their experience demonstrates the value of adopting Fine-Grained Authorization through an authorization-as-a-service provider. By removing the burden of building and maintaining a complex permission system, Honeycomb has been able to focus on its core mission: providing cutting-edge insurance solutions to its clients.
In the words of one Honeycomb developer: "Permit.io allowed us to focus on our core development work and keep building our great product."
If you want to learn more about the best ways to implement FGA, make sure to join our Slack community, where there are hundreds of devs building and implementing authorization.