The Authorization TCO Framework from Oso

Cut through the guesswork. This framework helps you calculate the real costs of building, self-hosting, or buying authorization.

Thanks – We'll be in touch soon!
Oops! Something went wrong while submitting the form.
SCROLL

Authorization is one of the hardest problems to scope—and one of the easiest to underestimate.

This framework helps you calculate its Total Cost of Ownership (TCO) across every phase of the authorization lifecycle, giving you the clarity to make smart, long-term decisions about whether to build, self-host, or buy a fully-managed solution.

Why a TCO Framework?

When you start building your apps and services, authorization requirements are typically easy to address. But over time, authorization questions and logic become more complex.

If you find yourself answering “YES” to any of the following, it's time to start evaluating what comes next.

Are you still relying on hard-coded roles buried deep in your app code?

Are business stakeholders frustrated by how long it takes to ship new features?

Do you need more than RBAC — e.g. ReBAC, ABAC, custom roles, field level access — to handle increasingly sophisticated needs?

Are you trying to integrate access controls across LLMs and vector databases?

Are you juggling access control across tenants, teams, and services?

Are you risking security due to fragile edge cases?

You’ll weigh technical and organizational tradeoffs based on your stack, your team, and your growth stage. But one factor cuts across every decision: total cost of ownership. Until now, there’s been no consistent, reliable way to measure it.

That’s why we built the Oso TCO Framework for Authorization—breaking TCO into clear, comparable categories across the full project lifecycle.


Comparing potential authorization options

There are four options most engineering teams consider as they plan their authorization strategy. Understanding the TCO of each option is a crucial factor in your decision making. Therefore we compare these options across each phase of the authorization lifecycle in the TCO framework below.

  1. Build it yourself

  2. Self-hosted solution

    These are packaged authorization offerings that are often loosely inspired by high-level ideas from Google Zanzibar.

  3. Hosted Zanzibar clone

    These are managed versions of the packaged authorization software above.

  4. Oso

    Use the fully-managed authorization service from Oso


Authorization Lifecycle Phases

The following tables estimate the full lifecycle cost of an authorization solution—spanning development, deployment, and ongoing operations.

These estimates are based on patterns the Oso team has observed across hundreds of customer engagements.

Lifecycle Phase: Development

The development phase covers the foundational work of designing and implementing the authorization system—defining the model (or building it from scratch for custom solutions), mapping query patterns, and ensuring data stays synchronized between the application and authorization layers.

The values in each Solution column represent engineering-months (number of engineers × months required to complete the activity).

Development activity & key considerations
Build it yourself
Self-hosted solution
Managed solution

Authorization model

  • Required authorization models
  • Common authorization patterns
  • Specialized authorization requirements
18
12
12
1

Data model

  • Schema design
  • Runtime data access
3
2
2
0

Query patterns

  • List filtering use cases
  • Authorization data source
  • Pre-defined and dynamic queries
9
6
6
0

Data sync

  • Volume of data to sync
  • Build vs buy a data sync solution
  • Required data consistency
13
8.5
8.5
1.5

Data reconciliation

  • Drift detection
  • Drift reconciliation
  • Performance implications
4
2.5
2.5
0.5
Total Engineering Months
47
31
31
3

Lifecycle Phase: Operational and Deployment Readiness

This phase accounts for the engineering effort required to make an authorization system production-ready. It includes building out performance optimizations, ensuring high availability, auditing activity in the system, and executing on a developer adoption strategy.

Development activity & key considerations
Build it yourself
Self-hosted solution
Managed solution

Performance optimization

  • Indexing strategy
  • Caching strategy
  • Load testing
12
8
1
0

Uptime and reslilience

  • Uptime target
  • Failure scenarios
  • Backup and DR
  • Observability
  • Upgrades
16
10.5
4
2

Auditing

  • Authorization patterns
  • Change controls
  • Audit log storage and query
9
6
2
1

Developer adoption

  • Engineer re/up-skilling
  • Debug and test
  • App changes and abstractions
  • Rollout strategy
8
5
2
1
Total Engineering Months
45
29.5
9
4

Lifecycle Phase: Ongoing Solution Effort

Ongoing costs capture the long-term investment required to operate, maintain, and extend the authorization system after initial deployment. This includes on-call support, handling internal developer requests, bug fixes, system upgrades, and the infrastructure required to keep the system performant and reliable at scale.

Cost metrics are expressed as the number of engineering FTEs required per annum, along with the annual recurring costs for systems infrastructure.

Development activity & key considerations
Build it yourself
Self-hosted solution
Managed solution

Maintenance and ops

  • Support
  • Remediation
  • Evolution and upgrades
2
2
1
0.5

Infrastructure

  • Compute and storage
  • Networking
  • Caching
  • Load balancer
  • Database
$ required
$ required
Included in service cost
Included in service cost

3-Year Authorization TCO Estimate

As the table below shows, compared to a custom solution…

Self-hosted solution is 68% of the cost
Managed solution is 39% of the cost
Oso is 17% of the cost

What's more, Oso requires 85 fewer engineering months over 7 years when compared to the custom solution!

The following table consolidates efforts and costs across each phase of the authorization lifecycle, normalizing them to 100% of the 3-year cost for the custom solution (the most expensive option).

Cost category
Build it yourself
Self-hosted solution
Managed solution

Development (eng-months)

47
31
31
3

Deployment (eng-months)

45
29.5
9
4

Ongoing (eng FTEs + infrastructure costs per annum)

2 FTEs + infrastructure costs
2 FTEs + infrastructure costs
1 FTE + service cost
0.5 FTE + service cost
3-Year Total Cost of Ownership
100%
68%
39%
17%

Why is Oso's TCO so much lower than other authorization solutions? The table below summarizes the key cost drivers for each solution.

Build a custom solution

Provides for maximum control—but expect high upfront costs, long timelines, and a growing support burden. It takes a dedicated team to build and maintain.

Self-host dedicated authorization software

Open source options— often loosely inspired by high-level ideas from Google Zanzibar—offer a starting point. But they still require significant custom development to get production-ready. You'll need to adapt to their ReBAC-only models, build around query limitations, and create your own data sync and drift-handling tooling. You’ll also need to build and manage all of the operational concerns in running the service for your apps.

Use a hosted service

These services, based on the loosely Zanzibar-inspired systems mentioned in option 2 above, reduce operational overhead compared to self-hosted solutions. But they still require custom development to match the ReBAC-centric design and overcome the list filtering limitations discussed earlier. As with any managed service, a third-party dependency is introduced on the application’s critical path.

Fully-managed authorization service

Purpose built for application authorization, it comes with native support for RBAC, ReBAC, ABAC models. Unlike the managed Zanzibar imitations, Oso allows teams to keep authorization data local to the application tier as needed, limiting and in many cases avoiding the need to centralize authorization data. It also supports the most complex queries and list filtering use cases natively. The third party dependency noted for the fully managed Zanzibar-like solutions also applies to Oso.