Varuni
@varuni7
Graph-based Auth Systems: ReBAC, Zanzibar & the Quest for Speed
Submitted Apr 17, 2025
Topic of your submission:
Distributed data systems
Type of submission:
30 mins talk
I am submitting for:
Rootconf Annual Conference 2025
This is a journey through distributed auth, graph indexing, and the rising role of ML in access control.
Description
Modern access control has evolved far beyond roles and spreadsheets. In this talk, we’ll trace the evolution of authorization systems — from hardcoded logic and RBAC policies to more flexible, scalable models like ABAC and Relationship-Based Access Control (ReBAC). We’ll explore how real-world systems often outgrow traditional models, and how relationship graphs now define who can do what in distributed applications.
We’ll take a deep dive into Google’s Zanzibar - the distributed authorization system behind products like Drive and YouTube - and unpack its architecture, the end-to-end workflow and the way data is modelled. We will explore how it uses zookies (Zanzibar tokens) to manage consistency and caching in a globally distributed environment. We’ll discuss how Zanzibar decouples policy evaluation from application logic, and also take a peek at its state-of-the-art Leopard indexing system! We’ll look into how Zanzibar achieves reverse indexing (answering questions like “what resources does this user have access to?”) and how it ensures correctness using global snapshot timestamps (even mid-failure!). We’ll also talk about how open-source implementations like SpiceDB are making these ideas more accessible.
A significant takeaway from this talk is the extended discussion on indexing for graph-based auth systems. We will explore dynamic transitive closures, which enable real-time indexing of these auth graphs, so that auth checks complete faster (especially for deeply nested queries) and changes in the underlying access relationships are rapidly and accurately reflected in authorization decisions. I’ll also propose an approach that leverages adaptive indexing algorithms to compute these closures dynamically, discussing the trade-offs between consistency, latency, and the freshness of policy evaluation in large-scale distributed systems.
To conclude, we’ll look at how machine learning is changing access control, including approaches like ML-Based Access Control (ML-BAC), where models trained on historical usage patterns evolve or override static policies, helping detect anomalous access or even predict intent.
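As an added illustration of the two ideas above (reverse indexing, and a transitive closure that is maintained incrementally rather than recomputed), here is a small Python model that is not part of this proposal, of Zanzibar, or of SpiceDB. It keeps a toy relation store with a constructed Zanzibar-style userset-rewrite schema (the rule names `this`, `computed` and `parent`, the namespaces `folder`, `doc` and `group`, and the `user:` prefix convention are this example's own), answers `check` from a per-user reachability closure, answers the reverse query `lookup_resources` from the same closure, and extends that closure in `add_tuple` only along the newly inserted edge. Zookies, snapshot timestamps and Leopard's actual data layout are not modelled.

```python
"""Toy ReBAC store: Zanzibar-style userset rewrites, a Check over the
relationship graph, and an incrementally maintained reverse index.
Constructed example; schema syntax and rule names are this example's own."""
from collections import defaultdict, deque

# Userset-rewrite rules per namespace and relation (constructed syntax):
#   ("this",)              holders named directly by tuples on this relation
#   ("computed", r)        holders of relation r on the same object
#   ("parent", prel, r)    holders of r on each object listed in this object's prel
SCHEMA = {
    "folder": {
        "parent": [("this",)],
        "owner":  [("this",)],
        "viewer": [("this",), ("computed", "owner"), ("parent", "parent", "viewer")],
    },
    "doc": {
        "parent": [("this",)],
        "owner":  [("this",)],
        "editor": [("this",), ("computed", "owner")],
        "viewer": [("this",), ("computed", "editor"), ("parent", "parent", "viewer")],
    },
    "group": {"member": [("this",)]},
}


def is_user(node):
    """Constructed convention: users are strings prefixed 'user:'; objects are 'ns:id'."""
    return isinstance(node, str) and node.startswith("user:")


class RelationStore:
    def __init__(self):
        self.edges = defaultdict(set)    # grant graph: node -> nodes that node grants
        self.closure = defaultdict(set)  # reverse index: user -> reachable (obj, rel) nodes
        self.users = set()

    def successors(self, node):
        """Edges recorded from tuples plus the schema's 'computed' edges."""
        out = set(self.edges[node])
        if isinstance(node, tuple):
            obj, rel = node
            for r, rules in SCHEMA[obj.split(":")[0]].items():
                if ("computed", rel) in rules:
                    out.add((obj, r))
        return out

    def _reach(self, start, already):
        """BFS from start; returns the (obj, rel) nodes not already known."""
        queue, found = deque([start]), set()
        while queue:
            for nxt in self.successors(queue.popleft()):
                if nxt not in already and nxt not in found:
                    found.add(nxt)
                    queue.append(nxt)
        return found

    def add_tuple(self, obj, rel, subject):
        """subject: 'user:x', a userset tuple (obj, rel), or an object id for 'parent'."""
        ns = obj.split(":")[0]
        new_edges = []
        if is_user(subject) or isinstance(subject, tuple):
            new_edges.append((subject, (obj, rel)))
        for r, rules in SCHEMA[ns].items():           # tuple-to-userset rules over `rel`
            for rule in rules:
                if rule[0] == "parent" and rule[1] == rel:
                    new_edges.append(((subject, rule[2]), (obj, r)))
        if is_user(subject):
            self.users.add(subject)
        for src, dst in new_edges:
            self.edges[src].add(dst)
        # Dynamic transitive closure: only users that already reach `src` are affected,
        # and only the part of the graph behind `dst` they did not reach before is walked.
        for src, dst in new_edges:
            for u in self.users:
                if (u == src or src in self.closure[u]) and dst not in self.closure[u]:
                    self.closure[u].add(dst)
                    self.closure[u] |= self._reach(dst, self.closure[u])

    def check(self, obj, rel, user):
        """Zanzibar-style Check, answered from the precomputed closure."""
        return (obj, rel) in self.closure[user]

    def lookup_resources(self, user, ns, rel):
        """Reverse query: which `ns` objects does `user` hold `rel` on?"""
        return sorted(o for o, r in self.closure[user] if r == rel and o.startswith(ns + ":"))

    def rebuild(self):
        """Full recomputation of the reverse index, for cross-checking the incremental path."""
        return {u: self._reach(u, set()) for u in self.users}


def build_sample_store():
    """Constructed sample data: alice owns the root folder, bob is in an editor group."""
    s = RelationStore()
    s.add_tuple("folder:root", "owner", "user:alice")
    s.add_tuple("folder:eng", "parent", "folder:root")
    s.add_tuple("doc:design", "parent", "folder:eng")
    s.add_tuple("group:eng", "member", "user:bob")
    s.add_tuple("doc:design", "editor", ("group:eng", "member"))
    s.add_tuple("doc:roadmap", "viewer", "user:carol")
    return s


if __name__ == "__main__":
    s = build_sample_store()
    print(s.check("doc:design", "viewer", "user:alice"))      # True, via two folder hops
    print(s.lookup_resources("user:bob", "doc", "viewer"))     # ['doc:design']
    print(s.rebuild() == {u: s.closure[u] for u in s.users})  # True
```

The closure makes a deeply nested check (owner of a root folder reaching a document three relations away) an O(1) set lookup, and the reverse query a filter over the same set; the price is that every tuple insertion must touch the closure of every user who already reaches the new edge's source, which is exactly the consistency-versus-freshness trade-off the talk discusses. Tuple deletion is the harder direction (a removed edge can invalidate paths that other edges still cover), which is why `rebuild` exists here as the fallback and cross-check.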
Takeaways
Understand how and why companies move from RBAC to ABAC to ReBAC — and what makes each model succeed (or fail) at scale.
A detailed understanding of Google Zanzibar and its pros and cons
Learn the trade-offs of decoupling auth into a distributed service, including consistency levels, caching, and performance considerations.
Indexing in graph-based auth systems
The rising role of ML in access control
Which audience segment is your talk/session going to be beneficial for?
This talk is aimed at backend engineers, platform engineers, infra/SRE folks, and technical leads who are building or managing access control platforms.
Bio
Varuni H K - SWE Intern at Couchbase | Senior at PES University