
Securing the Future of Master Data
Founded in 2013 and rooted in the research of Turing Award winner Mike Stonebraker at MIT’s Computer Science and AI Lab, Tamr offers an AI-native Master Data Management (MDM) solution designed to deliver real-time, high-quality “Golden Records” for use across dashboards, applications, and business users.
The company’s patented approach blends machine learning with human-in-the-loop refinement to accelerate the discovery, enrichment, and ongoing maintenance of master data—powering both analytical and operational use cases at scale. Tamr is trusted by enterprises such as Old Mutual, CHG Healthcare, Santander, Toyota, and Western Union.
Tamr’s global cloud service for MDM requires both robust security and high-performance infrastructure. Leading the charge is Nick Laferriere, Tamr’s Head of Engineering. “I’m responsible for our cloud product offering, the execution of our engineering organization, and our technical operations, which includes security processes and systems,” Nick explains.
This means ensuring that Tamr’s platform—handling highly sensitive data for its customers—is protected by rigorous authorization controls. It’s critical that those controls scale with customer expectations while supporting the development velocity needed to ship new features quickly. That is why Tamr turned to Oso.
Enterprise-Grade Authorization for PII, Golden Records, and Regional Compliance
Tamr’s platform handles some of the most sensitive and business-critical data within large enterprises—everything from customer, supplier, and employee records to product data. Often referred to as “golden records,” these represent the definitive source of truth for many organizations. Much of this data is commercially sensitive, and some of it constitutes personally identifiable information (PII) regulated by frameworks like GDPR in Europe and CCPA in California. In practice, that means Tamr acts as a data sub-processor for its clients, bearing an immense responsibility to enforce precise controls around who can view, edit, and share specific data.
Within this environment, authorization must be not only robust but also configurable at a granular level. “For example,” Nick Laferriere explains, “Toyota Motor Group Europe is almost fully independent from Toyota Motors US, and then from Japan. You can’t take a role from one region and map it directly to a role in another. They have very sensitive and regulated permissions around their users which can also vary by country.”
This level of complexity demands more than just static role-based access; Tamr is increasingly leveraging attribute-based access control (ABAC) to handle fine-grained requirements like restricting PII or allowing specific users only partial visibility. In Nick’s words, “Some people can see almost nothing—they can set up a connection to a data warehouse without being able to see any underlying data.”
Consequently, Tamr required an authorization solution that could handle flexible, fine-grained roles, resource hierarchies, and field-level permissions, along with role-based access control (RBAC) and attribute-based access control (ABAC) — ultimately leading them to seek out a more flexible, modern approach.

The Hidden Cost of DIY Authorization
Prior to adopting Oso, Tamr relied on a self-hosted deployment of the open-source platform Keycloak to manage authorization, layered with custom role-based rules. But as customer demands grew more complex and the platform scaled, the limitations of this approach became increasingly apparent. While Tamr needed a system capable of handling fine-grained access control—such as assigning permissions based on both user roles and specific attributes—Keycloak lacked the flexibility to support these patterns effectively.
“As the number of resources we had to track went up, it was not performing as well as we’d like. What had initially served us well gradually became less effective—we noticed decreasing performance, rising infrastructure costs, and administrative overhead started to pile up.”
- Nick Laferriere, Head of Engineering
Tamr had already taken steps to modernize authentication by switching to Auth0. The next logical step was to replace Keycloak with a system purpose-built for scalable, expressive authorization.
“We needed a more modern approach—something that could evolve with our product and support real-world enterprise use cases.”
- Nick Laferriere, Head of Engineering
From Bake-Off to Buy-In: Oso’s Path to Selection
Tamr performed a thorough evaluation of industry options for flexible, fine-grained authorization. Nick and his team ran a “bake off” between SpiceDB, OpenFGA, and Oso. A significant differentiator was developer experience, measured by how quickly and smoothly the Tamr engineering team could get a sample app up and running with fine-grained authorization permissions.
“We were able to build and deploy a sample app with Oso in an afternoon versus several days for the others. It was significantly faster to get started out of the box.”
- Nick Laferriere, Head of Engineering
Beyond time to value, the engineering team immediately saw advantages in Oso’s Polar programming language. Polar made it far easier for them to express complex authorization logic and policies clearly and concisely, resulting in cleaner, more maintainable policies.
Nick said, “This was especially important for a team constantly shipping new features—authorization requirements evolve with every product change, and Oso’s design made it simple to extend and adapt policies over time.”
The clarity of the syntax also meant that new developers could ramp up quickly, reducing onboarding friction and accelerating team productivity.

Additionally, the desire for a managed service was paramount: Nick’s team has a dozen environments—production, dev, test, staging—used by different teams. Trying to coordinate all of those with a self-hosted open source solution would have been very complex and expensive.
“Once you factor in engineering time, Oso ends up being far more cost effective.”
- Nick Laferriere, Head of Engineering
Geo-Replicated, Always Up and Always Fast For Any Microservice
Tamr went live with Oso in mid-2024. Nick’s team has mapped Oso Cloud into their Google Cloud Platform (GCP) regions around the world, ensuring the authorization service is close to the Tamr platform.

Tamr’s microservices, mostly Java with some Spring and heavy gRPC usage, call Oso through a lightweight wrapper that populates user session data.
“Oso handles our queries with consistent sub-10ms latency no matter where our users are in the world, and all with no downtime.”
- Nick Laferriere, Head of Engineering
To further enhance resilience and performance, Tamr engineers take advantage of the Oso-provided fallback node, enabling continued authorization checks even if connectivity to Oso Cloud is temporarily disrupted. “Our SRE team really likes this as a mitigation,” says Nick.
From Overhead to Velocity: How Oso Transformed Tamr’s Authorization
Adopting Oso has delivered Tamr a step-function improvement in how they manage authorization across their platform. By moving away from a brittle, self-hosted Keycloak deployment, Tamr dramatically reduces operational overhead.
“With Keycloak, we were spending 25–30% of a full-time DevOps engineer’s time just keeping the system running—upgrades, scaling, monitoring across all our environments. With Oso, that overhead has essentially gone to zero.”
- Nick Laferriere, Head of Engineering
Oso Cloud allows the team to scale authorization seamlessly across a dozen environments, eliminating the pain of managing upgrades, infrastructure, and monitoring across dev, test, staging, and production. Latency and reliability are exceptional, with sub-10ms response times and no downtime since going live.
Beyond infrastructure savings, Tamr has seen a significant boost in engineering velocity and cross-team collaboration. Developers can now express complex authorization rules more clearly using Polar. This has made policies easier to read, extend, and maintain—crucial for a team constantly shipping new features. It has also created a shared language between product and engineering, replacing spreadsheets and diagrams with policies and authorization logic declared as code. This makes defining new products and services faster and more efficient.
The benefits of Oso will continue to be realized into the future. Nick believes global roles will no longer be a pattern for enterprise software. Instead, every new feature we add will have its own permission model.
“Oso gives us the flexibility and scalability we need to meet enterprise-grade security and compliance requirements. As we layer on more fine-grained, attribute-based permissions, we know Oso can evolve with us.”
- Nick Laferriere, Head of Engineering
Key Lessons for Engineering Leaders to Get Started
One of the biggest takeaways from Tamr’s journey is simply awareness: many engineering leaders don’t realize that fine-grained authorization is no longer the hugely complex problem it once was.
“Discovering Oso is a big part of the battle. A few years ago, the options were limited—teams either built homegrown systems or made do with whatever limited authorization capabilities were bundled into their web frameworks. That’s no longer the case. Modern, purpose-built solutions like Oso now exist—and they scale.”
- Nick Laferriere, Head of Engineering
For Nick, the calculus is simple: engineers should focus on core business value, not reinventing infrastructure primitives. “I don’t want my team spending time writing code and managing systems that aren’t central to what we do,” he explains. With Oso in place, Tamr can confidently offload the complexity of authorization and move faster on what matters most—shipping features, improving UX, and securing sensitive customer data.
The lesson for other technical leaders? Take a hard look at how much time your engineers are spending on non-differentiated work. Authorization is critical, but it doesn’t need to be built from scratch. With the right foundation, you can model permissions the right way from the start—and unlock long-term agility, security, and operational leverage.
What’s the best way to get started? Book a meeting with an Oso engineer.
At a glance
- Industry: Technology, SaaS
- Use Case: AI-native Master Data Management
- Region: Global
CHALLENGE
- Struggled to scale authorization for sensitive, regulated enterprise data, due to rigid, role-based models that couldn’t support the fine-grained, attribute-based permissions required to meet customer expectations or compliance requirements.
- Authorization infrastructure consumed significant DevOps capacity, with Keycloak requiring 25–30% of an engineer’s time for maintenance, upgrades, and monitoring.
- The absence of commercial support or best practices created risk and inconsistency, with internal teams left to troubleshoot complex policy logic on their own.
SOLUTION
- Replaced Keycloak with Oso Cloud, a fully managed authorization service, eliminating infrastructure overhead and enabling consistent access control across global environments.
- Enabled fine-grained RBAC and ABAC using Polar, giving engineers a rich, expressive language to model complex, real-world access patterns.
- Used geo-replicated Oso environments for low-latency, high-availability access, with a failover node to ensure resilience and uninterrupted service.
RESULTS
- Cut time-to-deployment compared to other vendors, allowing the team to stand up a working sample app in a single afternoon. In production, Oso is operating with zero downtime and consistent sub-10ms latency anywhere in the world.
- Reduces overhead from 30% of DevOps engineer time to near-zero, freeing up engineering time by eliminating the need to maintain a self-hosted authorization stack.
- Positions Tamr to scale securely into the future, with an authorization foundation built for evolving compliance, feature growth, and customer demands.