By Marxmine Cherian

CRAFT: Custom Rules for Authorization in Fintech

Reinventing Policy Management - The No-Code Revolution

Tags: Authorization, ABAC, Security

The gold standard for security and compliance in the world of Cloud Native platforms has long been "Policy as Code" (PaC). However, as the complexity and scale of these platforms grow, a critical problem arises: the disconnect between the developers writing code and the product team writing rules.

Why Modern Authorization Falls Short

In the world of Cloud Native platforms, the question of "who can access what" is no longer a simple one. Whether you are managing user permissions, gating feature access, or meeting the most stringent regulatory requirements, as systems grow into complex webs of microservices, traditional access control is hitting a wall, creating a complexity crisis that puts both speed and security at risk.

The Hidden Cost of Hard-Coded Rules

For many teams, the rules and logic for authorization are still hidden away in the code. This creates manual bottlenecks where every new permission request or compliance update requires a developer to write, test, and deploy new code. The "hard-coded" approach has several critical points of failure:

  • Fragmented Security Gaps: With logic spread out over dozens of microservices, it's impossible to guarantee consistency. One oversight in a single service can create a huge vulnerability.
  • The Compliance Lag: Regulated industries change their rules overnight. When your security approach has a two-week deployment cycle, you'll never catch up and will be perpetually at risk.
  • Zero Visibility: Without a centralized view, the security team and the audit team are always in the dark about who actually has access to what in real time.

The Non-Technical Barrier

Perhaps the greatest challenge is the lack of flexibility. When authorization is a purely technical task, the people who understand the business rules best, such as compliance officers and product owners, get excluded from the process. This slows down innovation and increases the likelihood of human error while translating "policy" into "code."

For an organization to survive the complexity crisis, it needs to shift from static, hard-coded rules towards a more agile, policy-driven future.

Introducing the Visual Policy Builder

CRAFT is a centralized framework designed to break down authorization bottlenecks once and for all. It provides a no-code, web-based interface that sits on top of OPA (Open Policy Agent), enabling you to manage and enforce complex policies across your entire ecosystem without writing a single line of code.

By empowering non-technical stakeholders to modify policies in real-time, CRAFT helps ensure your security posture adapts to the pace of your business.

"Policy-as-Code" to "Policy-as-Interface"

By shifting from "Policy-as-Code" to "Policy-as-Interface", CRAFT introduces a whole new level of operational flexibility:

  • Democratized Security: For the first time, non-technical stakeholders, such as compliance teams and product managers, are able to modify security policies in real time.
  • Instant Evolution: No more waiting around for the next sprint or deployment cycle. If business needs change, the policy can be updated instantly via the dashboard.
  • Total Ecosystem Control: CRAFT offers a unified "command center" for your entire security posture, ensuring that rules are consistent across every service, platform, and user.

How CRAFT Controls Access with Precision

The secret sauce to CRAFT's precision is Attribute Based Access Control (ABAC).

In our effort to deliver a more granular, flexible, and scalable system, CRAFT breaks away from traditional "roles" and instead embraces the precision of Attribute Based Access Control (ABAC). This is a security model that decides who can access what based on a wide range of dynamic attributes rather than fixed, static lists, and it makes an instant, informed authorization decision. It examines each request along three kinds of attributes:

  • Subject Attributes (Who is making the request?): the user's role, department, security clearance, job title, and physical location.
  • Object Attributes (What is being accessed?): the data type, sensitivity level, resource owner, and classification.
  • Action Attributes (What is being done?): Read, Write, Approve, or Delete operations.

From Concept to Compliance: The 4-Step "CRAFTing" Process

The power of Attribute Based Access Control may seem complicated, but it does not have to be. CRAFT was designed with speed in mind, so you can go from a security requirement to a live policy in four simple steps.

  1. Create Your Workspace: This is where you set up a dedicated workspace. This allows you to group related applications together for streamlined management and a bird's-eye view of your security landscape.

  2. Define the Components: Who is requesting access? To which "object" does this policy apply? What is the user trying to accomplish? Define all three components, subject attributes, resource targets, and action types, to build the complete authorization logic.

  3. Build the Policy: No coding required. Use our intuitive policy wizard to snap your subjects, resources, and actions together into a robust, human-readable policy.

  4. Publish & Monitor: Go live with confidence. Instantly activate your policies across environments and track access patterns in real time through a centralized monitoring dashboard.

Confidence Through Clarity: Policies Written in Plain English

The true power of CRAFT, however, is that we can finally bridge the gap between complex logic and human understanding. Rather than staring at a "wall of code," CRAFT translates the depth of Attribute Based Access Control (ABAC) into a clear, Plain English interface.

Real-Time Policy Creation

As you choose your Subject, Resource, and Action, CRAFT works behind the scenes to create the rule in real-time. There is no 'code speak' or guessing what's going to happen; you can see exactly how a rule works before you ever press 'Publish.'

[Screenshot: Create CRAFT Policy]

Why Readability Matters

This "Plain English" approach ensures that your security is strong and that it's easy to understand throughout your organization:

  • Empower Non-Technical Users: Compliance and product teams can validate a policy works exactly as desired without needing a developer.
  • Total Correctness: Guarantee logic is flawless and consistent across all environments.
  • 100% Confidence: Push new rules to production knowing they align perfectly with your business requirements.

By combining sophisticated logic with a simple interface, CRAFT ensures that clarity is your greatest security asset.

Security at the speed of thought: Meet the CRAFT AI Agent

Admittedly, even four steps can sometimes feel like a hurdle when you're moving at the breakneck speed of business. We've considered that too. If you're in a hurry or simply prefer a conversation over a form, you can skip the steps altogether.

"Allow any manager in the Finance team to approve transactions over $10,000 only during business hours."

[Screenshot: Create Policy using Agent]

Our AI Agent will understand your request, map the attributes, and create the policy for you instantly. It's 'Security at the speed of thought'.
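The following is an added example, not CRAFT's generated output, of what the plain-English rule above (and the subject, object and action attributes from the ABAC section) looks like once expressed for the OPA engine CRAFT sits on. The attribute names (input.subject, input.resource, input.action, input.context.time_ns) and the definition of "business hours" as 09:00 to 17:00 UTC on weekdays are assumptions made for this illustration.

```rego
# Added example policy (not CRAFT's own output): the plain-English rule
# "Allow any manager in the Finance team to approve transactions over
# $10,000 only during business hours" as an OPA/Rego ABAC policy.
package craft.finance

import rego.v1

# Default deny: any request that matches no allow rule is refused.
default allow := false

allow if {
    # Subject attributes: who is asking
    input.subject.role == "manager"
    input.subject.department == "Finance"

    # Action attribute: what is being done
    input.action == "approve"

    # Object attributes: what is being acted on
    input.resource.type == "transaction"
    input.resource.amount > 10000

    # Environmental attribute: when the request happens
    # (assumed input field, nanoseconds since the Unix epoch)
    within_business_hours(input.context.time_ns)
}

# Assumed definition of business hours: Monday to Friday, 09:00-16:59 UTC.
within_business_hours(ns) if {
    day := time.weekday(ns)
    day != "Saturday"
    day != "Sunday"
    [hour, _, _] := time.clock([ns, "UTC"])
    hour >= 9
    hour < 17
}
```

Evaluating data.craft.finance.allow with `opa eval` against a JSON input carrying those four attribute groups yields true only when every condition holds; anything missing or out of range falls through to the default deny.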

Verify Before You Fly: Testing and Versioning Made Simple

In the world of software, building a rule is only half the battle; knowing it works and safely deploying it into production is where the stress really is.

Interactive Policy Testing

CRAFT includes a built-in testing sandbox where you can simulate real-world scenarios. Before you deploy, you can:

  • Toggle Input Values: Manually alter user attributes, resource types, or environmental factors (like time or location).
  • Instant Validation: Instantly see exactly how the policy reacts to those changes. If the output isn't what you expected, simply tweak the logic and re-test, all within seconds.
  • Eliminate Guesswork: Have 100% confidence that your "Plain English" rule translates perfectly into technical enforcement.
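The same toggle-and-check loop can be captured as OPA unit tests so it runs on every policy version. This is an added example, not CRAFT's sandbox, and it assumes a policy package named craft.finance exposing an allow rule over the subject, resource, action and context.time_ns input fields; the request values and timestamps are constructed for the illustration.

```rego
# Added example (not CRAFT's own sandbox): OPA unit tests that toggle one
# input attribute at a time and check the decision, runnable with `opa test`.
package craft.finance_test

import rego.v1

import data.craft.finance

# Constructed request: a Finance manager approving a $25,000 transaction
# on Monday 2024-01-08 at 10:00 UTC (nanoseconds since the Unix epoch).
base_request := {
	"subject": {"role": "manager", "department": "Finance"},
	"action": "approve",
	"resource": {"type": "transaction", "amount": 25000},
	"context": {"time_ns": 1704708000000000000},
}

# Happy path: every attribute satisfies the rule.
test_finance_manager_in_hours_allowed if {
	finance.allow with input as base_request
}

# Toggle the subject: same role, different department.
test_other_department_denied if {
	req := object.union(base_request, {"subject": {"role": "manager", "department": "Engineering"}})
	not finance.allow with input as req
}

# Toggle the object: amount at the threshold boundary is not "over $10,000".
test_threshold_amount_denied if {
	req := object.union(base_request, {"resource": {"type": "transaction", "amount": 10000}})
	not finance.allow with input as req
}

# Toggle the environment: Saturday 2024-01-13 at 10:00 UTC.
test_weekend_denied if {
	req := object.union(base_request, {"context": {"time_ns": 1705140000000000000}})
	not finance.allow with input as req
}
```

Each test changes exactly one attribute group, so a failing test names the condition whose enforcement drifted from the plain-English intent.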

Seamless Versioning and Promotion

Modern fintech environments require strict governance. CRAFT handles this with a robust versioning system instead of simply overwriting security logic:

  • Automatic Versioning: Every time you update a policy, CRAFT generates a new version. This creates a clear audit trail of who changed what and when, making compliance reporting a breeze.
  • Effortless Promotion: With CRAFT, promoting a specific version of a rule between environments is as simple as a few clicks. There's no need to manually migrate a rule from Development to Staging and then to Production. This ensures that the exact rule you tested in dev is the same one protecting your live data.

By combining real-time testing with automated version control, CRAFT makes authorization both faster and safer.

Experience the No-Code Revolution

By moving to CRAFT, you gain a business edge: You reduce engineering debt, eliminate compliance lag, and empower your product teams to move faster.

Ready to revolutionize your access control? Stop hard-coding your future and start CRAFTing it.


About the Author

Marxmine Cherian

Marxmine is a Senior Software Engineer on the Application Engineering Team at Zero Pixels, where she oversees the development of multiple projects, combining technical expertise with a passion for secure and scalable software.