Here's a simplified example: https://gist.githubusercontent.com/patriceckhart/ec6f90e80e4dba3c500564fe96101621/raw/ac495628a37a8ab9c60edff7af1015cb1a9f96ae/gistfile1.txt
The idea is that this policy.json can be injected via an environment variable or mounted into the container, so policies stay versioned, declarative, and inspectable. Every request goes through the same decision layer, with default-deny semantics and clear role separation.
It's not meant to replace external IAM systems, but to give small self-contained deployments a simple, auditable policy mechanism.
I'm curious how others view this approach:
• Is injecting a policy file like this too static for real-world setups?
• Would you prefer a dynamic store or API for policies instead?
• Any pitfalls you've seen with file-based or declarative access-control systems?
Thanks! I'd really appreciate feedback from anyone who's built fine-grained access control before.
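As an added example (not the gist's code and not the poster's project), here is a minimal version of the decision layer the post describes: a policy document loaded from an environment variable or a mounted file, validated once at startup so a malformed policy fails closed, and a single `decide()` function that every request passes through, with default deny and roles kept separate from the users they are assigned to. The schema (`roles`, `users`, per-rule `action`/`resource`), the variable names `POLICY_JSON` and `POLICY_FILE`, and the sample policy are all constructed assumptions for this illustration.

```python
import json
import os

# Constructed sample policy; the schema is an assumption, not the gist's format.
SAMPLE_POLICY = {
    "roles": {
        "viewer": [{"action": "read", "resource": "docs/*"}],
        "editor": [
            {"action": "read", "resource": "docs/*"},
            {"action": "write", "resource": "docs/*"},
        ],
        "admin": [{"action": "*", "resource": "*"}],
    },
    "users": {"alice": ["viewer"], "bob": ["editor"], "root": ["admin"]},
}


def policy_errors(policy):
    """Return a list of problems found in the policy; empty means usable."""
    errors = []
    roles = policy.get("roles")
    users = policy.get("users")
    if not isinstance(roles, dict) or not isinstance(users, dict):
        return ["policy must contain 'roles' and 'users' objects"]
    for role, rules in roles.items():
        if not isinstance(rules, list):
            errors.append(f"role {role!r}: rules must be a list")
            continue
        for i, rule in enumerate(rules):
            if not isinstance(rule, dict) or not {"action", "resource"} <= set(rule):
                errors.append(f"role {role!r} rule {i}: needs 'action' and 'resource'")
    for user, assigned in users.items():
        if not isinstance(assigned, list):
            errors.append(f"user {user!r}: roles must be a list")
            continue
        for role in assigned:
            if role not in roles:
                # A dangling role reference is rejected up front instead of
                # silently granting nothing at request time.
                errors.append(f"user {user!r}: unknown role {role!r}")
    return errors


def parse_policy(raw):
    """Parse JSON text and refuse to use it unless it validates (fail closed)."""
    policy = json.loads(raw)
    errors = policy_errors(policy)
    if errors:
        raise ValueError("refusing policy: " + "; ".join(errors))
    return policy


def load_policy(env_var="POLICY_JSON", path_var="POLICY_FILE"):
    """Load the policy from an env var, else from a mounted file, else refuse to start."""
    raw = os.environ.get(env_var)
    if raw is None:
        path = os.environ.get(path_var)
        if path is None:
            raise RuntimeError("no policy supplied; refusing to start without one")
        with open(path, encoding="utf-8") as fh:
            raw = fh.read()
    return parse_policy(raw)


def _match(pattern, value):
    """'*' matches anything, 'prefix/*' matches that subtree, otherwise exact match."""
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def decide(policy, user, action, resource):
    """Single decision point: returns (allowed, reason) so every outcome is auditable."""
    for role in policy["users"].get(user, []):
        for rule in policy["roles"].get(role, []):
            if _match(rule["action"], action) and _match(rule["resource"], resource):
                return True, f"allowed by role {role!r} rule {rule}"
    # No rule matched (including unknown users): deny by default.
    return False, "no matching rule (default deny)"


def is_allowed(policy, user, action, resource):
    return decide(policy, user, action, resource)[0]


if __name__ == "__main__":
    os.environ["POLICY_JSON"] = json.dumps(SAMPLE_POLICY)
    pol = load_policy()
    for req in [("alice", "read", "docs/readme"), ("alice", "write", "docs/readme"),
                ("bob", "write", "secrets/key"), ("nobody", "read", "docs/readme")]:
        print(req, decide(pol, *req))
```

Two points the example makes that the post's summary only states: validation happens at load time, so a typo in a role name is a startup failure rather than a silent denial in production, and `decide()` returns a reason string alongside the boolean so the deny path can be logged and audited just like the allow path.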