Nishi FamilyCompare › Authorization and Permissions

Nishi vs the Field

Authorization and Permissions — mechanically measured, liar-killed, sovereign.

One sovereign ReBAC plane -- relationship tuples with userset rewrites over an append-only store, bound to OPAQUE-PAKE identity and Nishi HR -- vs SpiceDB and OpenFGA and AWS Cedar and Ory Keto

How this is scored. Every Nishi cell is measured: the generator reads the real organ source on disk and requires the implementing symbol to exist (no self-grading). Competitor cells record documented capability presence. Best=leads this axis, Yes=present, Part=partial, No=absent. This is capability presence, not depth or scale: the majors lead on index size and neural ranking. Nishi's genuine exceeds are the sovereignty / neutrality / determinism axes.

Feature matrix

CapabilityNishiSpiceDBOpenFGAAWS CedarOry KetoNotes
Relationship tuples object relation subjectYesBestYesPartYesSpiceDB and OpenFGA and Keto are Zanzibar tuple stores and Cedar models relationships via policy rather than native tuples; Nishi persists every tuple as an append-only seg_store record
Userset rewrites and computed relationsYesBestYesPartYesSpiceDB schema and OpenFGA models define computed usersets and Cedar uses policy conditions; the Nishi rb_expand rewrite table is data-driven config not buried logic
Bounded check with cycle terminationYesBestYesYesYesEvery engine bounds evaluation; the Nishi check terminates a member-of cycle by construction via RB_MAXDEPTH which the adversarial gate proves does not hang
Deny-by-default with tombstone revocationYesYesYesYesYesAll deny by default; Nishi revokes with an ADDITIVE tombstone that never deletes history and resolves latest-wins so the audit trail stays intact
Write authority with no self escalationYesYesYesYesYesOnly an owner or admin may grant and an unclaimed object bootstraps exactly once then closes so a member can never self-grant admin
Nested group and subgroup usersetsYesBestYesPartYesSharing with a group expands member usersets including nested subgroups which the gate proves end to end with a leads-inside-elders chain
Multi tenant wall enforced in the live appYesYesYesYesYesThe wall-beats-admin tenant model runs LIVE on nishifamily dot com slash relate not merely as a library selftest
Field level attribute maskingYesYesYesYesYesGiving amounts mask below manager role; SpiceDB caveats and Cedar conditions and OpenFGA contextual tuples also gate at the attribute grain
Capability path prefix ACL secondary engineYesYesYesYesYesLongest-prefix capability grants with explicit-deny-wins complement the relationship graph for per-record vault scoping
Additive-only audit trail of every grantYesYesYesYesYesEvery grant and revoke is an immutable seg_store record so the authorization history is tamper-evident by construction rather than a separate audit log
Unified identity roles and relationships in one planeYesPartPartPartPartThe incumbents are authorization engines that consume an external identity provider; Nishi composes the HR level and the relationship graph keyed by the same uid hash equal to sha256 of realm and handle
EXCEED authorization bound to OPAQUE-PAKE identityBestNoNoNoNoIncumbents authenticate the caller with bearer tokens or OIDC then authorize; the Nishi plane binds authorization to an OPAQUE-3DH session where the password never crosses the wire and the server stores no password-equivalent
EXCEED sovereign end to end with own TLS no vendorBestNoNoNoNoSpiceDB and OpenFGA and Keto and Cedar are services or libraries you run behind someone elses TLS and cloud; the Nishi plane terminates its own TLS 1.3 and runs on owned hardware from ClientHello to decision
Consistency tokens for snapshot readsNoBestBestYesBestSpiceDB zedtokens and OpenFGA consistency modes solve the new-enemy problem across caches; the Nishi check reads the current store with no snapshot token yet
Admin authored schema or policy languageNoBestBestBestBestSpiceDB schema and OpenFGA DSL and Cedar policy let an admin DEFINE the model; the Nishi rewrite table is compiled data not a user-authored schema yet
Reverse index and list objectsYesBestYesYesYesSpiceDB LookupResources and OpenFGA ListObjects are the reference; Nishi now enumerates via rb_list_objects_for_sub and the office shared-with-me view expands group usersets on the reverse side -- per-relation lookup is live, a fully precomputed reverse index across the whole graph is the remaining depth
Horizontal scale and distributed cacheNoBestYesYesBestSpiceDB and the original Zanzibar scale to billions of tuples behind a distributed consistent cache; the Nishi plane is a single-host seg_store walk today
coverage 823/1000EXCEEDS 2PRESENT 12ABSENT 3
Evidence for every claim. This is not an opinion matrix: each capability we mark present is grounded in real source and proven by a live-forked gate. See the autonomously-generated evidence page → (per-axis source lines + executed self-test verdicts) or the machine-readable evidence.json.
Honest verdict. The Nishi plane is a real Zanzibar/ReBAC engine -- relationship tuples, data-driven userset rewrites, nested-group expansion, deny-by-default with additive tombstone revocation, block-outranks consent, HR-level operator override, and no-self-escalation write authority -- all adversarially gate-proven across 28 checks. Two structural exceeds are unique to it: authorization is bound to an OPAQUE-PAKE session (the password never crosses the wire) and the whole plane terminates its own TLS on owned hardware with zero vendor dependency. It is honestly BEHIND the mature incumbents on four axes -- consistency tokens for snapshot reads, an admin-authored schema language, a reverse index for list-objects, and horizontal distributed scale -- which are the named next rungs, not hand-waved wins.

Generated by nx_swcompare_matrix (sovereign NishiLang organ) from knowledge/compare/authz.matrix — every Nishi cell verified against real organ source on disk. Zero JS, zero trackers.