Salt Security: Enterprise-Grade API Security with Fine-Grained Authorization
Salt Security just took enterprise API protection one step further with Fine-Grained Authorization Powered by Permit.io!
A leading API security company serving Fortune 500 enterprises and large-scale technology companies, Salt Security’s platform provides security teams with real-time API visibility, risk assessment, and attack prevention. That makes authorization a critical part of their infrastructure.
As Salt grew, its customers demanded more control over roles, permissions, and integrations with identity providers. To meet these expectations, Salt’s engineering team needed a flexible and scalable authorization system.
This case study explores how Salt’s Platform Engineering Team turned to Permit.io to implement Fine-Grained Authorization (FGA) for dynamic roles, policy-based access, and large-scale identity integrations, rather than building a complex access control system from scratch.
Here’s how Salt Security transformed its platform to deliver enterprise-grade flexibility, speed, and compliance—and what your organization can learn from its journey.
Watch the full case study here:
The Challenge: Enterprise-Level Authorization Demands
For security companies, the main focus of authorization is enabling customers to confidently manage their own security policies.
As Salt Security’s enterprise customer base expanded, they needed to scale their role-based access control (RBAC) system to support:
- Custom role definitions, so customers could map permissions to their own teams.
- Seamless identity provider integration, enabling customers to sync roles with their existing authentication systems.
- Granular authorization policies that allow flexible access control at the tenant, team, and environment levels.
Initially, Salt relied on a basic role-based access system with predefined roles that were hardcoded into the system. While this worked at first, it quickly became a bottleneck as customers demanded more control over how access was managed.
As Omri, a software architect at Salt Security, shared:
“Once a startup grows, it starts to have bigger and more demanding customers. Enterprise customers expect better integration with dynamic roles, external identity providers, and the ability to bring their own authorization mechanisms into our product.”
The team considered several approaches, including building a custom solution and testing open-source frameworks like OpenFGA and OPA. However, they quickly realized that managing dynamic role creation, policy enforcement, and scalability in-house would be a massive engineering investment.
"Doing RBAC is relatively simple, but implementing ABAC and ReBAC at scale is where things become really complex. We needed a system that would allow us to expand seamlessly as our requirements evolved."
This led them to Permit.io, which offered the flexibility, scalability, and hybrid deployment model they needed.
The Solution: Implementing Fine-Grained Authorization with Permit.io
When evaluating authorization providers, Salt Security prioritized:
- Custom Role Management – Customers needed complete flexibility in defining roles, permissions, and access control policies.
- Hybrid Deployment for Performance – A local Policy Decision Point (PDP) was critical to ensure fast authorization decisions without relying on external services.
- Enterprise-Ready Identity Integration – The system had to seamlessly connect with SSO providers and existing enterprise authentication systems.
After testing multiple options, Salt Security chose Permit.io, as it provided the most balanced solution for their immediate needs and future scalability.
Yakir, a Team Lead at Salt Security, shared his reasoning for this choice:
"One of the main reasons we chose Permit was its ability to support different authorization models. We started with RBAC, but we knew we’d eventually need ABAC and ReBAC as well."
The integration process was straightforward—Salt Security quickly incorporated Permit’s API into their backend, allowing customers to define and manage roles directly through the Salt dashboard.
"We built a UI on top of Permit’s API, allowing our customers to configure permissions in a way that makes sense to them. Instead of forcing them into predefined roles, they can now map access controls to their own organizational structure."
Additionally, Salt deployed Permit’s PDP within its infrastructure, enabling low-latency authorization checks while maintaining full control over uptime and security policies.
"We needed an offline-first approach—something that wouldn’t make us dependent on an external vendor’s availability. With Permit, we could manage roles and policies in the cloud while enforcing decisions locally."
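The two design points above, customer-defined roles mapped from identity-provider groups and scoped to tenant and environment (the requirements listed under "The Challenge"), and a local PDP that keeps enforcing decisions when the cloud control plane is unreachable, can be shown in a small model. The following is an added illustration, not Salt Security's or Permit.io's code: it assumes a policy snapshot pushed from a control plane and evaluated locally, and every tenant, group, role and permission name in it is constructed. The one behaviour worth noticing is that the PDP fails closed when it has no fresh snapshot, rather than granting access because the policy service is unavailable.

```python
"""Tiny local policy decision point (PDP) for tenant-scoped RBAC.

Added illustration, not Salt Security's or Permit.io's code. It assumes a
policy snapshot pushed from a control plane and evaluated locally, with
customer-defined roles and IdP-group-to-role mappings (all names constructed).
"""
from dataclasses import dataclass
from typing import Optional
import time

# Constructed policy snapshot for one tenant, as a customer admin might define
# it through a UI: custom roles -> permissions, IdP groups -> roles per environment.
POLICY_SNAPSHOT = {
    "version": 7,
    "tenants": {
        "acme": {
            "environments": {"prod", "staging"},
            "roles": {
                "sec-analyst": {"finding:read", "api:read"},
                "sec-admin": {"finding:read", "finding:resolve", "api:read", "api:write"},
            },
            # IdP group -> {environment or "*" -> roles}; "*" means every environment
            "group_to_roles": {
                "AcmeSecOps": {"prod": ["sec-analyst"], "staging": ["sec-analyst"]},
                "AcmePlatformLeads": {"*": ["sec-admin"]},
            },
        }
    },
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant: str
    idp_groups: frozenset  # group claims asserted by the customer's SSO provider


@dataclass(frozen=True)
class Resource:
    kind: str         # e.g. "finding", "api"
    tenant: str
    environment: str  # e.g. "prod"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class LocalPDP:
    """Evaluates checks against the last snapshot it received; denies when it has none
    or when the snapshot is older than max_age_s (fail closed, never fail open)."""

    def __init__(self, max_age_s: float = 300.0):
        self.snapshot = None
        self.loaded_at = None
        self.max_age_s = max_age_s

    def load_snapshot(self, snapshot: dict, now: Optional[float] = None) -> None:
        # Called whenever the control plane pushes a new policy version.
        self.snapshot = snapshot
        self.loaded_at = time.monotonic() if now is None else now

    def _roles_for(self, tenant_policy: dict, principal: Principal, environment: str) -> set:
        # Roles come only from IdP groups, resolved per environment ("*" applies everywhere).
        roles = set()
        for group in principal.idp_groups:
            scoped = tenant_policy["group_to_roles"].get(group, {})
            roles.update(scoped.get("*", []))
            roles.update(scoped.get(environment, []))
        return roles

    def check(self, principal: Principal, action: str, resource: Resource,
              now: Optional[float] = None) -> Decision:
        now = time.monotonic() if now is None else now
        if self.snapshot is None or now - self.loaded_at > self.max_age_s:
            return Decision(False, "no fresh policy snapshot; failing closed")
        if principal.tenant != resource.tenant:
            return Decision(False, "cross-tenant access is never granted")
        tenant_policy = self.snapshot["tenants"].get(resource.tenant)
        if tenant_policy is None or resource.environment not in tenant_policy["environments"]:
            return Decision(False, "unknown tenant or environment")
        roles = self._roles_for(tenant_policy, principal, resource.environment)
        permissions = set()
        for role in roles:
            permissions |= tenant_policy["roles"].get(role, set())
        needed = f"{resource.kind}:{action}"
        if needed in permissions:
            return Decision(True, f"granted via roles {sorted(roles)}")
        return Decision(False, f"{needed} not in permissions of roles {sorted(roles)}")


if __name__ == "__main__":
    pdp = LocalPDP()
    pdp.load_snapshot(POLICY_SNAPSHOT, now=1000.0)
    analyst = Principal("u1", "acme", frozenset({"AcmeSecOps"}))
    prod_finding = Resource("finding", "acme", "prod")
    print(pdp.check(analyst, "read", prod_finding, now=1001.0))
    print(pdp.check(analyst, "resolve", prod_finding, now=1001.0))
```

The `now` parameter exists only so the freshness check is deterministic; in a real sidecar the PDP would use the clock and the control plane would push snapshots well within `max_age_s`. The cross-tenant deny sits before any role lookup so that no customer-defined mapping can ever grant access to another tenant's data.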
The Impact: Scalable, High-Performance Access Control
By adopting FGA, Salt Security successfully transformed its access control system into a scalable, enterprise-ready solution.
This allowed them to:
- Enable enterprise customers to define and manage custom roles independently.
- Seamlessly integrate with existing identity providers (SSO, IDP mapping).
- Ensure fast authorization decisions with a hybrid PDP deployment.
- Reduce engineering overhead by offloading policy management to Permit.io.
Bar, a member of Salt Security’s Platform Team, mentioned:
"Authorization is critical to everything we do, and Permit made it possible to deliver a highly scalable, flexible solution without slowing down our development roadmap."
One of the most important technical improvements was the drastic reduction in authorization response times. By running local PDPs within Salt’s infrastructure, they were able to handle thousands of authorization requests per second while keeping latency below 20ms.
"We tested and measured it extensively, and the performance improvements were incredible. Having the PDP run alongside our applications allowed us to maintain sub-millisecond response times—even under high load."
Beyond performance, Permit.io also helped improve Salt Security’s ability to audit and monitor access control decisions, providing customers with better visibility into who has access to what—a crucial requirement for security-conscious enterprises.
"We’re a security company, which means we can’t afford to get access control wrong. Permit gave us the confidence that our authorization model is secure, scalable, and future-proof."
Conclusion: Future-Proofing Access Control for Enterprise Growth
For security companies, authorization isn’t just a backend feature—it’s a fundamental requirement for compliance, scalability, and customer trust.
Salt Security’s journey with Fine-Grained Authorization (FGA) demonstrates how externalizing access control can be a strategic decision that streamlines security without adding unnecessary complexity.
By partnering with Permit.io, Salt Security was able to meet strict enterprise security and compliance requirements while avoiding the costly and time-consuming development of an in-house solution.
Customers gained greater flexibility in defining roles and managing permissions, ensuring they could tailor access control to their unique organizational structures. Additionally, by deploying a hybrid authorization model with a local Policy Decision Point (PDP), Salt maintained high performance and low latency, ensuring security decisions never became a bottleneck.
With Permit.io handling authorization, Salt’s engineering team remained focused on their core mission—securing APIs—while delivering a scalable, enterprise-grade access control system.
"The ability to integrate authorization seamlessly, scale dynamically, and ensure high performance—without building everything from scratch—made Permit the right choice for us."
Want to see what FGA with Permit.io could do for your application? Get started now (It’s free), check out the Permit.io docs, and feel free to reach out to us in our Slack community.
Written by
Daniel Bass
Application authorization enthusiast with years of experience as a customer engineer, in technical writing, and in open-source community advocacy. Community Manager, Dev. Convention Extrovert and Meme Enthusiast.