Open Policy Agent (OPA): General-Purpose Policy Engine
AWS Cedar: Application-Level Authorization Focus
Google Zanzibar: Graph-Based Relationship Modeling
In this analysis, we'll examine three leading policy engine approaches: Open Policy Agent (OPA), AWS Cedar, and Google Zanzibar. Each tool features a different authorization approach, spanning general-purpose policy enforcement to application-specific design to relationship-based modeling. We'll also explore the benefits of Authorization as a Service (AaaS) platforms (like Oso) that shift your permissions logic into its own layer, creating a single source of truth for access control.
Here's what we'll examine to help you evaluate authorization solutions:
Let's dive into how these approaches handle real-world authorization challenges.
Open Policy Agent is an open-source policy engine for policy enforcement across your stack. With OPA, you use the declarative Rego language to implement policy-as-code across microservices, Kubernetes, and other infrastructure components.
Policy-as-Code Implementation: OPA provides unified policy enforcement across the stack , enabling policies to be versioned, tested, and reviewed using standard development practices. This approach brings software engineering discipline to authorization logic.
Interoperability. OPA can process data from external systems in the data’s native format. Rego (OPA’s rules engine) can transform and inspect data as needed during evaluation to make authorization decisions. This design champions interoperability with third-party systems and makes OPA well-suited for machine-to-machine systems.
Open Source: For companies that prefer open source software, OPA is a strong fit with its Apache 2.0 license. OPA has fostered a strong open source community, with ample custom plugins available.
OPA's Implementation Challenges
Rego Learning Curve: The Rego language operates more like logical programming languages (Datalog, Prolog) than familiar imperative languages. This creates a significant learning curve for most development teams, requiring dedicated time investment to achieve proficiency.
A simple OPA policy looks like the following:
package authz
import rego.v1
allow if {
input.method == "GET"
input.path[0] == "users"
input.user.role == "admin"
}
allow if {
input.method == "GET"
input.path[0] == "users"
input.path[1] == input.user.id
}Operational Complexity: OPA deployments require careful consideration of data distribution, policy updates, and synchronization across instances. The challenge of keeping policy agents up-to-date is especially hard in applications where each user interaction may affect access-control decisions [3].
Real-Time Data Integration: Especially for products with dynamic authorization data, developers need additional infrastructure to handle real-time updates, adding operational overhead.
Performance. OPA can struggle with scaling, especially for applications with heavy clustering. To address this, OPA has documented work-arounds, but all of these add operational overhead.
Commercial backing: In August 2025, Apple hired the maintainers of OPA with plans to sunset the enterprise offerings. This has significantly raised doubts in OPA’s future, as OPA’s maintainers might not be able to pursue OPA’s roadmap without an underpinning financial incentive.
OPA works well for teams that:
AWS Cedar represents a newer approach to policy-as-code, specifically designed for application-level authorization with emphasis on readability and safety-oriented design.
Human-Readable Policies: Cedar was designed to allow defining fine-grained, role-based access control (RBAC) and attribute-based access control (ABAC) policies in a safe, fast, and auditable way [4]. The syntax aims to be more intuitive than Rego for application developers.
Here's a Cedar policy example:
permit (
principal == PhotoApp::User::"meghan",
action == PhotoApp::Action::"viewPhoto",
resource == PhotoApp::Photo::"vacationPhoto.jpg"
);
permit (
principal == PhotoApp::User::"stephie",
action == PhotoApp::Action::"viewPhoto",
resource
)
when { resource in PhotoApp::Account::"stephie" };Application-Specific Focus: Unlike OPA's general-purpose design, Cedar targets application authorization scenarios directly, providing relevant primitives and patterns for common use cases.
Cedar's Current Limitations
AWS Ecosystem Bias: AWS maintains Cedar as open source software. While open source, it’s designed to work within an AWS architecture.
Ecosystem Maturity: Cedar has limited tooling and smaller community support compared to more established alternatives. This means fewer integrations, tutorials, and community resources compared to alternatives like OPA.
Operational Requirements: Despite being application-focused, Cedar still requires teams to handle deployment, scaling, and synchronization concerns. You're responsible for the infrastructure that runs your authorization decisions.
Cedar fits well for teams that:
Google's Zanzibar paper introduced a relationship-based authorization model that excels at managing complex hierarchies and permissions through graph structures. However, while hypothetically versatile, implementing a Zanzibar-like system is difficult for the following reasons:
Hierarchical Permission Management: Zanzibar-inspired systems provide fine-grained authorization through relationship-based access control (ReBAC), designed for high-scale, low-latency access control [4]. By using a graph-based data structure, nested relationships could be captured alongside their inherited permissions.
The Zanzibar model represents permissions as relationship tuples such as the following:
document:budget.xlsx#viewer@user:10 such as the following, where Alice is user ID 10:
folder:reports#owner@user:bob
folder:reports#viewer@group:managers#memberThese tuples denote the asset, asset type, the relationship, the user, and the user’s groups.
Google-Scale Validation: Zanzibar powers authorization across hundreds of Google services, including Calendar, Drive, Maps, and YouTube, demonstrating its capability at massive scale. Zanzibar requires centralized enforcement, where a single policy engine handles authorization for the entire ecosystem.
Centralization Requirements: Zanzibar introduces system complexity by requiring centralization of all authorization data . This architectural decision works for Google's scale but creates significant infrastructure overhead for most organizations.
Performance Trade-offs: Because Zanzibar’s data is centralized, there are inherent performance overheads of keeping authorization strongly consistent across all nodes.
Implementation Expertise: Unlike straightforward policy approaches, Zanzibar requires understanding object hierarchies, relationship tuples, and graph traversal algorithms [5]. Teams need specialized knowledge in graph databases and distributed systems.
Zanzibar-inspired approaches work best for:
While traditional policy engines require significant infrastructure investment, authorization as a service platforms represent a different approach to solving authorization complexity. Platforms like Oso provide authorization as a service, making sophisticated access control accessible through simple API calls [6].
Infrastructure Elimination: Authorization as a service provides idiomatic SDKs, inline policy tests, logging, regression testing, and debugging built-in, removing the operational burden of managing policy engines, synchronization, and scaling within your code.
Performance Without Complexity: Platforms like Oso deliver sub-10ms latency through geo-replicated environments without requiring teams to become experts in distributed systems optimization.
Unified Access Models: Modern platforms unify RBAC, ReBAC, and ABAC into a single framework, allowing teams to start simple and add complexity as needed .
Here's how authorization as a service simplifies implementation:
# Traditional approach - custom authorization logic
def can_edit_document(user, document):
if user.role == "admin":
return True
elif user.id == document.owner_id:
return True
elif user.id in document.collaborators and document.allow_edit:
return True
# Handle team permissions, time-based access, etc.
return False
# Authorization as a service approach
result = oso.authorize(user, "edit", document)
return result.allowedEngineering leaders are adopting the as-a-service model for authorization, similar to how they've embraced services for feature flags and authentication [6]. Companies like Oyster, Webflow, and Duolingo use an Authorization as a Service model (via Oso).
Teams report implementing custom authorization solutions in minutes rather than weeks, choosing service-based approaches for developer experience, performance, and flexibility .
Each authorization approach offers distinct trade-offs:
Open Policy Agent provides maximum flexibility and works well for teams with policy engine expertise who need infrastructure-wide policy enforcement. The investment in learning Rego and managing OPA infrastructure pays off for complex, multi-service architectures.
AWS Cedar offers improved readability over OPA while maintaining policy-as-code benefits. It's suitable for teams comfortable with AWS ecosystem alignment and willing to invest in a newer technology.
Google Zanzibar excels at relationship-based authorization for large-scale applications but requires significant infrastructure investment and specialized expertise in graph-based systems.
Authorization as a Service platforms eliminate infrastructure complexity while providing enterprise-grade performance and flexibility. This approach is particularly well-suited for teams implementing application authorization models without the overhead of managing policy engines.
Access control is fundamental to application security and user experience. Investing time in choosing the right approach pays dividends throughout your application's lifecycle .
The key is matching the solution complexity to your actual requirements while considering your team's expertise and operational capacity. For many development teams, the operational simplicity and comprehensive feature set of authorization as a service platforms like Oso Cloud provide the best balance of capability and practicality.
Ready to explore how authorization as a service can simplify your implementation while providing enterprise-grade capabilities? Learn more about Oso Cloud and see how modern authorization can accelerate your development without the infrastructure overhead.
[1] https://anders-opa.netlify.app/docs/latest/policy-performance/
[2] https://pangea.cloud/blog/rbac-vs-rebac-vs-abac/
[3] https://docs.opal.ac/getting-started/intro/
[4] https://goteleport.com/blog/benchmarking-policy-languages/
[6] https://www.linkedin.com/company/osohq