Spreetail manages user permissions and authorizes every service request with Aserto
- 5% of the cost of building / maintaining an in-house system
- Better security posture via policy change & decision log audit trail
- Sidecar deployment provides big speed and availability gains
"Authorization involves really hard problems that I want experts to solve. We like to focus our internal engineering efforts on our customers and their problems. Aserto allows us to do just that, at a small fraction of the cost it would take to build and maintain it ourselves, not to mention the opportunity cost."
With well over $1b in annual revenue, Spreetail is the largest end-to-end ecommerce partner in the US. It connects over 600 vendors with 18 online marketplaces, including Amazon, Walmart, eBay, Target, and many others. Spreetail buys, stocks, sells, ships, and supports its customers’ products anywhere online. With 8 fulfillment centers, Spreetail can reach 95% of US households with 2-day delivery, and 80% with next-day delivery.
Over its 14 years of operation, Spreetail has built many internal systems, but the Vendor Portal is its first customer-visible piece of software. The portal gives vendors and partners a self-service experience for managing aspects of their product portfolio, and provides insights into how products are performing and where opportunities exist to improve performance.
To get the initial product out the door, Spreetail built a homegrown system called “authz” that provides a solid authorization model, but didn’t address many use-cases. For example, vendor managers, who support multiple vendors in a particular segment or geography, should be able to access information only for those vendors. A fine-grained authorization model that incorporated both user- and resource-context was necessary to achieve these goals.
Spreetail considered extending “authz” and going down a path of making authorization a core competency of its engineering organization, but its engineering leaders recognized that building this expertise wasn’t going to generate additional customer value or revenue - it was the “cost of doing business” without being a source of differentiation.
Spreetail uses Okta as its identity provider, but didn’t want to manage fine-grained attributes and permissions in Okta, since this would require granting operational access to a system that should be locked down. Instead, Spreetail uses Okta as the “source of truth” for core identity data, and syncs this data into the Aserto directory, which is the operational system for managing permissions for users.
Instead of creating static roles, Spreetail defines permissions and permission sets, which are dynamically assigned to users based on attributes. The system defines “smart groups”, which pre-seed some permissions based on user attributes such as "title". An additional mechanism called “dimensions” allows defining access to a subset of vendors, based on properties such as country, region, and vendor type. This authorization model provides the flexibility in granularity that Spreetail was looking for.
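The model described above combines user context (permissions derived from attributes such as title) with resource context (which vendors a user may see, expressed as dimensions over country, region and vendor type). The following is an added illustration of that combination in plain Python; it is not Spreetail's or Aserto's code, and the class names, the `SMART_GROUPS` and `DIMENSIONS` tables, and all sample users and vendors are constructed for this example. It also returns a decision record of the kind a decision log would capture, and denies by default when any part of the check fails.

```python
"""Attribute-driven permissions plus vendor 'dimensions' (illustrative model).

Added example, not Spreetail's or Aserto's code. Every name and sample value
below (SmartGroup tables, Dimension, users, vendors) is constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Vendor:
    id: str
    country: str
    region: str
    vendor_type: str


@dataclass(frozen=True)
class Dimension:
    """A named filter over vendor properties; None means 'any value'."""
    name: str
    country: Optional[str] = None
    region: Optional[str] = None
    vendor_type: Optional[str] = None

    def matches(self, vendor: Vendor) -> bool:
        wanted = (self.country, self.region, self.vendor_type)
        actual = (vendor.country, vendor.region, vendor.vendor_type)
        return all(w is None or w == a for w, a in zip(wanted, actual))


@dataclass
class User:
    id: str
    title: str                                   # attribute that seeds a smart group
    dimensions: List[str] = field(default_factory=list)      # names in DIMENSIONS
    extra_permissions: Set[str] = field(default_factory=set)  # granted individually


# Smart groups: permission sets pre-seeded from the user's "title" attribute
# instead of hand-assigned static roles (constructed sample data).
SMART_GROUPS: Dict[str, Set[str]] = {
    "vendor_manager": {"vendor.read", "vendor.reports.read"},
    "account_director": {"vendor.read", "vendor.reports.read", "vendor.pricing.write"},
}

# Dimensions: which subset of vendors a user is scoped to (constructed sample data).
DIMENSIONS: Dict[str, Dimension] = {
    "us-midwest": Dimension("us-midwest", country="US", region="midwest"),
    "all-electronics": Dimension("all-electronics", vendor_type="electronics"),
    "all-vendors": Dimension("all-vendors"),
}

VENDORS: Dict[str, Vendor] = {
    "v-acme": Vendor("v-acme", "US", "midwest", "electronics"),
    "v-bolt": Vendor("v-bolt", "US", "west", "home"),
    "v-crown": Vendor("v-crown", "CA", "east", "electronics"),
}

USERS: Dict[str, User] = {
    "alice": User("alice", "vendor_manager", ["us-midwest"]),
    "bob": User("bob", "account_director", ["all-electronics"]),
    "carol": User("carol", "intern", ["all-vendors"]),  # wide scope, no permissions
}


def effective_permissions(user: User) -> Set[str]:
    """User context: smart-group permissions for the title, plus individual grants."""
    return SMART_GROUPS.get(user.title, set()) | user.extra_permissions


def user_dimensions(user: User) -> List[Dimension]:
    return [DIMENSIONS[n] for n in user.dimensions if n in DIMENSIONS]


def vendors_in_scope(user: User) -> Set[str]:
    """Resource context: every vendor matched by at least one of the user's dimensions."""
    dims = user_dimensions(user)
    return {v.id for v in VENDORS.values() if any(d.matches(v) for d in dims)}


def decide(user: User, permission: str, vendor_id: str) -> Dict[str, object]:
    """Deny-by-default check; the returned record is what a decision log would store."""
    record: Dict[str, object] = {"user": user.id, "permission": permission, "vendor": vendor_id}
    vendor = VENDORS.get(vendor_id)
    if vendor is None:
        return {**record, "allowed": False, "reason": "unknown vendor"}
    if permission not in effective_permissions(user):
        return {**record, "allowed": False, "reason": "permission not granted"}
    if not any(d.matches(vendor) for d in user_dimensions(user)):
        return {**record, "allowed": False, "reason": "vendor outside user's dimensions"}
    return {**record, "allowed": True, "reason": "permission and dimension matched"}


def is_allowed(user_id: str, permission: str, vendor_id: str) -> bool:
    return bool(decide(USERS[user_id], permission, vendor_id)["allowed"])


if __name__ == "__main__":
    for uid, perm, vid in [("alice", "vendor.read", "v-acme"), ("alice", "vendor.read", "v-bolt"),
                           ("bob", "vendor.pricing.write", "v-crown"), ("carol", "vendor.read", "v-acme")]:
        print(decide(USERS[uid], perm, vid))
```

The two checks are deliberately independent: a user with a broad dimension but no smart group (carol) is still denied, and a user with the permission but the wrong dimension (alice on a west-region vendor) is denied as well. Keeping the reason in the returned record is what makes the decision log useful for audit.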
Doug Dawson, Spreetail’s engineering manager, describes how things used to be:
“In the past, when you’d hire an employee, you’d give them a job title, and then request and grant access during the onboarding process. For a company our size, some IT people's primary job is going into AD and setting up this stuff. We didn’t want to repeat that pattern.”
Spreetail has built an authorization portal which allows admins to manage users, groups, permissions, and dimensions. These are stored in the Aserto directory, and changes are automatically pushed to the edge, where the Aserto authorizer is deployed. The authorizer is able to use these extended properties in Spreetail’s authorization policies.
Dan Kuyper, Spreetail’s director of software engineering, describes the long-term benefit of using Aserto:
“As we mature, and become a bigger international company, our strategy is to move away from non enterprise-grade systems. Adopting Aserto checks that box for authorization.”
Spreetail now has a flexible fine-grained authorization system that can handle their sophisticated use cases. Authorization changes can no longer be made by editing rows in a database table - instead, they are made through a policy-as-code workflow, with each change being part of an audit trail.
Dave Kerber, Spreetail’s VP of Engineering, estimates that enhancing and maintaining Spreetail’s internal “authz” system would have cost more than 20 times the overall subscription costs for Aserto during the same period of time.
Spreetail also finds that the sidecar deployment model produces very fast authorization decisions for its API requests, and that, because policy and directory data are pushed to the sidecar ahead of time, it insulates the performance and availability of the vendor portal from any Aserto availability or outage issues.
Over the first half of 2022, the Spreetail engineering team plans on having every internal service migrate to using the new Aserto-based authorization system.