Google Zanzibar

Last updated January 06, 2026

Zanzibar is an authorization system developed by Google for managing access control. It was first described in a research paper presented at the 2019 USENIX Annual Technical Conference. Zanzibar supports authorization for several Google services, including Google Drive, Google Photos, and YouTube.^[1]

Overview

Zanzibar functions as an authorization service. It processes access control queries from client applications and stores access control lists (ACLs) expressed as relationship tuples under a relationship-based access control (ReBAC) model. Each tuple represents a subject, a relation, and an object. The system is designed to provide consistency, fault tolerance, and scalability for applications with large user bases.^[1]

Architecture

Zanzibar’s architecture includes several core components:^[1]

Distributed database: Built on Google Spanner to maintain data consistency across data centers.
Caching layers: Uses server-level and inter-service caching to reduce latency.
Global replication: Replicates authorization data across geographic regions to improve availability.
Namespace configuration: Client services define object types, relationships, and authorization rules.
Decoupled logic: Queries such as "Does user X have permission Y on object Z?" return Boolean results.
Zookies: Opaque consistency tokens used to ensure authorization checks are evaluated against a snapshot at least as recent as the version of the content being accessed.^[2]

Performance

The system uses techniques such as cache prefetching and selective invalidation of frequently accessed permissions to reduce latency.^[1]

Relationship to ReBAC

Zanzibar employs relationship-based access control (ReBAC), in which authorization decisions depend on relationships between entities rather than predefined roles. In contrast, role-based access control (RBAC) assigns permissions based on user roles. Zanzibar’s use of ReBAC enables dynamic access control in collaborative environments such as document-sharing systems.^[1]

Industry influence

The Zanzibar research paper has influenced the design of other authorization systems based on ReBAC principles. Examples include Airbnb’s internal system Himeji and several open-source projects that adopt similar models.^[1]

Limitations

Implementing a Zanzibar-like system requires substantial engineering and infrastructure resources. Maintaining replication, caching, and schema configurations adds operational complexity. The tuple-based relationship model may fail to capture certain policy logic, requiring integration with additional rule-based or policy engines.^[1]

References

1 2 3 4 5 6 7 Pang, Ruoming; Caceres, Ramon; Burrows, Mike; Chen, Zhifeng; Dave, Pratik; Germer, Nathan; Golynski, Alexander; Graney, Kevin; Kang, Nina; Kissner, Lea; Korn, Jeffrey L. (2019). "Zanzibar: Google's Consistent, Global Authorization System". 2019 USENIX Annual Technical Conference (USENIX ATC '19). Renton, WA.
↑ "What Is Google Zanzibar?". AuthZed. Retrieved 2025-11-09.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[pang2019-1] 1 2 3 4 5 6 7 Pang, Ruoming; Caceres, Ramon; Burrows, Mike; Chen, Zhifeng; Dave, Pratik; Germer, Nathan; Golynski, Alexander; Graney, Kevin; Kang, Nina; Kissner, Lea; Korn, Jeffrey L. (2019). "Zanzibar: Google's Consistent, Global Authorization System". 2019 USENIX Annual Technical Conference (USENIX ATC '19). Renton, WA.

[authzed_zanzibar-2] "What Is Google Zanzibar?". AuthZed. Retrieved 2025-11-09.

[1]

[2]