Today, the threat of misconfigured permissions is significantly greater. Why? Two words: artificial intelligence or AI.
Enterprise organizations have always cared about permissions in order to protect resources, meet compliance rules, and honor customer contracts. A user might be over-permissioned and gain access to [add example]. But once teams catch these mistakes, they quickly rectify them, and business moves on as usual.
Everything changes when you’re using AI. AI agents are accessing data, sending emails, and making changes. But AI agents aren’t humans—they’re faster and riskier. With humans, a mistake is a mistake. With AI, a single mistake can quickly cascade into a litany of mistakes. This is due to three traits:
Multi-System. Agents rarely query a single system. They assemble responses by pulling data from CRMs, file stores, and databases in parallel. This includes read and write access. If an agent makes a bad request for one piece of data, it can contaminate multiple data stores. Even worse, with write access an agent can carryout destructive actions, deleting or overwriting data.
Scale. An analyst might run five queries in an afternoon. An agent might issue thousands in seconds. We’ve long accepted some over-permissioning of humans, because humans are limited by time. But with an agent, even a little over-permissioning can snowball into a volume of exposure that security teams cannot reasonably review in time.
Blind Execution. Once an agent has a token, it keeps going until expiration. It does not ask whether the user has been off-boarded or whether the device posture has changed. The system “just works”. But that seamlessness conceals a gap. Each request may quietly bypass risk signals that a human would recognize.
Given these risks, I’d describe agents as powerful, but precarious entities. They amplify a user’s capacity, but they also accelerate the consequences of bad assumptions. The solution—which is more of a precaution than a cure—is context-aware permissions. Instead of binding an AI agent’s access to a static role, it double-checks every decision to the live state of the request. For example, a conventionally day-time access financial application might gate access if sudden requests are made at 3am.
As a player in the authorization space, we wanted to write a piece on this growing issue. In this article, we’ll take a look at how context-aware models work and what patterns are gaining adoption. Then, we’ll also go over some of the challenges to consider when these practices are implemented at scale.
Understanding the Risk
While context-aware permissions undoubtedly reduce risk in practice, what exactly is the risk? In other words, without these safeguards, what is the worst that can happen? The answer: a lot. Let’s walk through three examples.
Customer Data Exposure
An AI support bot might be tasked to pull information from a CRM to load it into another system (e.g. Snowflake) or dispatch emails. However, if this AI support bot has a stale token and therefore outdated permissions, it might end up sharing customer information that it wasn’t delegated to access. While perhaps benign in theory, this is dangerous in practice because it might violate customer data custody contracts, posing legal risks.
Information Misconfiguration
If an AI agent routinely pulls information from databases, but has mis-scoped access, then it might pull excessive information into a query that wasn’t supposed to be aggregated. For instance, imagine if an AI agent strictly is supposed to pull information about test accounts from a database, but poor access controls enable it to pull information about any accounts. Suddenly, the agent might leak customer data.
Uncontrolled Bulk Actions
An AI agent might be tasked to clean-up accounts that were strictly cataloged for deletion. However, if the agent has too broad access, the agent might accidentally delete every account because of the model’s non-deterministic nature (or, just as likely, a poorly worded prompt). More generally, if teams fail to control an AI agent, it could wipe out terabytes of information in minutes.
Evaluating Access Against Live Signals
Context-aware permissioning evaluates each request against signals. The authorization server draws these signals from the environment surrounding the request. For example, certain signals might mark a managed laptop with recent patches as a lesser risk profile than a personal smartphone on public Wi-Fi.
Network matters too. Traffic over a corporate VPN is treated differently than the same query routed through public wifi. Time, too, can shift risk scores. A lookup at 2 p.m. on a workday looks normal, but a sudden surge of queries at midnight can raise suspicion. In other words, context isn’t fixed. It moves with the user, the device, and the workload.
The responses could be just as dynamic. Instead of a binary yes/no, agents adapt to risk. In a low-risk context, results return in full. The same query, issued from a higher-risk environment, might be trimmed to read-only or have sensitive fields masked.
This adaptability is what keeps resilient AI systems going. Agents can run continuously across multiple sources without pausing for manual checks. Yet, their reach is always bounded by the live signals surrounding the request. Context-aware permissioning doesn’t just check who the user is. It also checks whether the system should grant access in this specific time, place, and condition.
How Teams Put Context-Aware Models into Practice
What makes context-aware permissioning challenging is the trade-offs. Every approach buys security at the cost of latency, complexity, or integration overhead. The patterns below demonstrate some common benefits of context-aware permissioning alongside their caveats.
Conditional Delegation with Context Scoping
Traditional delegations work on a simple premise: The agent inherits a human user’s identity and its scope of access stays fixed until the token expires. While a good start, this approach doesn’t factor the risk of human error or a user being over-permissioned.
Conditional delegation replaces that static inheritance with a dynamic exchange. Each time the agent presents a user token, a policy decision point (or PDP) evaluates the surrounding signals. Then, it issues a downstream credential trimmed to fit these conditions.
The effect is finer-grained control. A developer role may keep write privileges in staging, but if the same developer’s laptop starts to drift out of compliance, the PDP can automatically downgrade production access to read-only.
There is a catch, however: operational overhead. PDPs need real-time feeds from these downstream services. Teams face messy work when they stitch those signals together across their ecosystem.
Mid-Session Risk Re-Evaluation
Systems that rely on static tokens (e.g., JWTs) assume that an issuer’s status never changes during the token’s lifetime. But the reality is that a user may be off-boarded mid-shift or a device could fall out of compliance. The chances are (fairly) low, but the consequences can be damaging, such as a user accessing a bank account that they’ve been removed from.
Mid-session risk re-evaluation removes that blind spot by treating tokens as ephemeral. Systems modeled after Continuous Access Evaluation (CAE) don’t wait for expiration. Instead, they use revocation channels to terminate sessions when token permissions change.
The trade-off is latency and coordination. Each re-check adds a performance hit, and revocation requires tighter integration across downstream services. But for workloads where a single unauthorized request can expose extremely sensitive info—such as patient data in a healthcare application where access is ephemerally granted to care providers—the cost of stale permissions might be worth the cost of extra milliseconds.
Adaptive Responses
Most enterprises treat access as a binary switch: grant or deny. That rigidity often hinders AI agents that operate in workflows with many un-deterministic steps. A deny blocks all data, but it also stops the agent from moving forward.
Adaptive responses offer a middle ground. Instead of completely shutting the agent down, the system throttles request rates to slow any potential damage. Or, it routes results through human review before release. The agent keeps functioning, but with some guardrails.
The ability to degrade gracefully is especially valuable in AI systems where availability is a priority. Customer support bots or compliance review assistants can’t just error out on every elevated risk. By applying tiered responses, we are able to strike a balance to keep the system operational.
However, implementing this is quite complex. Policies need fine-grained enforcement, sometimes down to the field level. Additionally, transparency matters. Logs and audit trails must explain why the system masked a field or throttled a query so that security teams can reconstruct decisions months later.
Behavioral Context as Input
Additionally, an agent’s behavior is a signal. Agents leave trails of telemetry in the form of query patterns, download volume, request timing, and more. A sudden spike of bulk exports or simultaneous logins from distant regions suggests elevated risk.
Developers can account for this risk with behavior-based checks. Humans might take hours to manually exfiltrate a dataset. An agent can do the same in less than a second if left unchecked. When developers feed behavioral signals into the PDP, the system can automatically catch and respond to misuse without waiting for human review.
The hard part is calibration. Thresholds set too tightly flood users with re-authentication prompts while thresholds set too loosely let anomalies slip past. To reach higher-confidence decisions, most enterprises blend behavior scores with other context inputs (i.e., device posture, network, location).
Closing Thoughts
Context-aware permissions are straightforward in principle. You evaluate live signals, trim scope, and adapt to risk. In practice, adoption is harder. Every extra check adds latency. Fragmented systems send signals asynchronously. Developers must add extra checks for complex token exchange flows. And the system must log each masked field or throttled request clearly enough for security teams to explain six months later.
Still, the investment pays off for sensitive applications. Role-based access defines what a user should be able to do, but only context-aware permissions ensures those guarantees hold in the moment. It ties identity to the live conditions of a request to make AI agents more predictable.
That shift works best when authorization is centralized. Tools like Oso provide a control plane where policies are defined once and enforced consistently across apps and APIs. Instead of rewriting context checks for every service, teams can use Oso to manage them centrally.
If you would like to learn more, check out the LLM Authorization chapter in our Authorization Academy.
FAQ
What is context-aware permissioning?
It’s an access model where each request is evaluated against live conditions (i.e. device posture, network, behavior) rather than relying only on static roles assigned at login.
Why aren’t static roles enough for AI agents?
Static roles assume conditions don’t change mid-session. But agents run at machine speed, often across multiple systems. A stale token can keep working even after a user is off-boarded or a device falls out of compliance.
What’s the risk of using service accounts for agents?
Service accounts usually hold broad, long-lived privileges. When an agent runs under one, it bypasses user-specific roles and revocations, turning a single integration into a systemic exposure point.
What is mid-session risk re-evaluation?
It’s a mechanism where tokens are short-lived and continuously re-validated. If risk signals change (like a device falling out of compliance), systems can revoke sessions immediately rather than waiting for expiration.
What are adaptive responses?
Adaptive responses replace binary “grant or deny” outcomes with graduated actions. Instead of blocking an agent entirely, systems can redact sensitive fields, throttle request rates, or require human approval.
How does behavioral context factor into permissioning?
Agents generate telemetry (query patterns, data volume, request timing) that can be scored against baselines. Sudden anomalies trigger re-evaluation.
Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) are common ways to design permissions within an application. Policy-Based Access Control (PBAC) is a method of implementing access control – whether RBAC or ABAC – where you decouple your policy from your code.
RBAC ties permissions to roles like Owner, Editor, or Viewer that directly map to permissions. It’s easy to start with, but it creates “role explosion” and becomes rigid as systems grow.
ABAC introduces flexibility by factoring in user attributes, resource metadata, and context, such as time or location. It enables dynamic decisions but is harder to manage, test, and optimize at scale.
PBAC takes central control by using explicit, auditable policies that combine roles, attributes, and direct permissions. Tools like Oso enable teams to implement these policies declaratively, keeping authorization consistent and testable across services.
Oso also supports ReBAC (Relationship-Based Access Control), which defines permissions based on relationships such as manager-of, member-of, or owner-of. (While this article focuses on RBAC, ABAC, and PBAC, we touch on how ReBAC fits into unified, policy-driven authorization systems here.)
In microservices, authorization logic tends to fragment over time. What begins as a few role checks in one service expands into rules based on user attributes, resource metadata, and environmental conditions like time or region. When these rules are implemented separately across APIs, jobs, and frontends, ensuring consistent access control becomes difficult.
This post explains how to design authorization that remains consistent and maintainable across services. It covers three access-control models: RBAC, ABAC, and PBAC, and how they fit together:
RBAC maps users to predefined roles and permissions.
ABAC evaluates user, resource, and contextual attributes for more granular control.
PBAC centralizes all authorization logic in policies evaluated by a policy engine.
Using Oso and its Polar language, we’ll look at how to define RBAC and ABAC declaratively and enforce them through PBAC for reliable authorization across distributed environments.
Access Control Models That Shape Secure Systems
In cloud-native systems and distributed applications, controlling who can access which resources and under what conditions is a pillar of security architecture and operational discipline. Access-control models provide structured ways to enforce these decisions, ranging from static, role-based assignments to dynamic, attribute-driven evaluations. The two foundational models most organizations rely on are RBAC and ABAC, each addressing different levels of granularity and complexity.
RBAC: Role-to-Permission Mapping for Predictable Systems
Role-Based Access Control (RBAC) assigns users to roles, and each role is associated with permissions. This model is effective when user responsibilities are clearly defined and access requirements are relatively stable. For example:
In a project management tool, an Admin can create, update, and delete project configurations, while a Viewer can only read project details.
In a cloud management system, an Owner can manage billing and account settings, whereas an Editor can deploy and modify resources but cannot access billing information.
RBAC’s simplicity enables fast onboarding and predictable permission management, but it struggles with complex and evolving environments. When systems span multiple teams, geographies, or tenants, RBAC can lead to role proliferation (a.k.a. role explosion), where dozens or hundreds of roles are required to capture nuanced access conditions. This complexity not only increases administrative overhead but also raises the risk of unintended privilege escalation and complicates audit and compliance processes.
ABAC: Attribute-Based Access Evaluation
Attribute-Based Access Control (ABAC) evaluates access dynamically based on a combination of user attributes, resource metadata, and environmental/contextual parameters. ABAC is ideal for systems that require fine-grained, context-sensitive access control, especially in regulated industries and multi-tenant architectures. Examples include:
In a banking application, a Compliance Officer may access transaction records only for accounts they manage, while HR personnel are denied access to financial data.
In a hospital system, a cardiologist can access patient records for cardiology cases, but not oncology or neurology patients.
Time-bound or location-bound access, e.g., a report is readable only during business hours or only from a corporate network, can be enforced without creating new roles.
ABAC reduces the need for creating numerous specialized roles because permissions are calculated at runtime, considering multiple conditions. However, ABAC introduces policy complexity: each new attribute or condition adds evaluation logic, increasing the challenge of testing, updating, and auditing policies. Careful schema design, attribute validation, and policy governance are critical for ABAC to scale safely.
RBAC vs ABAC at a Glance
Feature
RBAC
ABAC
Decision Basis
Role membership
User attributes, resource metadata, contextual/environmental conditions
Granularity
Coarse, permissions tied to roles
Fine-grained, context-aware, dynamic
Flexibility
Limited, requires new roles for nuanced access
Policies can adapt to multiple conditions without creating new roles
Complexity
Low initially; grows with role proliferation
Higher; requires attribute management and policy evaluation logic
Auditability
Straightforward; roles and permissions
Complex; requires logging decisions based on multiple attributes and contexts
RBAC gives you predictable guardrails. ABAC adds context, like “only engineers in the same department can edit logs after hours.” The trouble starts when those rules get baked directly into code. An API checks if role == "admin", a middleware checks department, and the frontend hides a button. Six months later, one service blocks the action, another quietly allows it, and nobody can explain why during an audit.
Beyond Access Control: PBAC as the Authorization Control Plane
PBAC solves this problem of fragmented authorization logic by externalizing access control into a centralized policy engine. Instead of embedding conditions across controllers and interfaces, each service makes a standard authorization query: isAllowed(user, action, resource).
The policy engine evaluates roles, attributes, and contextual data against defined policies and returns a consistent, auditable decision. This model provides authorization as a service, ensuring uniform and maintainable access control across all systems.
When applied, those policies capture conditions that would otherwise lead to role sprawl or scattered logic:
Finance systems often need fine-grained clearance rules. Instead of creating a special “AfterHours-ReportViewer” role, PBAC expresses it directly:
allow(user, "view", report) if user.clearance >= 5 and
report.type == "EOD" and
request.time >= "18:00";
Multi-tenant SaaS platforms need regional separation for compliance. Rather than duplicating roles per region, PBAC encodes the condition once:
allow(user, "read", tenantData) if user.role == "support" and
user.region in tenantData.allowedRegions;
Collaboration tools must combine ownership and sharing. Instead of complex role hierarchies, PBAC states the logic explicitly:
allow(user, "edit", doc) if user == doc.owner or
user in doc.collaborators;
Because policies live outside application code, they can be tracked in version control, reviewed via change requests, tested in CI, and rolled out like config. Change the rule once, and every service enforces it immediately. Decision logs give you exact “who did what and why” visibility. And instead of creating endless roles for edge cases, you capture the conditions directly in policy.
PBAC doesn’t replace RBAC or ABAC; it enhances their reliability. Roles still group users, attributes still provide flexibility, but PBAC ensures those rules are applied the same way across APIs, UIs, and background jobs. For large-scale or regulated systems, that shift, from scattered checks to centralized, declarative policies, is what makes authorization consistent, auditable, and easy to evolve.
Architecture: How PBAC Enforces RBAC & ABAC Consistently
In most SaaS systems, authorization logic spreads everywhere.
An API route checks role == "admin".
Middleware validates department == "Engineering".
The frontend hides buttons based on user.clearance.
Individually, these checks work, but when applied across multiple services, they tend to drift. One endpoint denies an action, another quietly allows it, and no one can explain why during an audit.
PBAC fixes this by making all services call the same enforcement layer. Instead of scattering conditions across controllers and UIs, you centralize them in a policy engine and ask:
That one decision point enforces RBAC role rules, ABAC attribute checks, and any resource-specific policies you’ve defined.
Flow in a SaaS App
The workflow below illustrates the high-level architecture of the access control system:
Here’s a detailed flow of how access control is enforced at each step:
Authentication (Identity Provider)
A user signs in through Auth0 or OIDC.
The IdP issues a JWT that includes their ID, role, and optional attributes (e.g. { role: "collaborator", department: "Engineering", clearance: 3 }).
Policy Engine (Oso)
Every request runs through Oso.
The engine applies your Polar policies: RBAC rules (roles -> permissions), ABAC checks (clearance vs. sensitivity), or per-resource overrides.
Output is always the same boolean: allow or deny.
Backend Enforcement (Next.js API Routes)
Each route calls authz.isAllowed() before touching the database.
Example: POST /products checks that the user has "create" permission. If not, it fails fast with 403 Forbidden.
Frontend Adaptation (Next.js + Tailwind)
The UI queries the same engine (or uses cached decisions).
Buttons, forms, and routes are shown or hidden based on the policy decision.
Example: a Viewer never sees “Edit” or “Delete,” while an Owner does.
Permission Store (MongoDB)
Stores users, roles, attributes, and per-resource grants.
Oso pulls from this store when applying policies, ensuring consistent results across API and UI.
Access Control in Action: From RBAC and ABAC to Centralized Policy Enforcement
To see how this works in implementation, imagine a small product management app where different people sign up and start working with resources. Some users are assigned fixed roles, others carry specific attributes, and still others gain permissions through ownership. RBAC and ABAC describe the rules of access, but enforcement becomes messy when those rules are spread across the API, middleware, and frontend. This is exactly where PBAC, implemented here in Polar with Oso as a permission layer, provides a single point of evaluation.
Roles as Guardrails (RBAC)
When Shan signs up, his JWT token includes:
That role maps directly to permissions in a Polar policy:
actor User {}
resource Product {
roles = ["owner", "collaborator", "viewer"];
permissions = ["read", "update", "delete"];
# role inheritance
"viewer"if"collaborator";
"collaborator"if"owner";
# permissions
"read"if"viewer";
"update"if"collaborator";
"delete"if"owner";
}
RBAC is simple and fast, but breaks down once you need rules that depend on context.
Attributes as Context (ABAC)
Bob signs up without a role but with attributes:
When Alice creates Product A, she tags it with metadata:
ABAC rules evaluate those attributes:
user_department(_: User, _: String);
user_clearance(_: User, _: Integer);
product_department(_: Product, _: String);
product_sensitivity(_: Product, _: Integer);
has_permission(user: User, "update", product: Product) if user_department(user, dept) and
product_department(product, dept) and
user_clearance(user, c) and
product_sensitivity(product, s) and
c >= s;
This is more flexible than roles, but managing many attributes across services is error-prone.
Ownership and Sharing (Resource-Level Rules)
When Alice creates Product A, she automatically becomes its owner:
actor User {}
resource Product {
roles = ["owner", "reader", "editor", "deleter", "sharer"];
permissions = ["read", "update", "delete", "share"];
# Track who created the product
relations = { creator: User };
# Ownership: creator automatically becomes owner
"owner"if"creator" on resource;
# Owner inherits all roles
"reader"if"owner";
"editor"if"owner";
"deleter"if"owner";
"sharer"if"owner";
# Map roles to permissions
"read"if"reader";
"update"if"editor";
"delete"if"deleter";
"share"if"sharer";
}
Here’s how the flow is:
1. When a product is created
Your application sends a relational fact linking the creator (Alice) to the new product:
rel(product_a, "creator", alice)
The policy says "owner" if "creator" on resource;
That means Alice automatically gets the owner role on product_a.
Because "owner" inherits all other roles, Alice has every permission:
read
update
delete
share
When Alice shares the product with Bob
Instead of granting permissions directly, your app assigns Bob one or more roles on the product by sending role facts:
role(bob, "reader", product_a) # Bob can read
role(bob, "editor", product_a) # Bob can update
role(bob, "deleter", product_a) # Bob can deleterole(bob, "sharer", product_a) # Bob can share
Each of these role assignments maps directly to the corresponding permission inside the Product resource block.
For example:
role(bob, "reader", product_a) : allows Bob to read product_a
role(bob, "editor", product_a) : allows Bob to update product_a:
Centralized Enforcement with Policies
Here’s the pivot: instead of scattering checks, every part of the app asks the same question:
PBAC ties it all together, not as another model, but as the enforcement layer.
And in this app, Oso is the engine making PBAC practical; policies are written in Polar, versioned in Git, tested in CI, and enforced everywhere through one isAllowed() call.
Applying RBAC and ABAC Through PBAC
RBAC and ABAC define the logic of authorization, but without a consistent policy layer, those rules are often duplicated across APIs, services, and frontends. PBAC (Policy-Based Access Control) solves this by centralizing RBAC and ABAC rules into policies that can be versioned, reviewed, tested, and enforced uniformly. This ensures that the same logic is applied everywhere, reducing errors and making audits reliablet. For example, one service might enforce “Managers can approve invoices up to $10,000,” while another accidentally enforces “Managers can approve all invoices.” Drift like this makes audits unreliable and security gaps inevitable.
This is where PBAC fits in: at the point where you need to ensure rules are applied uniformly across a distributed system. PBAC decouples policy logic from application code and centralizes it into a single decision point, such as an authorization service (isAllowed(user, action, resource)). Instead of each service re-implementing RBAC or ABAC checks, they all delegate the decision to PBAC.
By decoupling logic this way, PBAC provides:
Consistency: RBAC and ABAC rules are written once and enforced everywhere.
Auditability: every authorization decision records which policy allowed or denied it.
Version control: policies live alongside code, can be reviewed in PRs, and tested in CI.
Scalability: as teams add services, they don’t need to reimplement rules; they consume the central policy engine.
PBAC isn’t a separate authorization model like RBAC or ABAC. Instead, it’s an approach that organizes rules (whether role-based, attribute-based, or a mix) into policies that are managed centrally. By externalizing rules into policies, PBAC ensures consistent enforcement across services, APIs, and UIs, reducing duplication and preventing inconsistencies.
The real decision, then, is not “Which model should I use?” but “What mix of RBAC and ABAC does my system require, and how will PBAC enforce those rules consistently over time?”
By this point, it’s clear that RBAC and ABAC define the logic of access, while PBAC provides the control plane that makes those rules consistent, auditable, and scalable.
So how does this work in production? Let’s look at a few real-world examples where organizations hit the limits of scattered RBAC/ABAC, and why they turned to a PBAC approach to bring order back into authorization.
Examples: How Teams Built Unified Authorization Control Planes
While this post focuses on RBAC, ABAC, and PBAC, most production-grade authorization systems also incorporate Relationship-Based Access Control (ReBAC), a model that defines permissions based on relationships between entities (for example, manager-of, member-of, or owner-of). Here, PBAC unifies all three: RBAC for roles, ABAC for context, and ReBAC for relationships, evaluated together by a single policy engine.
Below are three production deployments where engineering teams moved from fragmented role checks to a PBAC control plane using Oso. Each shows how structured, policy-based authorization simplifies complexity and scales cleanly across products and architectures.
Oyster: Global HR, Sensitive Data, Many Jurisdictions
Context: Oyster operates a global employment platform in over 180 countries, managing payroll and sensitive PII, as well as internal admin and customer-tenant boundaries.
Constraints. From day one, Oyster required RBAC + ReBAC + ABAC to model hierarchical roles, cross-functional access, and region-specific compliance. Its in-house system soon became brittle, with manual role assignment, duplicated checks, and months-long engineering cycles to add or adjust permissions.
With Oso, Oyster decoupled authorization into Polar policies managed in Oso Cloud. Policies are versioned, reviewed, and deployed independently of app code, with all checks routed through a centralized decision service. Roughly 90 policy files govern more than 10,000 users (internal + external). Oso Cloud handles global, low-latency authorization (< 10 ms) while maintaining regional data-sovereignty compliance.
The end result was:
8× faster role implementation through reusable policy patterns.
Flexible addition of roles and conditions without touching app code.
Consistent, auditable enforcement across services and jurisdictions.
Webflow: Fine-Grained Enterprise Permissions Without Drag
Context. As Webflow expanded into the enterprise segment, customers demanded granular permissions at the level of CMS collections, pages, locales, and product lines.
Constraints. Its JSON-based, database-tied model didn’t scale. Performance degraded under load, caching was inconsistent, and developer effort ballooned, resulting in weeks lost on rejected authorization changes. Scattered logic across services made reasoning and audits difficult.
Webflow integrated Oso to unify RBAC, ABAC, and ReBAC in one system. Resource blocks define all roles, permissions, and relationships for each resource type, consolidating what had been duplicated logic. Policies are written in Polar and integrated into developer workflows through Oso’s CLI, IDE, and CI tools. The decision engine delivers sub-10 ms checks with near-continuous uptime, and fallback nodes ensure authorization continuity during network outages.
The outcome:
Clean separation of concerns, authorization treated as infrastructure.
Safer, faster policy iterations with minimal regressions.
Unified, fine-grained control aligned with enterprise requirements.
Productboard: Centralized Authorization for Microservices and AI
Context. Productboard serves over 6,000 companies and has transitioned from a monolith to microservices while launching AI-driven products requiring user-scoped visibility.
Constraints. The legacy Ruby authorization layer used hardcoded if checks and couldn’t express custom roles, ReBAC, or field-level rules. Consistency across services and latency at scale were key blockers.
Productboard centralized all authorization logic in Oso Cloud. Each microservice delegates authorize() checks to Oso, which evaluates policies against mirrored relationship data. The same PBAC policies govern both human and AI access flows. The stress tests at enterprise scale, millions of data points per tenant, showed Oso was the only system to meet load requirements with zero errors. In production, authorization runs at < 10 ms p95, ~ 50 ms p99.9, and 99.991 % uptime. AI workflows (RAG-based) filter embeddings and search results through Oso, ensuring AI agents see only authorized data.
The Outcome:
2–3× faster enterprise readiness through centralized policy logic.
A single source of truth for permissions across microservices and AI.
New revenue opportunities via granular, policy-driven governance with minimal engineering overhead.
The Pattern Behind Scalable Authorization
In each of these architectures above, expressing roles, attributes, and relationships declaratively and evaluating them through a single policy engine made authorization deterministic, testable, and observable. PBAC doesn’t replace RBAC or ABAC; it composes them, often extending to ReBAC to model ownership and delegation semantics.
Oso implements this composition at the application layer, where authorization logic must align with domain models and service boundaries. By contrast, managing distributed Rego policies in OPA across many microservices introduces drift, duplicated logic, and operational overhead. Oso’s centralized decision engine eliminates that fragmentation, enforcing consistent authorization semantics across APIs, services, and UIs while maintaining low latency and isolation guarantees..
Oso as a Policy-Based Access Control (PBAC) Layer
The key challenge in authorization is not whether you use RBAC or ABAC; it’s how you enforce those rules consistently without scattering them across your application. That’s what a policy-based approach (PBAC) solves: you decouple authorization logic from application code, write it once as policies, and enforce it everywhere with a single decision point.
Oso gives you that layer through Polar, a policy language designed for application authorization. Polar has first-class primitives for actors, resources, roles, permissions, and relations — the things you actually work with when building app auth. Instead of hardcoding if (role === "admin") checks, you write:
One block defines your entire role, including permission mapping and inheritance. Instead of repeating role checks across controllers, the logic is centralized in policy.
ABAC in Oso
actor User {}
resource Document {
permissions = ["read", "edit", "delete"];
# ABAC: decision based on a scalar attribute
"read"if resource.is_public == true;
}
Rules come from attributes: a document is readable by anyone if its is_public field is set to true. This is an ABAC (Attribute-Based Access Control) policy expressed in Polar.
Per-Resource Policies in Oso
actor User {}
resource File {
permissions = ["read", "delete"];
relations = { owner: User };
# role-to-permission sugar
"read"if"owner";
"delete"if"owner";
# direct grants
"read"if granted(actor, "read", resource);
"delete"if granted(actor, "delete", resource);
}
Here, ownership and explicit grants are pulled from your DB and enforced as policies. Alice might have delete on File A but only read on File B. This is fine-grained, instance-level control without one-off checks in your code.
Developer Workflow with Oso
To manage RBAC, ABAC, and PBAC effectively, Oso provides tooling across the full dev cycle:
Rules Workbench: Use Oso Workbench to model and test Polar rules interactively. Developers can simulate isAllowed(user, action, resource) calls and see which rules match.
Local Dev Server: Run the Oso local server to evaluate policies against sample data before deploying. This ensures Polar rules behave as expected in your environment.
Pre-commit Hooks + CI: Integrate Oso policy linter/tests in Git hooks and CI pipelines. This automatically blocks invalid syntax, untested rules, or overly permissive policies before they merge.
Migration Tools: Use Oso Cloud migration tooling to roll out new or updated Polar policies safely. You can stage, test, and incrementally apply changes without breaking production.
Explain/Debug: With Oso’s explain mode, developers can trace why authorize() returned true or false, showing which rule fired or why access was denied.
This workflow ensures that policy complexity scales safely with your application as you start adding more features and complexities.
Conclusion: Authorization as a Declarative Control Plane
Authorization scales only when it’s built into the system architecture instead of being scattered through service code. PBAC defines that boundary: policies are treated as data and evaluated through a single decision layer. This makes access decisions consistent, observable, and verifiable.
Oso implements this model within the application layer, where authorization must run close to domain data and context. Instead of maintaining separate Rego policies for each microservice, Oso provides a unified policy plane with defined semantics, version control, and low-latency evaluation.
Consistency in authorization comes from consolidation, not duplication. PBAC, implemented through Oso, establishes that boundary and enforces it uniformly.
FAQs
Which is better, ABAC or RBAC?
RBAC is usually preferred for its simplicity. It works well when roles and permissions are stable. ABAC introduces flexibility but also more moving parts. Access is based on user, resource, and environment data, which adds overhead as systems and policies grow.
Is RBAC part of ABAC?
No. RBAC assigns access through predefined roles. ABAC uses attributes, user details, resource type, department, or clearance level to decide access. ABAC can model RBAC behavior, but it’s a broader, data-driven approach.
What is the difference between PBAC and RBAC?
RBAC grants access through fixed role-to-permission mappings. PBAC defines policies that combine roles, attributes, and conditions to make runtime access decisions. RBAC works for predictable structures; PBAC handles complex or dynamic environments where access logic changes often.
Is IAM RBAC or ABAC?
IAM is a framework for managing identities, credentials, and permissions. RBAC and ABAC are models implemented within IAM systems to define how access decisions are made.
RBAC (Role-Based Access Control) shifts the responsibility of access management from individual users to reusable roles. Instead of attaching dozens of permissions directly to each user, you assign them to a role like admin, contributor, or viewer, each with its own set of permissions, which keeps access predictable and consistent as systems grow.
RBAC has use cases across industries like healthcare, banking, cloud, SaaS, and Kubernetes, helping secure sensitive data through least-privilege access control. Doctors can update patient records, auditors in banks have read-only access, and developers in cloud setups are limited to scoped services—each role enforces clear boundaries.
RBAC not only secures sensitive data but also prevents cross-tenant access in SaaS platforms and reduces risks of misconfiguration in large-scale infrastructure. By structuring roles carefully, organizations maintain predictability and avoid accidental privilege escalation.
The mechanics of RBAC vary by system but follow the same principle: permissions are mapped to roles, then enforced via queries, IAM policies, or Kubernetes bindings. Whether database-level row filtering or JSON policy in AWS, the goal is consistent authorization.
Authorization providers like Oso make real-world RBAC setups easier by providing declarative role definitions, drag-and-drop assignments, and built-in testing. This removes the need for hand-coded policies in languages like Rego (policy language used by the Open Policy Agent (OPA) to define and enforce authorization rules) and ensures authorization stays secure, scalable, and maintainable.
RBAC, is one of the most widely used authorization models in software systems like finance, HR, CRMs, etc. Instead of attaching permissions directly to users, RBAC assigns permissions to roles, and users assume those roles. This indirection simplifies access management and keeps authorization consistent as applications scale.
Common role examples include:
Project Manager: Create tasks, assign work, and close projects
Contributor: Create and update tasks
Viewer: Read project status but cannot edit
For example, in a project management tool like Jira or Asana, you might define a project_manager role with permissions to create tasks, assign work, and close projects. Team members take the contributor role, which only allows creating and updating tasks. A client user might be assigned a viewer role, restricted to reading project status but not editing it. By modeling access this way, you don’t manage permissions for every individual user; you manage roles and apply them across the system.
The importance of RBAC becomes clear in multi-tenant and collaborative systems like project management tools, customer support platforms, or SaaS CRMs. In a customer support application, one user could be a support_manager with permissions to assign tickets and update workflows, while another is a support_agent limited to responding to tickets. An account_admin might configure organization-wide settings, and a billing_viewer could access invoices without the ability to change subscription details.
The problem is that RBAC often becomes hard to maintain over time. Teams usually begin with two roles, admin and user, but soon add exceptions like read_only_admin or limited_user, leading to what is known as role explosion. Permissions end up scattered across the codebase, and developers can no longer confidently answer, Who has access to what?
In this post, we will examine RBAC examples, hierarchical roles, resource-scoped roles, action-constrained roles, and hybrid models that address these challenges and keep role systems manageable.
Top 5 RBAC Examples In the Real World
RBAC (Role-Based Access Control) is best understood not through theory but by looking at how it works in real-world scenarios. Instead of abstract policies or technical rules, it is the practical use cases that show how roles and permissions are assigned to manage access effectively.
Before moving forward, let’s understand two important terms often used in RBAC implementations: Polar and Rego.
Polar is the declarative policy language used by Oso, an open-source authorization framework. It allows developers to define access control logic in a structured and readable way. With Polar, you can express who can perform what action on which resource using simple rules. It integrates directly into application code, making authorization decisions consistent and easy to maintain.
Rego, on the other hand, is the policy language used by Open Policy Agent (OPA). It’s a more general-purpose language that can enforce policies across systems, like APIs, CI/CD pipelines, Kubernetes clusters, or microservices. Rego policies define rules for evaluating requests and returning authorization decisions, making it suitable for large-scale, distributed environments.
Looking at such examples helps clarify how permissions, roles, and responsibilities translate into practice. So let’s start one-by-one:
RBAC in Healthcare Systems
Healthcare applications need a clear separation of responsibilities between medical, financial, and administrative staff. Doctors update patient records, nurses maintain vitals and medication details, receptionists handle appointments, and administrators manage system settings.
In the healthcare sector, organizations like Tamrhave used Oso's authorization platform to secure regulated, high-sensitivity data in the cloud. By implementing fine-grained access controls, Tamr enables users to access only the data pertinent to their roles, thereby reducing the risk of unauthorized access and ensuring compliance with healthcare regulations.
Similarly, Kaleidoscope, a biotech R&D platform, utilizes Oso to manage access to sensitive research data. Their platform allows lab and computational teams to plan and track scientific work, integrating data and streamlining collaboration, all while maintaining strict access controls to protect intellectual property and comply with industry standards.
These examples demonstrate how RBAC, when implemented effectively, can protect sensitive healthcare data, ensure compliance with regulations, and streamline workflows by providing appropriate access to users based on their roles.
Role
Permissions
Doctor
View/update patient records, prescribe meds
Nurse
Update vitals, administer treatments
Receptionist
Schedule appointments, manage patient intake
Administrator
Manage users, audit logs, system settings
A common implementation is role–permission mapping in the database. When a user calls an API endpoint, the system validates whether the role tied to that user includes the requested permission.
With Oso Polar policies, we can define these roles and their permissions directly in code. Instead of relying on SQL queries to validate access, the policy itself enforces which actions each role can perform.
When an API call is made, Oso evaluates whether the requesting user has the right role to perform that action. For instance, a receptionist cannot update patient records because the "update_patient_record" permission is never linked to their role. This ensures least-privilege access without manually writing SQL checks.
RBAC in Banking Applications
Banking applications require strict separation of duties to prevent fraud and ensure compliance with financial regulations. Customers, tellers, managers, and auditors operate in the same system but must have carefully bounded access.
For example, customers should never query or update another user’s account, while tellers can process transactions but not authorize unusually large ones. Managers handle escalations and approvals, and auditors must review immutable records without the ability to alter them.
Here’s an example of what roles and permissions might look like in a typical banking application. This table illustrates how different roles are defined to control access to sensitive financial operations and ensure secure handling of customer data:
Role
Permissions
Customer
View balance, transfer funds, download statements
Teller
Process deposits/withdrawals, verify customer identity
Manager
Approve large transactions, manage teller activities
Auditor
Read-only access to all financial logs
We’ll implement this RBAC in Polar using Oso to define these roles and their permissions directly in code instead of relying on row-level database security. Consider this policy:
In this setup, customers can view their balance, transfer funds, and download account statements within their own accounts. Tellers handle deposits, withdrawals, and customer verification but cannot approve high-value transactions. Managers have the authority to approve those transactions and supervise teller activities, adding a layer of oversight. Auditors maintain read-only access to financial logs for compliance checks without the ability to modify records.
Instead of scattering access rules across SQL queries, Oso centralizes these permissions in the policy. For example, when a teller attempts to approve a large transaction, Oso will deny the request because "approve_large_transaction" is only mapped to managers. This makes access decisions clear, auditable, and consistent across the entire banking system.
RBAC in Cloud Infrastructure (AWS IAM)
Cloud environments demand strict access segmentation because misconfigured permissions are one of the most common causes of breaches. In AWS, Identity and Access Management (IAM) enforces access through roles and policies.
Role
Permissions
Developer
Manage Lambda, CloudWatch logs; no IAM modifications
DevOps Engineer
Provision/manage EC2, ECS, EKS, CloudFormation
Auditor
Read-only access across all AWS resources
Administrator
Full access to IAM, billing, and all AWS services
Similarly, with Oso Polar, we can represent cloud personas such as developers, DevOps engineers, auditors, and administrators with scoped permissions that mirror least-privilege IAM setups.
Developers can deploy and debug workloads by managing Lambda functions and viewing logs but have no access to IAM or billing. DevOps engineers manage infrastructure components such as EC2, ECS, EKS, and CloudFormation stacks without account-level governance rights. Auditors operate with read-only access to review system activity, while administrators retain full privileges, including IAM and billing, forming the highest trust boundary.
So, by centralizing access rules in Oso, permissions become explicit, consistent, and auditable across the entire cloud environment. For example, a developer attempting to modify IAM policies will be denied because "manage_iam" is tied exclusively to the administrator role. This prevents privilege creep and enforces least-privilege access in the same spirit as AWS IAM’s JSON policies, but expressed at the application layer for clarity and maintainability.
RBAC in Multi-Tenant SaaS Platforms
In SaaS environments, RBAC must not only manage user actions but also enforce strict tenant isolation. A contributor from one company should never gain access to another company’s data, even if their role name matches. Roles such as tenant admin, team lead, contributor, and viewer must always be scoped to the tenant ID at both the application and authorization layers.
With Oso Polar policies, we can model this tenant-aware RBAC directly. Each role is defined relative to a tenant resource, ensuring that permissions cannot leak across organizational boundaries.
Role
Permissions
Tenant Admin
Manage users, roles, billing, and settings for their own tenant
Team Lead
Create and manage projects, assign contributors within their tenant
Contributor
Update project tasks, add comments, upload files within assigned projects
Viewer
Read-only access to projects and tasks; cannot modify any data
Have a look at the example policy of a Multitenant SaaS environment in Polar:
Tenant scoping is enforced at runtime by combining user identity and tenant claims, often carried in JWT tokens. Middleware verifies the token, extracts the tenant ID, and ensures that every Oso allow check is executed in the context of the correct tenant resource.
For example, a contributor from tenant=acme_corp can update tasks in their own projects, but the same role tied to another tenant, such as tenant=globex_inc, has no access to Acme’s data. This guarantees tenant isolation while still supporting flexible, role-based permissions inside each organization.
RBAC in Kubernetes Cluster Management
Kubernetes includes Role-Based Access Control (RBAC) as a first-class feature of the API server, allowing administrators to define which users or service accounts can perform specific actions on resources. This prevents accidental disruptions, such as a developer deleting workloads or modifying cluster-wide configurations.
Common roles include the cluster admin, who has unrestricted access across all namespaces and resources; the namespace admin, who manages deployments, services, and configurations within a single namespace; the developer, who is restricted to basic workload creation in their assigned namespace; and the auditor, who is limited to read-only visibility of resources, logs, and events.
Role
Permissions
Cluster Admin
Full access across all namespaces, nodes, policies, and API resources
Namespace Admin
Manage workloads, deployments, services, and config within a namespace
Developer
Create and view pods, deployments, or config in their assigned namespace
Auditor
Read-only access to cluster resources, logs, and events
This RBAC structure can be expressed in Oso Polar, modeling clusters and namespaces as resources, with roles scoped to each resource. Cluster-level roles like cluster_admin and auditor provide broad privileges, while namespace-specific roles like namespace_admin and developer allow finer-grained access.
Roles can also inherit permissions from higher-level resources, ensuring that a cluster admin automatically gains management permissions in all namespaces. This approach mirrors Kubernetes’ native RBAC system while using Oso’s declarative, testable authorization model.
actor User {}
resource Cluster {
roles = ["cluster_admin", "auditor"];
permissions = ["full_access", "read_only"];
"full_access"if"cluster_admin";
"read_only"if"auditor";
}
resource Namespace {
roles = ["namespace_admin", "developer", "auditor"];
permissions = ["manage_workloads", "create_pods", "view_resources", "list_pods"];
relations = { cluster: Cluster };
"manage_workloads"if"cluster_admin" on "cluster";
"view_resources"if"auditor" on "cluster";
"manage_workloads"if"namespace_admin";
"create_pods"if"developer";
"list_pods"if"developer";
"view_resources"if"auditor";
"auditor"if"developer";
"developer"if"namespace_admin";
}
# Example Test: Simulate users performing actions
test "developer can create and list pods in assigned namespace" {
setup {
has_role(User{"maria"}, "developer", Namespace{"dev"});
has_relation(Namespace{"dev"}, "cluster", Cluster{"prod"});
}
# Developer actions
assert allow(User{"maria"}, "create_pods", Namespace{"dev"});
assert allow(User{"maria"}, "list_pods", Namespace{"dev"});
assert_not allow(User{"maria"}, "manage_workloads", Namespace{"dev"}); # Not allowed
}
test "auditor can view resources but not manage workloads" {
setup {
has_role(User{"stephan"}, "auditor", Namespace{"dev"});
has_relation(Namespace{"dev"}, "cluster", Cluster{"prod"});
}
assert allow(User{"stephan"}, "view_resources", Namespace{"dev"});
assert_not allow(User{"stephan"}, "create_pods", Namespace{"dev"});
assert_not allow(User{"stephan"}, "manage_workloads", Namespace{"dev"});
}
In this Polar example, maria is a developer who can create and list pods in her assigned namespace but cannot manage workloads, while stephan is an auditor who can view resources but cannot modify or create workloads. Relations link namespaces to clusters, enabling inheritance of cluster-level permissions and ensuring consistent enforcement of least privilege. This model mirrors Kubernetes RBAC behavior in a declarative, testable, and maintainable way.
Challenges with RBAC in Rego
While Role-Based Access Control provides structure and scalability for authorization, implementing it in real-world applications is rarely straightforward. Even experienced developers encounter hurdles when defining, maintaining, and enforcing roles and permissions across complex systems.
Policy Complexity and Syntax Errors
Writing RBAC policies directly in Rego can be error-prone. Small mistakes in indentation, variable naming, or logical operators can result in policies that fail silently or incorrectly deny access. Developers often spend hours debugging why a seemingly correct rule does not grant or restrict access as intended. As the number of roles, resources, and conditional rules grows, the policy code becomes harder to read, test, and maintain.
Example: A missing array index or a typo in a role name might allow a user to escalate privileges unintentionally. Debugging these subtle errors often requires inspecting the full evaluation trace of the Rego engine, which can be time-consuming.
In this case, the policy silently fails because "admins" does not match the actual role "admin". Instead of denying access cleanly, the rule never evaluates as expected, which can create confusion during testing.
Resource and Context Explosion
RBAC roles are static and don’t capture conditions like time, location, or environment. Without attributes layered on top, roles become either too permissive or too restrictive, making the access model misaligned with real-world requirements.
Example: A developer might have different roles for dozens of repositories, each with slightly different permissions. Without careful abstraction, adding a new repository or changing a permission could require updating multiple Rego rules, introducing the risk of inconsistencies.
Debugging User Reports of Wrong Access
A customer reports that a "project_admin" cannot create new projects. The developer inspects logs but finds no error, Rego simply evaluates the policy as false. To diagnose, they must run opa eval with full input JSON and inspect the trace output. This requires reconstructing the exact request context (user role, resource, action, tenant ID, time-based constraints), which is error-prone and slow under production pressure.
Tools like Oso are designed to simplify these challenges by providing built-in support for roles, hierarchies, and relationships. Instead of hand-coding every policy in a textual language, Oso uses Polar and provides a drag-and-drop, input-driven approach to define roles, permissions, and resource constraints.
Developers can configure roles and access rules using structured input values rather than manually writing full policy code. These definitions can then be applied directly in the application, reducing the risk of syntax errors and simplifying the process of scaling RBAC examples across multiple resources and environments.
Example: Implementing RBAC with Oso
Oso is an authorization framework designed to make access control easier to implement, maintain, and scale in applications today. Unlike hand-coded policies in Rego or custom checks scattered throughout application logic, Oso provides a centralized, declarative approach using its own policy language, Polar.
Oso allows you to define roles, permissions, and resource constraints in a way that is reusable, auditable, and directly enforceable in your app. Rather than manually writing long conditional statements, you describe what access looks like, and Oso evaluates these rules at runtime.
Let’s understand how to create an RBAC example in Oso:
Step 1: Define Roles and Resources
In the Rules Editor (Workbench mode), you start by selecting the type of resource (e.g., Item) and the actor type (User). Then, you add roles (like viewer or owner) and assign permissions to each role using a form-based interface with drag-and-drop menus.
This policy ensures that users with a given role automatically receive the correct permissions on the resource.
Step 2: Assign Roles to Users
After defining roles and permissions, you assign roles to individual users. Using a form-based interface with drag-and-drop menus, you add facts like:
has_role(User{"alice"}, "viewer", Item{"foo"});
has_role(User{"bob"}, "owner", Item{"foo"});
This visually maps users to roles on specific resources. Oso automatically integrates these assignments into the Polar policy.
Step 3: Make Authorization Decisions
Once roles and permissions are configured, you can check if a user can perform a specific action on a resource. For instance, check if alice has the view permission on Item: foo.
In the interface:
Select User: alice
Select Action: view
Select Item: foo
Click Check access
Oso evaluates the request against the policy and the assigned roles. The output will indicate whether the action is ALLOWED or DENIED, along with an explanation.
Step 4: Run Tests
The platform allows you to create and run tests to validate your RBAC setup. For example, you can assert:
After running the test, Oso shows results directly in the interface, confirming that the roles and permissions are correctly enforced.
Let’s see the dashboard of Oso here:
In this screenshot, the Oso Cloud Rule Editor is being used to model and test Role-Based Access Control (RBAC). A resource called Item is defined with two roles, viewer and owner, and two permissions, view and edit. The policy specifies that a viewer can only view an item, while an owner can both edit and view it (since owners inherit viewer privileges).
Users are then assigned roles on a specific resource: Alice is assigned the viewer role, and Bob is assigned the owner role on the same Item("example"). To validate these assignments, a test is created that checks different access scenarios. The assertions confirm that Alice can view but cannot edit, while Bob can both view and edit.
Since all assertions pass, the test shows that the RBAC rules are correctly enforced, preventing unauthorized actions and allowing legitimate ones. Essentially, Oso here is being used to write authorization policies, link roles to permissions, assign users to those roles, and verify that the system enforces the intended access boundaries.
Conclusion
Role-Based Access Control is a reliable framework for managing permissions by assigning them to roles rather than individual users. This approach simplifies access management, ensures consistency, and scales well across complex systems.
Real-world examples, from project management tools to code hosting platforms, show how users can hold different roles across resources, allowing precise control without administrative overhead.
RBAC can become complex as roles multiply, but hierarchical, resource-scoped, and hybrid RBAC-ABAC models help maintain clarity and security. Tools like Oso further simplify implementation by providing a centralized, declarative interface for defining roles, permissions, and constraints, along with built-in testing to verify access rules. Using structured RBAC models with such tools ensures predictable, secure, and maintainable access control in modern applications.
FAQs
What is Role-Based Access Control (RBAC) and why is it used?
RBAC (Role-Based Access Control) is an authorization model that assigns permissions to roles rather than individual users. Users assume these roles, which simplifies access management, ensures consistency, and reduces the risk of unauthorized access, especially in large or multi-tenant systems.
What is an example of an RBAC role?
A common RBAC role is Project Manager in a project management system. A Project Manager can create tasks, assign work, and close projects. Other roles might include Contributor (can create and update tasks) and Viewer (can only read project status).
What is the difference between an IAM role and RBAC?
IAM roles grant temporary, as-needed permissions in cloud environments, for example, a Lambda function assuming a role to perform a task. RBAC is a broader model where users are assigned roles with associated permissions, usually persistent, though ephemeral roles are possible. Essentially, IAM roles implement RBAC concepts but focus on temporary access.
What challenges can arise when using RBAC ? Can you combine and ABAC?
Over time, RBAC can lead to role explosion, where too many specialized roles are created. This makes it difficult to track who has access to what and can complicate permission management if not carefully maintained.
Access control is a cornerstone of application security, ensuring that users only access the resources they are authorized to use. Two widely adopted access control models are Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). While both models aim to secure systems and data, they differ significantly in how they assign and manage permissions.
In this article, we’ll explore the key differences between RBAC and ABAC, their use cases, and how to decide which model—or combination of models—might be the best fit for your organization. Whether you’re looking for a straightforward, role-based solution or a more flexible, attribute-driven approach, this guide will help you make an informed decision.
If you’re short on time, check out the TL;DR section or the video below for a quick summary of the main differences.
TL;DR: Quick Comparison of RBAC vs ABAC
Feature
RBAC (Role-Based Access Control)
ABAC (Attribute-Based Access Control)
How it works
Assigns permissions based on predefined roles (e.g., Admin, Editor, Viewer).
Grants or denies access based on user and resource attributes (e.g., location, time, or data sensitivity).
Best For
Organizations with stable, well-defined roles and straightforward access needs.
Less flexible, as permissions are tied to static roles.
Highly flexible, allowing for dynamic and context-aware access policies.
Complexity
Simple to implement and manage, but can lead to role explosion.
More complex to implement and manage due to the need for attribute definitions and policy configurations, but offers fine-grained control.
Granularity
Coarse-grained control based on roles.
Fine-grained control based on multiple attributes.
Use Case Example
A "Finance Manager" role grants access to budget reports.
A user can only access reports during business hours from a company-issued laptop.
What is RBAC?
Role-Based Access Control (RBAC) is a widely used authorization model that simplifies access management by grouping permissions into roles. A role is essentially a collection of permissions that defines what actions a user can perform on specific resources. For example, roles like "Admin," "Editor," or "Viewer" might grant varying levels of access to a system.
When a user is assigned to a role, they inherit all the permissions associated with that role. This makes RBAC an intuitive and efficient way to manage access, especially in organizations with well-defined job functions or hierarchical structures.
Key Features of RBAC:
Simplified Permission Management: Instead of assigning individual permissions to users, permissions are grouped into roles, which can then be used to assign multiple permissions to a user at once.
Ease of Implementation: RBAC is straightforward to set up and manage, making it a popular choice for organizations with stable, predictable access requirements.
Improved Security: By limiting access based on a user’s role, RBAC reduces the risk of unauthorized access and enforces the principle of least privilege.
Example Use Case:
Imagine a content management system where:
Admins can create, edit, and delete content.
Editors can modify existing content but cannot delete it.
Viewers can only read content.
By assigning users to these roles, the organization can efficiently manage access without needing to define permissions for each individual user.
Pros and Cons of RBAC:
Pros:
Easy to understand and manage.
Scales well for organizations with clear role definitions.
Reduces administrative overhead by grouping permissions.
Cons:
Less flexible for dynamic or complex environments.
Can become cumbersome if roles proliferate without proper management.
RBAC is often seen as a foundational model for access control. However, as we'll explore later, it can also be viewed as a specific implementation of Attribute-Based Access Control (ABAC), where the "role" is treated as just one of many possible attributes.
For a more detailed explanation of RBAC, including its implementation and use cases, check out our Role-Based Access Control guide.
What is ABAC?
Attribute-Based Access Control (ABAC) is an advanced authorization model that provides fine-grained access control by evaluating a variety of attributes. Unlike RBAC, which relies solely on roles, ABAC considers multiple attributes related to the user, the resource, and the environment to make access decisions.
Key Features of ABAC:
Granular Control: ABAC allows for dynamic access policies based on attributes such as user identity, role, department, location, time of access, and more.
Flexibility: This model supports complex scenarios where access needs to be adjusted based on changing conditions or contexts.
Dynamic Authorization: ABAC policies can be tailored to accommodate specific business rules, making it ideal for environments with evolving access requirements.
Example Use Case:
Consider a healthcare application where access to patient records is controlled based on:
User Role: Doctors and nurses have different levels of access.
Location: Access is granted only within the hospital network.
Time: Access is restricted to working hours.
By evaluating these attributes, ABAC can enforce nuanced access policies that adapt to the specific needs of the organization.
Pros and Cons of ABAC:
Pros:
Provides comprehensive and adaptable access control.
Supports complex policies that reflect real-world scenarios.
Enhances security by considering multiple factors in access decisions.
Cons:
Requires careful planning and management to implement effectively.
Can be more complex to set up compared to RBAC.
ABAC expands upon the basic principles of RBAC by incorporating attributes into the mix, allowing organizations to create more granular and dynamic authorization policies. This flexibility makes ABAC particularly suitable for environments where access needs are complex and subject to frequent changes.
While both RBAC and ABAC are powerful models for managing access, they each come with challenges that you should consider when deciding which to use.
Challenges with RBAC
Role Explosion:
In large organizations, the number of roles can grow exponentially as more granular permissions are needed. This "role explosion" makes managing roles and permissions increasingly complex and difficult to scale.
For example, a company with multiple departments may need separate roles for "Manager," "Team Lead," and "Employee" in each department, quickly leading to hundreds of roles.
Lack of Flexibility:
RBAC is rigid and works best in environments where roles and permissions remain stable over time. It’s not well suited for dynamic or context-specific access needs, such as granting access based on time, location, or project status.
Over-Permissioning:
Users are often assigned roles that grant more permissions than they actually need, increasing security risks. This happens because RBAC lacks the granularity to fine-tune access for specific scenarios.
Challenges with ABAC
Policy Complexity:
ABAC policies can become highly complex as they incorporate multiple attributes (e.g., user role, location, time, and resource sensitivity). Writing and maintaining these policies requires significant effort and expertise.
For instance, defining a policy that grants access only to "senior managers in the finance department during business hours" involves multiple attributes and conditions.
Performance Concerns:
Evaluating access requests in ABAC can be resource-intensive, especially when dealing with a large number of attributes or complex conditions. This can impact system performance, particularly in high-traffic environments.
Implementation Overhead:
Implementing ABAC requires a deeper understanding of the organization's data and workflows to identify the right attributes and conditions. This can make adoption slower and more challenging compared to RBAC.
RBAC vs. ABAC: Key Differences
Both Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) are widely used access control models, but they differ significantly in how they manage permissions. Understanding these differences can help you choose the right model for your organization’s needs.
1. How They Work
RBAC: Access is granted based on roles. Users are assigned predefined roles (e.g., "Admin," "Editor," "Viewer"), and permissions are tied to those roles.
ABAC: Access is granted based on attributes. These attributes can include user roles, resource types, environmental factors (e.g., time, location), or any other relevant criteria.
2. Flexibility
RBAC: Offers a simple and intuitive structure for managing access. It works well in environments where roles are stable and clearly defined.
ABAC: Provides dynamic and fine-grained control by evaluating multiple attributes. This flexibility allows ABAC to adapt to changing conditions and enforce nuanced access policies.
3. Complexity
RBAC: Easier to implement and manage because it relies on a straightforward role hierarchy. However, it can become cumbersome if too many roles are created.
ABAC: More complex to set up and maintain due to the need to define and manage multiple attributes and policies. This complexity is the trade-off for its adaptability and precision.
4. Use Cases
RBAC: A retail company assigns permissions based on job roles
Store managers can access sales reports and manage inventory.
Cashiers can process transactions but cannot access financial data.
ABAC: A healthcare system controls access to patient records
Doctors can access patient records only during their shifts and within the hospital network.
Nurses can view records for patients assigned to their care but cannot edit them.
Access is denied if the request comes from outside the hospital’s secure network.
When to Use RBAC vs ABAC
Choosing between Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) depends on your organization’s structure, security requirements, and the complexity of your access control needs. Each model has its strengths and is suited to different scenarios.
When to Use RBAC
RBAC is ideal for organizations with static access requirements and clearly defined roles. It works well in environments where simplicity and ease of management are priorities. Consider using RBAC if:
Your organization has stable roles: For example, a company where employees have fixed roles like "HR Manager," "IT Support," or "Sales Associate."
You need a straightforward implementation: RBAC is easier to set up and manage, especially for smaller teams or organizations with limited engineering resources.
Your access needs are predictable: If permissions rarely change or are tied directly to job functions, RBAC provides a reliable and efficient solution.
When to Use ABAC
ABAC is better suited for organizations with dynamic and complex access needs. It provides fine-grained control by evaluating multiple attributes, making it ideal for environments where access requirements frequently change. Consider using ABAC if:
Your organization requires granular control: For example, access policies need to account for attributes like user location, time of access, or the sensitivity of the resource.
You operate in a highly regulated industry: ABAC can enforce compliance by tailoring access policies to meet specific regulatory requirements (e.g., HIPAA, GDPR).
Your access needs are context-dependent: ABAC can dynamically adjust permissions based on real-time conditions.
Combining RBAC and ABAC for Better Authorization
At Oso, we recognize that modern organizations often require a combination of access control models to meet their unique needs. While RBAC and ABAC are widely used, many organizations benefit from a hybrid approach—combining the simplicity of RBAC with the flexibility of ABAC. For systems where relationships between entities play a key role, they can even incorporate ReBAC (Relationship-Based Access Control). Learn more about ReBAC and how it works here.
When implementing your hybrid model, start with RBAC to define broad permissions, then layer ABAC policies for dynamic access control. For example, assign a 'Team Member' role with baseline permissions and use attributes like project status or user location to refine access.
Why Use a Hybrid Approach?
A hybrid approach allows you to:
Simplify baseline access management: Use RBAC to define broad permissions based on roles, such as "Admin," "Manager," or "Employee."
Add granularity and adaptability: Layer ABAC on top of RBAC to refine access policies based on attributes like location, time, or resource sensitivity.
Balance ease of management with precision: By combining the two models, you can avoid the complexity of managing numerous roles while still enforcing dynamic, context-aware access policies.
This approach is particularly useful in environments where:
Roles alone are insufficient: For example, when access needs to account for real-time conditions or regulatory requirements.
Flexibility is critical: Organizations with dynamic access needs, such as global enterprises or industries with strict compliance standards, benefit from the adaptability of ABAC.
Example Use Cases for a Hybrid Approach
Enterprise with Regional Restrictions
RBAC: Assign employees roles like "Regional Manager" or "Team Lead."
ABAC: Enforce additional policies to restrict access to data based on the user’s location, ensuring compliance with regional regulations.
Healthcare System
RBAC: Define roles such as "Doctor," "Nurse," and "Administrator."
ABAC: Add attributes to control access to patient records based on the user’s shift hours, department, and the sensitivity of the data.
SaaS Application
RBAC: Assign roles like "Admin," "Editor," and "Viewer" to manage baseline permissions.
ABAC: Use attributes like subscription tier, account status, or geographic location to customize access for specific users.
How Oso Supports Hybrid Models
Implementing a hybrid model can seem daunting, but Oso’s Authorization as a service platform is designed to make it seamless, combining the simplicity of RBAC, the flexibility of ABAC, and even the relationship-driven granularity of ReBAC. With Polar, Oso’s declarative configuration language for authorization, you can define and enforce both role-based and attribute-based logic in a single policy, ensuring efficient and scalable access control.
By adopting a hybrid approach, organizations can achieve the best of both RBAC and ABAC, addressing real-world challenges while maintaining security and flexibility.
Example: Using Polar to Implement a Hybrid Model
Let’s say you’re building an application for a project management platform. You want to combine RBAC, ABAC, and ReBAC to manage access to project resources. Here’s how you could do it with Oso and Polar:
RBAC for Baseline Permissions:
Define roles like "Project Manager," and “Member."
Use Polar to write rules that grant basic permissions based on these roles. For example:
# Define Actor (User)
actor User {}
# Define Resource (Project)
resource Project {
permissions = ["read", "update", "delete", "member.add", "member.remove"];
roles = ["member", "project_manager"];
# Role permissions
# project managers can do everything members can do
"member" if "project_manager";
# project manager permissions
"delete" if "project_manager";
"member.add" if "project_manager";
"member.remove" if "project_manager";
# member permissions
"read" if "member";
"update" if "member";
}
ABAC for Attribute-Based Refinements:
Add attributes like project status (e.g., "Active" or "Archived") and user location.
Refine access policies based on these attributes. For example:
# Define Actor (User)
actor User {}
# Define Resource (Project)
resource Project {
permissions = ["read", "update", "delete", "member.add", "member.remove"];
roles = ["member", "project_manager"];
# Attribute-based permissions
# All users can read public projects
"read"if is_public(resource);
# Role-based permissions
# project managers can do everything members can do"member"if"project_manager";
# project manager permissions
"delete"if"project_manager";
"member.add"if"project_manager";
"member.remove"if"project_manager";
# member permissions
"read"if"member";
"update"if"member";
}
ReBAC for Relationship-Based Control:
Incorporate relationships between users and resources, such as team assignments or ownership.
Use Polar to enforce permissions based on these relationships. For example:
# Define Actor (User)
actor User {}
# Define Resource (Team)
resource Team {
roles = ["member"];
}
# Define Resource (Project)
resource Project {
permissions = ["read", "update", "delete", "member.add", "member.remove"];
roles = ["member", "project_manager"];
# A project can be associated with a team
relations = {team: Team};
# Relationship-based permissions
# Members of a team that owns a project can view the project
"read"if"member" on "team";
# Attribute-based permissions
# All users can read public projects
"read"if is_public(resource);
# Role-based permissions
# project managers can do everything members can do"member"if"project_manager";
# project manager permissions
"delete"if"project_manager";
"member.add"if"project_manager";
"member.remove"if"project_manager";
# member permissions
"read"if"member";
"update"if"member";
}
By combining these models, you can create a powerful and flexible authorization system that meets the needs of your application.
Why Use Oso for Hybrid Models?
Ease of Implementation: Oso’s Polar language makes it simple to define and enforce complex policies.
Flexibility: Combine RBAC, ABAC, and ReBAC seamlessly to handle a wide range of access control scenarios.
Scalability: As your application grows, Oso’s tools make it easy to adapt your policies to new requirements.
Conclusion
Choosing the right access control model—RBAC, ABAC, or a combination of control models—depends on your organization’s specific needs. RBAC offers simplicity and ease of management, making it ideal for environments with stable roles and predictable access requirements. On the other hand, ABAC provides the flexibility and granularity needed for dynamic, attribute-driven scenarios.
For many organizations, a hybrid approach that combines RBAC and ABAC delivers the best of both worlds. By using roles as a foundation and layering attributes for fine-grained control, you can create an access control system that is both powerful and easy to manage. Additionally, incorporating models like ReBAC into a hybrid solution can further enhance your ability to enforce relationship-driven permissions.
At Oso, we make it easy to implement these models with tools like Polar, enabling you to define and enforce policies that meet the demands of modern applications. Whether you’re managing a small team or a global enterprise, Oso provides the flexibility and scalability you need to secure your systems effectively.
Ready to take your authorization to the next level? Explore our Authorization Academy or learn more about how Oso can help you build a robust access control system.
Role-Based Access Control (RBAC) is a method of managing user permissions by assigning users to roles, where roles are granted specific permissions to act on resources such as API endpoints, database records, and cloud infrastructure objects.
RBAC is important in production environments because it enforces the principle of least privilege, cutting down on security incidents, misconfigurations, and accidental over-provisioning. By restricting each user or service to only the actions they’re authorized to perform, you get a system whose behavior is stable and auditable, you know exactly who can do what, and surprise changes are far less likely.
Implementing RBAC is easiest with a centralized access policy engine (for example, Oso) that enforces the same rules across all parts of your application, APIs, microservices, and frontend components. This eliminates scattered access control logic and keeps enforcement consistent throughout the entire stack.
RBAC policies must be enforced at the backend (API) to guarantee security and consistency. The frontend (UI) can adapt dynamically to a user’s role, hiding or disabling actions they aren’t allowed to perform, but this is purely for usability. True enforcement always happens at the API layer.
Hand-rolling access control logic becomes unmanageable at scale, leading to inconsistencies, poor auditability, and security risks. A centralized RBAC engine like Oso simplifies management by defining a robust policy module so that one need not to reinvent the wheel, making it auditable, scalable, and easier to maintain.
When RBAC is implemented through a central policy engine, you can unit-test every permission rule in one place and immediately apply changes across all APIs, microservices, and front-end components. Adding a new role or resource becomes a single policy update instead of dozens of scattered code edits. This approach keeps access decisions consistent, auditable, and predictable as your system grows.
When building internal tools at scale, whether it’s a developer portal, an audit dashboard, or a CI/CD orchestrator, access control quickly stops being a feature and becomes a risk surface. In a past role, I worked on a multi-tenant deployment platform used by dozens of internal teams. A misconfigured authorization rule allowed a junior engineer to deploy to production instead of staging, a classic example of how fragile hand-rolled RBAC can lead to real security incidents. It wasn’t malicious, but it took down a customer-facing API. Most access-related incidents stem not from code defects, but from the absence of proper contextual enforcement and boundary controls.
In a lifecycle, especially one that’s regulated or customer-facing, the strategic imperative is not whether to adopt RBAC, but how to implement it early without disrupting operational continuity. From developer environments to admin consoles and feature toggles, every internal interface becomes a potential vector for misuse. Engineers, platform teams, and security leaders all want the same thing: to move fast without sacrificing control. RBAC offers a structured way to scale those guarantees.
This post is for DevSecOps leads, product security engineers, and platform architects who’ve either implemented or are planning to roll out RBAC in their stack. We’ll walk through how to do RBAC properly, at the code level, across environments, and with real UI examples, using a sample app we built from scratch: a small e-commerce product-catalog demo implemented with Next.js (Next API routes + React frontend), Node/Express-style handlers, PostgreSQL, JWT authentication, and Oso as the centralized policy engine. Instead of hand-writing permission checks across controllers, routes, and UI components, we implemented policies once in Oso (the .polar file), wired the app to call isAllowed(user, action, resource) from server routes, and then surfaced role-aware controls in the Next.js UI. That means you can see exactly how much boilerplate, edge cases, and brittle logic Oso replaces, things you would otherwise have to design, implement, and test yourself (role mapping, environment scoping, audit trails, revocation, partial evaluation and caching, etc.). Along the way we’ll discuss tradeoffs of hand-rolled logic, show how Oso simplifies role-based access management, and spell out what “enterprise-ready” RBAC looks like in practice.
What Is RBAC?
RBAC (Role-Based Access Control) is an authorization model designed to manage who has access to what in a system. Rather than assigning permissions directly to individual users (which quickly becomes unmanageable), RBAC introduces an abstraction:
Users are assigned to roles: Each user inherits permissions by belonging to a role like Viewer, Editor, or Admin.
Roles are granted permissions: A role defines which actions (read, edit, delete) are allowed.
Permissions are scoped to resources or actions: Permissions apply to specific resources (e.g., product, feature flag) and the actions performed on them.
This creates an access system that scales cleanly as your app grows. For example, a user with the Collaborator role can edit product details or post comments, but they can’t delete products, that action is reserved for Owners. The system doesn’t check for individual user IDs (e.g., “is user123 the product creator?”); instead, it checks the user’s role against the policy attached to that role. By avoiding hardcoded checks like “only the creator of this product may delete it”, you remove scattered exceptions and let Oso enforce consistent rules across every endpoint. When a role’s permissions change, the new behavior applies immediately without rewriting business logic.
Why RBAC is Important
Without access boundaries, everything becomes a potential point of failure: not just the services, but the humans operating them. Teams accidentally ship to the wrong environment, over-provision infrastructure, or expose sensitive data, often because they had more access than necessary.
RBAC enforces the principle of least privilege, which says users should only have the minimum permissions needed to do their jobs. For example, in a product catalog app, a Viewer can read product listings but can’t edit or delete them; a Collaborator can update descriptions or add comments but still can’t remove products; and only an Owner has full control, including deletion. This role separation limits the blast radius of mistakes (a Viewer can’t accidentally wipe data), keeps behavior predictable, and gives security teams confidence that access is consistently enforced without blocking day-to-day work.
Overview of RBAC Architecture
In a well-structured production system, Role-Based Access Control (RBAC) shouldn’t be scattered as if/else checks deep inside application code. It should be treated as its own dedicated service or infrastructure layer, on the same footing as your identity provider and authentication mechanism. RBAC acts as the policy-enforcement counterpart to authentication, while principles such as environment isolation (separating dev, staging, and prod) define the boundaries in which that layer operates. This section walks through how a role-based access control system fits into a modern stack, how it interacts with the rest of the infrastructure, and where each responsibility actually lives in practice.
The flow begins with the Identity Provider, such as Okta or Auth0, which handles user authentication. After the user logs in, the Identity Provider issues an identity token (e.g., JWT) containing user information like ID, email, and sometimes role metadata.
App/API
After successful authentication, requests are forwarded to the App/API layer, which acts as the initial entry point for processing the request. The App/API interacts with the Access Policy Engine to check permissions before taking any further action.
Access Policy Engine (Oso/OpenFGA)
This is where role-based access decisions are made. The engine evaluates whether a specific user is authorized to perform a certain action on a given resource (e.g., “Can this user update this document?”). It could be a system like Oso, OpenFGA, or a custom-built solution.
Permission DB (PostgreSQL)
The Access Policy Engine queries the Permission Database to evaluate relationships between users, resources, and actions. For example, it checks whether "User A" has permission to "Update" a specific resource or if "Collaborator" has permission to "Delete a comment." The Permission DB is optimized for fast lookups and stores this mapping information, often populated by role assignments or sync jobs.
Final Decision
The Access Policy Engine processes the permission check and returns a final authorization decision. The App/API then either proceeds with the requested operation or returns a 403 Forbidden error if the user is not authorized to perform the action.
RBAC-Aware Frontend (Next.js)
The frontend, built with Next.js or similar frameworks, adjusts its UI based on the user's roles or permissions. It ensures that only the relevant UI elements (e.g., buttons, forms, pages) are visible or interactive, aligning with the backend's access control decisions to maintain a consistent user experience.
Implementation Principles for RBAC in a Microservices Stack
Beyond the high-level flow, it helps to ground this in a real business use case. Assume a product catalog app where different users, Owners, Collaborators, and Viewers, need different levels of access to products and comments. Owners can add or remove products, Collaborators can edit and comment, and Viewers can only browse. On the surface, this sounds simple, but if you tried to hardcode these rules into every API route, frontend component, and database query, it would quickly become complex, brittle, and time-consuming to maintain.
That’s why we built this demo app with Oso. Instead of reinventing the wheel or writing a custom authorization framework from scratch, we used Oso’s open-source policy engine to centralize and declare all role logic at once. The app itself is deliberately lightweight, Next.js frontend, Node/Express-style API routes, and PostgreSQL for persistence, but it demonstrates how even a “small” product can benefit from a dedicated RBAC layer. With Oso handling the rules, the implementation becomes practical, auditable, and easy to extend, which is what you need in a production microservices stack.
1. Identity and Authentication
Every access control system begins with identity. Users must be authenticated before any permissions can be evaluated. Most production systems rely on an Identity Provider (IdP) such as Okta, Auth0, or an internal OIDC-compliant service. Once a user is authenticated, the IdP issues a token (typically a JWT) containing identity claims like user ID, email, organization ID, and sometimes role identifiers. These identity claims are then passed downstream to any service requiring authorization logic.
In our demo app, this process starts at the login page (screenshot above). A user signs in with their email and password, the app verifies their credentials, and a JWT is issued containing their user ID and assigned role (Owner, Collaborator, or Viewer). That token is then included in all subsequent requests to the backend, where Oso evaluates whether the user is allowed to perform the requested action.
2. App/API Layer
After authentication, requests flow into the App/API, which acts as the main entry point for business logic. At this stage the application does not decide permissions on its own. Instead, it forwards the user identity and requested action to the authorization layer. This separation avoids oversized, permission-stuffed tokens and keeps enforcement auditable.
Oso’s recommended patterns include:
Let services fetch authorization data as needed. Each microservice requests permission info when required, rather than relying on outdated or oversized tokens.
Use an API gateway to forward identity context. The gateway only handles authentication and passes identity, not permissions, to services, letting them evaluate access with fresh policy data.
Centralize authorization logic in one service. Services decide whether an action is allowed by calling a shared policy engine (like Oso) that combines roles, resource context, and environment data.
This approach ensures decisions reflect the most current permissions, avoids token bloat, and keeps your authorization logic auditable and maintainable across services.
If a user with access Y is trying to access resource X, it throws an access denied message.
The key advantage of having a separate RBAC engine is that the logic becomes reusable, auditable, and environment-aware. Whether you’re calling it from a backend route, an internal tool, or a CLI-based automation script, the permission logic remains consistent. This separation of concerns also makes it easier to manage and evolve your role based access control model over time, as permissions change or new roles are introduced.
Here, we showed how that token flows into backend routes, using Postman to test requests like “view product” or “edit product.” Those tests made it clear that identity alone isn’t enough, we still need a consistent way to decide what that user can do once authenticated.
That’s where the RBAC engine comes in. The key advantage of separating authorization into its own engine is that the logic becomes reusable, auditable, and environment-aware. Whether you’re calling it from a backend route, an internal tool, or a CLI-based automation script, the same permission logic applies everywhere. This separation of concerns makes it easier to evolve your RBAC model over time, as roles change or new ones are introduced.
3. Access Policy Engine (Oso/OpenFGA)
The policy engine is where authorization actually happens. Given (user, action, resource), it evaluates whether the operation is permitted based on centrally defined policies. For example, Oso lets you encode:
allow(user, "update", product) if user.role = "collaborator"; allow(user, "delete", product) if user.role = "owner";
On the frontend, the app doesn’t enforce authorization, but it still needs to mirror backend rules for a smoother user experience. For example, if a user is a Viewer, the “Edit Product” button should already be greyed out rather than throwing a 403 after they click it. This prefetching of effective permissions ensures the UI matches what the backend enforces, reducing errors and confusion.
4. Role and Permission Store (e.g., PostgreSQL)
A persistent store underpins the policy engine, tracking user-role assignments and mapping them to resources. This store (often backed by PostgreSQL or similar) captures relationships like role inheritance, project scoping, or environment-specific restrictions. Defining permissions declaratively in version-controlled policy files provides auditability, clarity, and maintainability.
This store also plays a critical role in providing auditability. By tracking which roles exist, what permissions they hold, and how they’re used, the system can generate logs and reports for compliance and debugging purposes. Every permission decision can be traced back to a clearly defined rule or role mapping, reducing ambiguity when things go wrong.
5. Final Decision
After evaluation, the policy engine returns an allow/deny decision. The App/API enforces this outcome: if permitted, the request continues; if not, it returns a 403 Forbidden. Every decision can be logged, giving you an audit trail of who tried to do what and when.
6. RBAC-Aware Frontend (Next.js)
While the frontend may receive minimal role or identity information (e.g. "role": "collaborator"), it should never enforce access control directly. Instead, the UI adapts behavior, such as hiding buttons or disabling actions, for better user experience.
However, all authorization decisions must still be enforced in the backend, where the service calls into Oso’s policy engine (e.g. isAllowed(user, action, resource)) to validate whether the requested operation is permitted. This guarantees consistency, auditability, and prevents misuse via tools like Postman or cURL.
By avoiding client-side permission caching or local storage of permission hashes, the system maintains a single, centralized source of truth for all access logic: declarative, testable, and enforceable.
Up to this point, we’ve focused on the app-level flow, login, backend checks with Oso, role storage, and a frontend that adapts to permissions. That gives us a clear view of how RBAC works within a single application. But in production, you rarely have just one app. You’re running multiple services behind gateways, identity providers, and caches.
To understand how centralized RBAC holds everything together in that larger picture, let’s step back and look at how it fits into a modern microservices architecture.
How Centralized RBAC Fits Into a Modern Architecture
This diagram represents a role-based access control (RBAC) system architecture implemented across a microservices-based backend, with an API Gateway, Authn Server, Token Store, and local caching at multiple layers. Here's a step-by-step explanation of how it works:
1. User Logs In & Receives Identity Token
The user authenticates through an Identity Provider (IdP) like Okta or Auth0. Upon successful login, the IdP issues an identity token (typically a JWT) containing basic user claims, such as user ID and email, but not full access rights or roles. This token is strictly used for authentication, not for enforcing permissions.
2. Authorization Happens at the Service Layer, Not the Gateway
The API Gateway acts as a routing layer. It forwards requests to the relevant backend microservices without making any authorization decisions itself. Unlike traditional architectures that rely on token-scoped permissions at the gateway level, this model ensures that all access control logic is centralized and auditable.
3. Microservices Query Oso for Access Decisions
When a service (e.g., Inventory Service, Product Service) receives a request, it performs an authorization check by invoking isAllowed(user, action, resource) on Oso. Oso evaluates the request against its .polar policy file to determine whether the action should be permitted.
This dynamic, runtime evaluation ensures that:
Permissions are always up-to-date
Access rules are centrally defined and enforced
There's no risk of permission drift across environments
4. Optional: Caching at the Policy Layer (Not Gateway)
To improve performance, caching is employed inside the authorization engine (e.g., Oso Cloud) for stable parts of policy execution (such as policy compilation) so redundant work is minimized. Some optimizations include visibility into policy versioning (so you can see when policies update) and support for time-based access expiry.
For example:
The cache key isn’t just (user, action, resource) but also the policy version or relationship graph version used to compute the decision. That way, if a policy changes or a relationship is updated, the cache can be invalidated or refreshed automatically.
The service can merge cached facts with fresh facts. E.g., if it already knows the user’s roles but needs a fresh attribute from a DB, it can combine them before evaluation, something a gateway cache can’t do without understanding the policy model.
The service can implement smart TTLs or event-driven invalidation based on policy/relationship changes. From the outside you’d have to guess, but inside the authz service you know exactly when something makes cached decisions stale.
5. UI and API Stay Synchronized
Since all authorization decisions are made per request and per resource by Oso, both the frontend and backend operate off the same access logic. The UI can query what the current user is allowed to do and render controls accordingly, while the API enforces those rules regardless of frontend behavior.
Instead, you plug into a declarative, unified access layer, like Oso, and make authorization an API, not a part of your codebase. This architecture eliminates scattered permission checks and gives you a scalable foundation for consistent access enforcement across services and interfaces.
Why You Shouldn’t Hand-Roll Authorization Anymore
But even with the right architecture, how you define and enforce policies still determines success. Here's why centralized, declarative authorization is now the baseline, and why hand-rolled logic no longer cuts it.
1. Why Hand-Rolled Authorization Always Breaks First
Authorization used to be baked directly into the application layer. Every microservice had its own version of role mapping. Routes were guarded with one-off isAdmin checks. Access was defined in YAML files, controller logic, and conditional middleware scattered across codebases. It may have worked in the early days, but once you’re managing multiple services, environments, and personas, that approach turns into a liability. There’s no single source of truth, no audit trail, and no consistency across the stack.
As soon as new components like internal admin panels, agent-based automation, or AI orchestration chains are introduced, the old model breaks entirely. Each part of the system ends up reinventing access control in its own silo. And that makes it impossible to reason about, or enforce, security at scale.
2. Centralized Policy Is the New Baseline
Modern authorization is externalized into a unified access layer. Instead of encoding roles and permissions directly into app logic, you define policies declaratively, using a tool like Oso, OpenFGA, or Cedar. These tools let you describe RBAC rules in a structured language. You define roles, permissions, relationships, and scopes in a way that’s consistent and testable. Then you integrate the policy engine as an API that your services, tools, and agents can call in real time.
You don’t repeat logic across your backend, frontend, and automation layers. Access decisions are made programmatically and deterministically, eliminating ambiguity and ensuring policy fidelity. This approach turns authorization into infrastructure, not a set of scattered decisions.
Step-by-Step: Implementing the RBAC Layer
The project is structured around a classic fullstack architecture: Express.js for the backend API, PostgreSQL as the database layer, and a frontend UI built with Next.js. We chose this stack to demonstrate how RBAC enforcement can be cleanly embedded into real-world app layers, not just as a backend filter but as an end-to-end access boundary. The user management flow includes registration, login, and protected routes, all wired to a simple JWT-based session system. Authentication happens first, and role-based authorization follows immediately after.
1. Define roles & permissions (claims vs. enforcement)
Users are assigned one of four roles, owner, collaborator, viewer, developer, persisted in PostgreSQL. At login, the role is issued as an identity claim in the JWT so the frontend can render the right controls. We never authorize the token. On every request, the API loads the user & target resource from PostgreSQL and asks Oso, via isAllowed(user, action, resource). This keeps identity in the token and authorization in policy. (See Oso request-level enforcement.)
The owner role grants full permissions, including viewing, commenting, editing, and deleting any product in the system.
The collaborator role allows the user to view and comment on products, and make limited edits, but lacks deletion privileges.
The user is assigned the viewer role, which grants read-only access across the application without permissions to comment, edit, or delete.
The developer role is a special-purpose role with scoped access for debugging or staging environments, not intended for production changes.
2. Wiring Oso into the Backend Authorization Flow
At the core of our access control system is Oso, a policy engine that defines access logic in a .polar file.
Each permission check boils down to one question:
“Is this user allowed to perform this action on this resource?”
To evaluate that, we:
Retrieve both the user and the resource from PostgreSQL.
Wrap them into domain-specific objects (OsoUser, OsoProduct).
Invoke the isAllowed() method via our authorization service wrapper.
Oso checks the policy rules and returns yes/no, no conditional branching or role checks cluttering the controller logic.
# User roles
allow(user, "read", _product) if user.role in ["owner", "collaborator", "viewer", "developer"];
allow(user, "create", _product) if user.role = "owner";
allow(user, "update", _product) if user.role in ["owner", "collaborator"];
allow(user, "delete", _product) if user.role = "owner";
# Comment permissions
allow(user, "comment", _product) if user.role in ["owner", "collaborator"];
allow(user, "read", _comment) if user.role in ["owner", "collaborator", "viewer", "developer"];
allow(user, "delete", comment) if user.role = "owner" or
(user.role = "collaborator" and comment.authorId = user._id);
# User management (only owners can manage users)
allow(user, "manage_users", _) if user.role = "owner";
3. Enforcing Access Across Frontend and API
Once the authorization engine is in place, we connected the frontend to reflect the same access rules visually. After login, users are shown their role in the profile view. Based on that role, certain actions become available or hidden.
For role-based access control example:
Owners can delete products.
Collaborators may see an edit button but no delete option.
Developers get read/update permissions only in staging and cannot delete in production.
Viewers remain strictly read-only.
Policy changes are centrally managed within the .polar file, ensuring consistent, maintainable enforcement.
# User roles
allow(user, "read", _product) if user.role in ["owner", "collaborator", "viewer", "developer"];
allow(user, "create", _product) if user.role = "owner";
allow(user, "update", _product) if user.role in ["owner", "collaborator"];
allow(user, "delete", _product) if user.role = "owner";
# Comment permissions
allow(user, "comment", _product) if user.role in ["owner", "collaborator"];
allow(user, "read", _comment) if user.role in ["owner", "collaborator", "viewer", "developer"];
allow(user, "delete", comment) if user.role = "owner" or
(user.role = "collaborator" and comment.authorId = user._id);
# User management (only owners can manage users)
allow(user, "manage_users", _) if user.role = "owner";
These visual controls are purely cosmetic: the real enforcement happens in the backend, but they help create a role-aware interface that prevents user confusion or error. And since permissions are checked again in every API call, there’s no way to bypass access via tools like Postman or cURL.
4. Centralizing and Simplifying Policy with Oso
Instead of scattering role checks across controllers, all access rules live inside authorization.polar. This becomes the single source of truth for permissions.
For example, if we want to give collaborators delete permissions in the future, we’d edit one line in the .polar file, reload the policy, and the entire app respects the new rule, no middleware rewrites needed.
5. Testing the System and Validating Role Behavior
To test the full flow, users can register with different roles either through the /register route in the frontend or directly via the API.
Once logged in, their role and access level are reflected on the /profile page. From there, they can access /products to view items, attempt edits, or post comments, depending on their permissions.
This is the main product listing screen where users can view all available products along with their status, category, and creation date.
The comment section allows users to read or add comments for a specific product, with RBAC deciding who can post or delete.
Users with appropriate permissions can access detailed metadata views, showing full metadata like status, creation date, and last modified timestamp.
This modal provides fields for editing product details like name, description, category, and status, editable only if the user’s role permits it.
Only users with the appropriate role (e.g. Owner) see the “Delete Product” action in the dropdown, enforced both in UI and backend.
Every action hits a protected backend endpoint, which consults the Oso engine before proceeding. Unauthorized actions result in a 403 response, and authorized ones continue to the business logic layer. This flow enforces that access control is not optional or assumed, it’s part of the request lifecycle.
Core Concepts in RBAC
When designing access control, roles, permissions, and resources define exactly who can create a project, edit someone else’s comment, or even see that a project exists at all.
In our e-commerce product catalog system, the resource is the Product entity and its associated metadata (comments, visibility status, creation time). Each product lives in a system where access isn’t flat; it varies per user, depending on what role they’ve been assigned.
The actions on these resources include create, edit, delete, comment, and view. For example, an Owner can create and delete projects; a Collaborator can’t create new projects but can still comment and make edits; a Viewer can only observe, no mutations allowed.
We’ve broken the system into clear roles to reflect common collaboration patterns in product teams:
Role
View
Comment
Edit
Delete
Create
Viewer
Yes
❌
❌
❌
❌
Collaborator
Yes
Yes
Yes
❌
❌
Owner
Yes
Yes
Yes
Yes
Yes
Imagine these roles like access cards in a secure office building. A Viewer has a guest pass, able to walk around and observe, but not touch anything. A Collaborator is like a contractor with a desk, they can make edits, leave notes, and work on existing assets. An Owner holds the master key: they manage the layout, invite others, and remove or reshape the entire structure.
We’re using Oso to formalize these boundaries in code. Oso allows us to declare relationships between users and resources, and then map specific permissions to role levels. So when a request comes in to delete a project, Oso can evaluate: is this user related to this project as an Owner? If yes, allow the action. If not, block it.
What Manual RBAC Actually Looks Like?
Without Oso, you'd be left stitching together authorization logic manually across every part of your stack. Each service would need to implement its own version of access checks, maybe using raw conditionals, a homegrown roles table, or a custom canAccess() function that slowly balloons with edge cases. For every new resource type, you'd have to write fresh logic to define how users relate to it. If you needed to support cross-resource conditions, like “can delete this project only if the user is also an admin of the parent org,” you'd be threading business rules through multiple layers of code.
This file directly shows what authorization looks like without Oso: role checks embedded inside API route logic. It’s exactly the kind of tight coupling and imperative branching that your Oso-based app avoids.
As the system grows, so does the complexity. You’d eventually have to build your own policy evaluation layer, your own relationship graph, and your own internal DSL just to keep permissions sane. And even then, there's no standard way to audit what rules exist or test them independently. You're not just maintaining the product, you're maintaining a second, invisible product called "the authorization system," and it's leaking into everything.
What Changes When You Add Oso
Instead of baking permissions directly into each route handler, we now have a centralized engine that knows what every user can and cannot do. This not only prevents unauthorized actions, it also simplifies both debugging and UI logic. As you’ll see later, the frontend can now query what a user is allowed to do before showing buttons or actions. This eliminates the need for embedded role conditionals, promoting centralized governance and auditability.
Oso vs Manual RBAC
Feature
Manual RBAC
Oso-Powered RBAC
Policy Location
Scattered in code (controllers, middleware)
Centralized .polar file
Auditability
Poor – hard to trace
Strong – declarative policies
Consistency
Prone to drift across layers
Enforced uniformly across stack
Scalability
Difficult with new roles/resources
Easily extensible
Testing
Complex to mock/validate
Deterministic and testable
UI Awareness
Manual effort, prone to error
Queryable permissions for role-aware UI
Conclusion
As your system grows, authorization can’t live scattered across controllers and frontend checks. It needs to be centralized, declarative, and enforced consistently across every layer, API, UI, and automation. That’s exactly what we built: a fullstack RBAC system where access decisions are cleanly separated from business logic and evaluated through a purpose-built policy engine.
Using Oso with Express and PostgreSQL, we formalized user-role-resource relationships in code, enforced permissions at runtime, and exposed a frontend UI that reflects the same logic visually. The result is an architecture that’s not just functional, but scalable, where access rules live in one place, apply everywhere, and evolve cleanly over time.
RBAC isn’t just about restriction, it’s about control. The right model protects velocity while preventing production drift. With a centralized policy layer, your system becomes safer to build on, easier to reason about, and ready for the complexity that comes with scale. Curious how RBAC compares to attribute-based access control? Read our breakdown of RBAC vs ABAC for deeper insight.
FAQs
1. What’s the difference between user-scoped and role-scoped permissions?
User-scoped permissions are assigned directly to an individual, custom, explicit privileges. Role-scoped permissions are attached to a named role, which is then assigned to users. Role based access control models scale better, while user-scoped models offer precision (at the cost of manageability).
2. Can I manage RBAC through a config file?
Yes, for early-stage systems or simple permission models, YAML or JSON config files work fine. Just make sure to reload them safely and avoid hardcoding paths. For dynamic environments or per-project scoping, a DB-backed model with a policy engine (like Oso or Casbin) is more appropriate.
3. How do I test RBAC effectively in CI/CD?
Treat permissions like any other contract. Write unit tests for permission-checking logic, mock role assignments, and assert expected access outcomes. For integration tests, run flows under different simulated users and validate that protected actions are blocked or allowed accordingly.
4. Is RBAC enough for all security needs?
RBAC governs who can access what, but it doesn’t cover everything. For complete security, you still need input validation, rate limiting, secrets management, and infrastructure hardening. Think of RBAC as necessary but not sufficient, a foundational layer, not the whole structure.
As a developer who's spent years wrestling with access control systems, I can tell you that traditional Role-Based Access Control (RBAC) approaches often fall short when your app needs to grow beyond basic user roles. That's where Attribute-Based Access Control (ABAC) comes to the rescue.
ABAC lets you define access control using attributes of users, resources, and context instead of fixed roles. Think of it as the difference between saying "only admins can edit" versus "users can edit if they're the owner AND the document is in draft status AND it's during business hours."
Sound complicated? It doesn't have to be. Let me show you five practical ABAC examples that'll make your access control both smarter and more maintainable.
TL;DR
ABAC uses attributes (user properties, resource metadata, contextual data) to make fine-grained access decisions. It's more flexible than pure RBAC and perfect for complex business logic. Tools like Oso make implementation straightforward with policy-as-code approaches.
ABAC Policy Examples
Example 1: Conditional Admin Access for After‑Hours Escalations
Scenario: A user can only perform admin actions on resources if they're a support manager and it’s after hours.
Attributes: user.role, hour (current time passed as a context fact)
This is a conditional, time-based admin pattern: support managers get elevated rights only after hours to handle escalations. Instead of handing out permanent admin, you flip it on during the escalation window and let policy turn it off automatically when business hours return—tight control, smaller blast radius, and no manual toggling.
actor User { }
resource Tenant {
roles = ["member", "support_manager", "admin"];
permissions = ["read", "manage"];
"member"if"support_manager";
"member"if"admin";
"read"if"member";
"manage"if"admin";
}
declare current_hour(Integer);
has_role(user: User, "admin", tenant: Tenant) if has_role(user, "support_manager", tenant) and
current_hour(hour) and
hour matches Integer and
hour >= 17;
test "support managers get admin access after 5pm" {
setup {
has_role(User{"alice"}, "support_manager", Tenant{"tenant1"});
has_role(User{"bob"}, "member", Tenant{"tenant1"});
current_hour(18);
}
assert has_role(User{"alice"}, "admin", Tenant{"tenant1"});
assert_not has_role(User{"bob"}, "admin", Tenant{"tenant1"});
}
Why it fits: Support managers get just-in-time admin only after hours, enforcing least privilege and letting the policy auto‑revoke access when business hours resume. It’s granular without extra complexity, and Oso keeps the time/context check in a single, tweakable rule (on‑call, weekends, regions).
Example 2: Conditional Access Based on Resource Tags
Scenario: A contributor can access a project only if it's tagged as "public."
Attributes: user.role, project.tags
This pattern demonstrates business logic expressed as policy rather than hardcoded conditionals scattered throughout your codebase.
actor User {}
resource Project {
permissions = ["read"];
"read"if is_public(resource);
}
test "read access for project is allowed if public" {
setup {
is_public(Project{"project1"});
}
assert has_permission(User{"alice"}, "read", Project{"project1"});
assert_not has_permission(User{"bob"}, "read", Project{"project2"});
}
Why it fits: When your product manager decides that "internal" projects should also be accessible to contributors, you update the policy once instead of hunting through dozens of API endpoints.
Example 3: Time-Limited Access for Contractors
Scenario: Contractors can access resources only during their active contract window.
Attributes: user.expiration, now
This is a perfect example of contextual access control – permissions that depend on real-time conditions.
actor User {}
resource Repository {
roles = ["member"];
permissions = ["read"];
"read"if"member";
}
has_role(actor: Actor, role: String, repo: Repository) if expiration matches Integer and has_role_with_expiry(actor, role, repo, expiration) and expiration > @current_unix_time;
test "access to repositories is conditional on expiry" {
setup {
# Alice's access expires in 2033 has_role_with_expiry(User{"alice"}, "member", Repository{"anvil"}, 2002913298);
# Bob's access expired in 2022 has_role_with_expiry(User{"bob"}, "member", Repository{"anvil"}, 1655758135);
}
assert allow(User{"alice"}, "read", Repository{"anvil"});
assert_not allow(User{"bob"}, "read", Repository{"anvil"});
}
Why it fits: No more manual disabling of contractor accounts. No more "oops, forgot to revoke access" security incidents. The policy automatically enforces time boundaries.
Example 4: Delegated Access (REBAC-style ABAC)
Scenario: A user can access a resource only if someone else has explicitly shared access with them.
actor User {}
resource Repository {
permissions = ["view"];
relations = {
shared_with: User
};
"view"if"shared_with";
}
test "access to repositories is conditional on expiry" {
setup {
has_relation(Repository{"anvil"}, "shared_with", User{"alice"});
}
assert allow(User{"alice"}, "view", Repository{"anvil"});
assert_not allow(User{"bob"}, "view", Repository{"anvil"});
}
Real-world application: Think shared documents, temporary project access, or vacation coverage scenarios. Someone with access can grant it to others without involving IT.
Example 5: State-Based Permissions (Workflow Control)
Scenario: A user can only edit a record if it's in "draft" status.
Attributes: resource.status, user.permissions
This is a clean example of tying access to business process state – perfect for content workflows, product pipelines, or any multi-stage process.
actor User {}
resource Document {
roles = ["viewer", "editor", "owner"];
permissions = ["read", "edit"];
"read"if"viewer";
"viewer"if"editor";
"edit"if"editor"and is_draft(resource);
"edit"if"owner";
}
test "edit access to document is conditional on if draft" {
setup {
is_draft(Document{"document1"});
has_role(User{"alice"}, "editor", Document{"document1"});
has_role(User{"bob"}, "viewer", Document{"document1"});
has_role(User{"alice"}, "viewer", Document{"document2"});
has_role(User{"bob"}, "editor", Document{"document2"});
}
assert allow(User{"alice"}, "edit", Document{"document1"});
assert_not allow(User{"bob"}, "edit", Document{"document1"});
assert_not allow(User{"alice"}, "edit", Document{"document2"});
assert_not allow(User{"bob"}, "edit", Document{"document2"});
}
Why it fits: Your business logic stays in your policies, not scattered across controllers. When the workflow changes (adding a "review" state, for example), you update the policy, not every piece of code that checks permissions.
Implementing ABAC in Oso
Oso makes ABAC practical by letting you express these complex policies in Polar, a declarative policy language designed for developers.
Here's what makes Oso's approach different:
Developer control: Policies live in version control alongside your code
Separation of concerns: Business logic stays in policies, not scattered through your application
Dynamic enforcement: Policies evaluate in real-time with fresh data
Testing support: Built-in tooling for policy validation and edge case testing
Quick implementation example:
# Your application codeif oso.authorize(user, "edit", document):
# Proceed with edit operationpass
The policy handles all the complex attribute checking – you just ask "is this allowed?"
DevOps has transformed how developers build, deploy, and manage infrastructure and applications, making automation, scalability, and rapid iteration core to modern development workflows.
While much of the software delivery process has evolved, authorization has largely remained stuck in legacy approaches. Many organizations still manage homegrown solutions with hardcoded permissions across services, custom policies by different teams, and manual updates as access needs shift. These approaches may work initially, but they do not scale properly.
As teams adopt microservices, APIs, and multi-cloud architectures, fragmented authorization systems become a liability. Each policy change demands manual effort across teams and services—slowing development, increasing the risk of misconfigurations, and eroding confidence in access control.
Why Traditional Authorization Models Fall Short
Many homegrown solutions, such as Duolingo’s previous authorization system, were built to solve immediate needs. Early-stage architectures often rely on simple approaches like Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC). These models are easy to implement, making them appealing when rapid development is the priority.
However, as companies scale, these simple models quickly show their limits. Real-world applications rarely stay static. Instead, teams need a blend of authorization models to address growing complexity—supporting multi-tenant architectures, managing resource-specific roles, handling user relationships, and enforcing contextual permissions that shift based on factors like time, ownership, or evolving business rules.
As requirements evolve, this leads to custom logic, scattered exceptions, and manual interventions. The once simple authorization tool becomes fragile, inconsistent, and a bottleneck in the development lifecycle.
The Role of Policy-as-Code and Authorization-as-a-Service
To overcome the challenges of fragmented, manual access control, modern DevOps teams are adopting solutions with the same principles that transformed infrastructure and application delivery into the world of authorization. Two complementary approaches are emerging as the go-to strategies:
Applying DevOps best practices through Policy-as-Code (PaC).
Just as DevOps streamlined infrastructure through automation and version control, PaC and AaaS now deliver the same agility and consistency to authorization.
Policy-as-Code: Authorization Meets DevOps
Policy-as-Code (PaC) is the practice of defining and managing authorization policies in a declarative, code-like format—version-controlled, testable, and integrated into automated workflows. PaC is typically implemented in a domain-specific language or configuration format. By applying core DevOps principles, PaC transforms authorization from a manual, error-prone task into a streamlined, reliable component of software delivery.
Authorization-as-a-Service: Scalable Enforcement Without The Overhead
However, defining policies is only one part of the solution. Teams also need a scalable, reliable way to enforce these policies across their distributed systems and applications. That's where Authorization-as-a-Service (AaaS) comes in, providing managed, cloud-native platforms that handle policy enforcement without requiring teams to maintain their own authorization infrastructure.
Modern authorization solutions combine these two approaches:
Declarative policies (PaC) that ensure transparency, audit-ability, and easier collaboration.
Scalable, hosted decision engines (AaaS) that consistently enforce policies across microservices, APIs, and multi-cloud environments.
This powerful combination enables DevOps teams to rapidly adapt to changing business requirements, ensuring consistent authorization enforcement without slowing down development or adding operational complexity.
This overview highlights the reasons behind many companies' shift to Authorization-as-a-Service for complex authorization use cases.
Best Practices for Modern Authorization
Successfully implementing Policy-as-Code and Authorization-as-a-Service requires adopting certain best practices that align closely with DevOps methodologies.
Key practices include:
Decouple authorization logic from application code. Centralize policies to avoid duplication, reduce drift, and simplify maintenance across services.
Use declarative policies to standardize access control. Focus on what access is allowed, not how it’s enforced.
Choose platforms that:
Support flexible authorization models to handle evolving business requirements without constant rewrites.
Integrate seamlessly with CI/CD workflows for automated testing, deployment, and version control of policies.
Provide scalable, managed enforcement through AaaS. Eliminate operational overhead while ensuring consistent policy decisions across distributed systems.
Model for growth and complexity. Start simple, but ensure your solution can adapt to non-standard use cases, dynamic relationships, and contextual permissions as your application scales.
Ensure observability and compliance by tracking policy changes, enabling peer reviews, and integrating authorization with monitoring and telemetry to maintain full visibility and audit readiness.
This POC framework offers practical steps for evaluating authorization solutions that align with both Policy-as-Code and Authorization-as-a-Service strategies.
Conclusion: The Future is Flexible, Automated Authorization
Modern authorization can no longer rely on static roles, hardcoded logic, or manual processes. As architectures become more dynamic and distributed, effective access control demands both code-driven policies and scalable enforcement models.
For most companies, building and maintaining a custom authorization system isn’t an investment, it is a long-term liability. When authorization isn’t core to your product’s value, investing engineering resources into homegrown solutions distracts from your main focus. Teams need solutions that integrate seamlessly into development workflows and scale as business needs evolve.
By embracing an authorization service based on Policy-as-Code (PaC) and Authorization-as-a-Service (AaaS), teams bring automation, flexibility, and consistency to authorization. This ensures that access management evolves seamlessly alongside their DevOps workflows. This approach not only strengthens security but also removes operational bottlenecks, allowing development teams to move faster without sacrificing control.
Keycloak has long been a popular choice for developers and organizations looking for an open-source identity and access management (IAM) solution. With features like SSO, LDAP integration, and support for major protocols like OAuth2 and SAML, it’s easy to see why Keycloak is often the default. But as infrastructure needs grow and IAM demands evolve, many teams are reevaluating whether Keycloak is still the best fit.
In this post, we’ll explore the top Keycloak alternatives in 2025 — from lightweight self-hosted solutions to fully managed enterprise-grade platforms — and help you decide what might work best for your team.
A look at Keycloak's admin dashboard.
Reasons to Switch From Keycloak
While Keycloak is powerful, it isn’t always the most convenient solution. Here are a few reasons teams look for an alternative:
Operational Overhead: Managing Keycloak yourself requires handling updates, backups, scaling, and security patches. That’s a lot for teams that want to focus on product development.
Complexity: Keycloak’s configuration UI and documentation can feel overwhelming, especially for smaller teams or those new to IAM.
Performance Bottlenecks: At scale, Keycloak’s performance can lag without considerable optimization and monitoring.
Lack of Extensibility: Customizing workflows or deeply integrating with non-standard services can be clunky.
Cloud-Native Preferences: Many teams now prefer solutions that are plug-and-play with modern cloud platforms or serverless stacks.
So, what makes a good Keycloak alternative? A modern IAM solution should:
Be easy to integrate and customize
Offer strong protocol support (OAuth2, OIDC, SAML)
Scale with your application
Offer great documentation and developer experience
Provide flexible hosting options (cloud, self-hosted, hybrid)
Let’s dive into the top alternatives worth checking out in 2025.
1. Oso
A look at Oso’s product.
What is Oso:
Oso is an open-source authorization engine designed to simplify access control logic. Rather than handling authentication or identity management itself, Oso focuses specifically on authorization—fine-grained, logic-driven access decisions that you define in code using a policy language called Polar.
Why is Oso better than Keycloak:
If your team wants fine-grained control over authorization logic but doesn’t need a full user management system, Oso can complement lighter authentication systems beautifully. It’s ideal for apps with complex permissions, like multi-tenant SaaS or systems with nested roles and resources.
Pros:
Supports complex, real-time policy decisions using Polar
Embeddable in your app — not a separate service
Seamlessly integrates with your existing user models
Oso provides flexible pricing plans tailored to various business scales. Their Developer-tier starts at $0 per month, while the Startup-tier begins at $149 per month. For their Growth-tier and migration services, pricing is customized based on individual consultations with their experts.
2. Auth0
A screengrab of Auth0’s dashboard UI.
Auth0 is a fully managed identity platform that simplifies authentication and authorization through SDKs, APIs, and a sleek dashboard. It supports social login, enterprise SSO, and multifactor authentication right out of the box.
Why it’s a good alternative:
Auth0 lets teams ship authentication fast without becoming identity experts. Its robust feature set is ideal for growing applications that need to support complex login flows or multiple identity providers.
Pros:
Built-in support for social, enterprise, and passwordless login
Rich RBAC and tenant isolation features
Strong extensibility through Actions and Rules
Audit logging and anomaly detection baked in
Cons:
Costs can spike as MAUs increase
Less flexible UI customization unless on higher plans
Data residency is fixed unless on enterprise tier
What is Auth0’s Pricing?
Auth0 provides both a free-tier and several premium-tier options. The entry-level premium plan ranges from $35 to $150 per month for 500 users, depending on the specific use case. They also offer annual pricing and allow customization based on the number of monthly active users.
3. Ory
Ory is a modular, cloud-native IAM platform composed of purpose-built services like Kratos (identity), Hydra (OAuth2), Keto (RBAC), and Oathkeeper (gateway).
Why it’s a good alternative:
Ory breaks monoliths like Keycloak into composable services. It’s ideal for teams deploying on Kubernetes or building large-scale, distributed systems where control over every IAM layer is necessary.
Pros:
Modular services allow fine-grained control over architecture
Extremely performant and horizontally scalable
API-first with structured versioning and CLI tooling
Backed by an active open-source community and foundation
Cons:
Requires orchestration between modules
No plug-and-play admin UI — you need to build your own or use third-party
Limited plug-and-play integrations compared to managed providers
What is Ory’s Pricing?
Ory is primarily based on a free open-source core. However, they offer premium cloud tiers based on the user’s need. Their lowest-tier, Ory Network Production, retails at $70/month.
4. Okta
A preview of Okta’s dashboard interface.
Okta is a trusted enterprise identity provider offering authentication, user lifecycle management, and SSO across workforce and customer-facing applications.
Why it’s a good alternative:
Okta delivers deep compliance features and battle-tested reliability. If you're serving a regulated industry or managing thousands of internal users, Okta offers tooling that few others match.
Pros:
Extensive SCIM and directory sync capabilities
Native support for B2B federation and Just-in-Time provisioning
Global reliability SLAs and enterprise compliance
Lifecycle management via Workflows
Cons:
UI feels outdated and less developer-oriented
Complex to configure for multi-tenant apps
Can be prohibitively expensive for startups
What is Okta’s Pricing?
Okta comes with a higher price point than some alternatives and often involves complex enterprise setups that may need specialized expertise. Similar to Microsoft Entra ID, Okta’s entry-level plan is priced at $6 per user per month.
5. FusionAuth
A screengrab of the FusionAuth users page.
FusionAuth is a complete identity platform that’s installable on your infrastructure or via the cloud. It’s designed with developers in mind, supporting OAuth2, OpenID, JWT, and customizable login flows.
Why it’s a good alternative:
FusionAuth offers the control of Keycloak without the same operational burden. It’s highly configurable and handles a wide range of use cases from multi-tenant SaaS to CIAM.
Pros:
Fine-grained tenant and role control
Clean UI and customizable user workflows
Event and webhook system for downstream triggers
Well-designed for embedded login experiences
Cons:
Smaller ecosystem for third-party plugins
Advanced features (e.g., SAML IdP support) require paid tiers
What is FusionAuth’s Pricing?
Free for self-hosted version available. FusionAuth generally dictates their pricing based on the plan you choose, as well as the type of hosting selected. They offer a monthly pricing calculator on their webpage, allowing users to play with numbers and options before selecting.
6. Gluu
A peek at Gluu’s user interface.
Gluu is a security-focused, open-source IAM platform designed for enterprises needing SAML, OpenID Connect, and UMA support.
Why it’s a good alternative:
If you’re in a compliance-heavy sector like healthcare or finance, Gluu provides flexibility and security without the vendor lock-in of managed IAM providers.
Pros:
Strong support for older enterprise protocols like SAML2
UMA support for user-consent-driven authorization
Compatible with multiple LDAP backends
Cons:
Heavy infrastructure footprint
Configuration management is complex and error-prone
UI and deployment process lag behind modern expectations
What is Gluu’s Pricing?
Gluu is free open-source. However, they do offer commercial support which is typically based on MAU’s.
7. Supabase Auth
An overview of Supabase Auth’s privileges.
Part of the Supabase ecosystem, Supabase Auth is a simple but effective authentication system built on GoTrue (originally from Netlify). It supports social logins, email magic links, and passwordless login.
Why it’s a good alternative:
Perfect for fast prototyping or projects already using Supabase’s database and serverless functions. It keeps your stack tight and easy to manage.
Pros:
Passwordless login is built-in and easy to set up
Social providers available with one-click configuration
Real-time syncing with Supabase DB
Cons:
Authorization logic is basic — better suited for simple apps
Limited enterprise readiness
Doesn’t support SAML or SCIM
What is Supabase’s Pricing?
Supabase offers a free-tier with 50,000 MAU and limited specs. Upgrading to the higher-tiers offer better specs, with the next being the pro-tier retailing from $25/month.
8. Clerk
A capture of Clerk’s product.
Clerk provides frontend-centric authentication for React, Next.js, and other JavaScript frameworks. It comes with drop-in UI components and APIs for managing sessions, MFA, and user profiles.
Why it’s a good alternative:
If your frontend stack is React-heavy, Clerk gets you to production quickly with minimal boilerplate. It handles session and user state without needing custom logic.
Pros:
Prebuilt components for fast frontend integration
First-class support for MFA and email verification
Supports org-based auth and multi-session handling
Cons:
Limited back-end language support
Less extensible outside React ecosystem
Not ideal for deeply customized workflows
What is Clerk’s Pricing?
Clerk offers a free-tier for up 10,000 MAUs including everything needed to get started. Their next tier is their pro plan which begins at $20/month and $0.02/MAU after your first 10,000.
9. AWS Cognito
Amazon Cognito is a managed identity service from AWS. It combines user pools (authentication) with identity pools (federation) for managing user identity and access.
Why it’s a good alternative:
If you’re building on AWS and don’t want to leave the ecosystem, Cognito provides reasonable IAM integration with your Lambda functions, API Gateway, and other services.
Pros:
Tight AWS service integration (IAM, API Gateway, AppSync)
Highly scalable and resilient
Federation support with minimal setup
Cons:
Poor developer ergonomics and API design
UI customization is clunky
Debugging issues can be opaque
What is Amazon Cognito’s Pricing?
Amazon Cognito offers a pay-as-you-go pricing model making it cost effective with usage variance. They offer a free-tier for the first 10,000 users and charge per user based on region after crossing the threshold. They also offer more advanced-tiers, which come at greater costs and no free trials.
10. Authentik
A look at Authentik’s dashboard UI.
Authentik is a modern open-source authentication provider that supports OAuth2, SAML, and LDAP, built with modern developer needs in mind.
Why it’s a good alternative:
It’s arguably what Keycloak should have been—lightweight, modern, Docker-native, and built for today’s security needs. Perfect for self-hosters and homelab pros.
Pros:
Modern admin interface with visual policy builder
Clean, modular codebase for extensibility
Built-in provider bridging between OIDC, SAML, and LDAP
Cons:
Smaller contributor base and less third-party tooling
Still maturing compared to older IAM systems
Some missing features like consent management
What is Authentik’s Pricing?
Authentik is free and open-source, but also has premium-tiers starting at $5/user/month. Their enterprise subscription is based on a consultation, but is said to begin at $20k/year billed annually.
Conclusion
Keycloak has earned its spot in the IAM world, but it's not the only game in town. Whether you're looking for better scalability, cleaner developer experience, or tighter control over your access policies, there's a solution that fits your stack better.
Open-source purists might gravitate toward Ory or Authentik, while those prioritizing ease-of-use might prefer Auth0, Clerk, or FusionAuth. If you’re already invested in AWS, Cognito might be the most seamless option.
Ultimately, the right alternative depends on your team size, hosting preferences, feature needs, and budget. Try a few — and see which one makes identity management feel like less of a chore and more of an accelerator.
Access control management is the practice of ensuring specific people have access to specific resources: no more and no less. At its very core, cybersecurity is about good access control management. Stopping hackers or unintentional data leaks amounts to ensuring that resources aren't accessible by users without access.
In this article, you’ll learn how to approach access control management today. We’ll cover the security risks, the systems involved, and best practices to ensure that your organization remains as secure as possible.
1. Introduction: Why Access Risk Begins With Authorization Logic
When I see IT professionals first approach access management, they initially approach it as a set of checkboxes: enable two-factor authentication, revoke former employees' accounts, audit user permissions quarterly, and so on.
I once believed in this tactical view—and it is important—but it doesn't address a fundamental architectural concern: access risk that stems from how authorization logic is designed and implemented within your application.
For developers, this means systematically identifying where your application's permission logic can fail, grant excessive privileges, or drift from intended behavior over time. Compliance frameworks like SOC 2, GDPR, and HIPAA require demonstrated control over data access for good reason: authorization failures consistently drive both regulatory violations and data breaches.
For example, flawed authorization logic enabled attackers in the 2019 Capital One breach to access 100 million customer records through a misconfigured web application firewall. Similarly, the 2020 SolarWinds attack exploited excessive privileged access to cascade across thousands of organizations. In modern hybrid and cloud-native environments, authorization failures become launching pads for comprehensive system compromise.
2. Understanding Access Management Risk in Application Development
In the early days of your product, authorization might be as simple as checking if someone has access to a particular document or resource. But as your MVP grows, that logic starts spreading everywhere: React components, API routes, database queries, and third-party integrations. Before you know it, you're debugging why the new intern can somehow delete production data, or why that contractor still has internal systems access months after their project ended.
I’ve noticed that this organic growth tends to create access risk through two types of decisions.
Sprawling authorization checks across services: Those if user.role == 'admin' checks scattered throughout your codebase become maintenance nightmares when business requirements change. Imagine that you now need to add a "super admin" role: every one of those checks may have to be updated, and it would be difficult to verify it’s working correctly.
Privilege creep: When updating logic becomes costly, I’ve seen developers simply grant broader permissions to existing roles. "Just give them editor access for now" becomes permanent, blurring role boundaries and violating least privilege principles.
These decisions feel inconsequential in the moment, but they compound over time. I’ve experienced this sluggish but constant deterioration of security before. The reality is that engineering teams must own a large portion of access control risk and avoid delegating it entirely to security teams. When developers and security collaborate early in building authorization architecture, those simple permission checks avoid evolving into systemic risks.
3. Top Access Control Risks Developers Should Assess
To understand access control risks, you can start by identifying authorization logic decisions that have the potential to turn into security failures. These are some access security risks I’ve seen emerge as teams and codebases scale:
Inconsistent Policy Enforcement Across Services
When your user service says Sarah is a "viewer," but your API gateway treats her as an "editor," you've got a consistency problem. This can happen more easily than you think. Different teams can implement different interpretations of the same role, creating gaps where unauthorized access slips through.
Authorization Logic Sprawl
You ship an MVP with a simple if user.role == 'admin' check. Then, business requirements evolve, leading this simple check to evolve into an unreadable nested conditional like if (user.role == 'admin' || (user.role == 'editor' && user.department == 'marketing' && resource.owner == user.id))
Sound familiar? Each new business requirement adds another layer of complexity, making your authorization logic impossible to reason about, test, or modify safely.
Zero Visibility Into Effective Permissions
Can you quickly answer "What can the new contractor actually access?" across your entire application? As teams begin to scale, they discover that they can't. Without centralized visibility, access reviews can turn into archaeological expeditions, and security incidents reveal permissions you didn't know existed.
Blurred Lines Between Identity and Authorization
Many applications embed authorization decisions directly into user profiles or JWT tokens, conflating "who someone is" with "what they can do." What should be a simple change, such as "temporarily restricting all contractor access to customer data," becomes a nightmare of updating multiple systems and potentially breaking functionality.
Missing Governance for Permission Changes
Permission changes often happen through direct database updates, config file edits, or hardcoded assignments. Without review workflows and change tracking, you can't understand how permissions evolved or roll back problematic changes, turning every access issue into a forensic investigation.
4. A Code-First Approach to Assessing Access Management Risk
The problems I've outlined so far stem from sacrificing scalability for speed. It’s time to look at authorization in a scaled system as a first-class engineering concern. What if instead of burying permission checks throughout your codebase, you could model access control the same way you model your data: as a structured, queryable, testable system?
This shift from authorization logic to authorization data changes everything. Rather than hunting through conditionals scattered across services, you define policies in a centralized, declarative way. Instead of debugging why someone has unexpected access, you query your policy engine to understand exactly what permissions are in effect.
Separating Authorization From Business Logic
Problematic authorization ties access directly to business logic. However, a tier that allows access to certain premium features is a fundamentally different concern if a certain identity can access those features. Instead, business logic should be separated from authorization, where authorization is purpose-built to strictly answer if a specific identity has access to a specific resource. Meanwhile, whether or not that question is asked is determined by business logic.
The Power of Declarative Policy Languages
Declarative authorization policy languages, such as Polar, let you express complex authorization rules in a readable, maintainable format. Instead of nested conditionals, you write rules that look like: allow(user, "edit", document) if user in document.editors. These policies become living documentation of your access control requirements while remaining executable code.
Policy as Code Unlocks New Capabilities
This approach unlocks engineering best practices that were impossible with scattered authorization logic:
Versioning & auditability: Track exactly how permissions changed over time, with proper commit history and pull request reviews for policy changes.
Unit testing policies: Write comprehensive tests for your authorization rules, catching edge cases before they reach production.
Reusing logic across services: Define common patterns once and apply them consistently, eliminating the drift between different team implementations.
Reducing developer overhead: New features focus on business logic rather than reinventing permission checks, freeing developers from having to solve the same authorization patterns repeatedly.
5. How to Conduct a Developer-Friendly Access Risk Assessment
I love theory as much as the next person, but actually auditing an existing authorization mess can be a nightmare. In the past, I’ve used the following checklist as a practical approach to assessing access risk that minimizes cost.
Inventory all access decisions in your codebase. Start with a simple grep search for patterns like user.role, permissions, can_, is_admin, and authorize. Check frontend code, database triggers, and configuration files. The goal is to build a mental map of where authorization happens.
Identify where authorization logic lives. Next, group findings by location: API middleware, route handlers, frontend components, database security, and third-party configs. If authorization spans more than three different layers, it’s a good idea to also check for consistency problems.
Check for duplication and divergence. Look for similar permission checks implemented differently. If a user is given the ability to delete other users, for example, it could be implemented as user.role === 'admin' in one service, but user.permissions.includes('delete_users') in another. These inconsistencies are your highest-risk areas.
Map user roles to business needs (not convenience). List every role and assess whether it serves a real business function or if it was created simply to make implementation easier.
Review elevated access paths. Trace how users gain admin or elevated privileges. Can the support staff escalate permissions? Do API keys have excessive scope? Are there emergency access procedures that bypass authorization?
Add tests for edge cases. Write tests for scenarios like cross-tenant access, expired permissions, and role transitions. Authorization edge cases are where breaches happen.
Document who can change policies and how. Map your permission change workflow: Who can modify roles? How are changes deployed? Is there approval? Make sure that every step is audited to ensure that policies are only able to be changed by the intended users.
6. Best Practices to Reduce Access Risk in Code
Once the assessment of the current state is complete, I’ve found that I’ll have a strong sense of where the weak points are. Next, I use the following principles to implement new patterns around authorization, which scale with the product I’m working on and minimize technical debt and security risks.
Centralize policies in a policy engine. Instead of scattering authorization logic across your codebase, consolidate all access decisions in a dedicated policy engine. This creates a single source of truth that eliminates inconsistencies and makes changes predictable. When you need to update permissions, modify policies in this one place rather than hunting for authorization logic throughout your dozens of services.
Use relationship-based access control (ReBAC) where appropriate. For complex authorization scenarios, relationship-based models are more natural than role-based ones. Consider file access: RBAC creates roles like "Finance_Viewer," "HR_Editor," and "Engineering_Admin" for each department. ReBAC simply says, "Team members can view files in their team's folder,” a simple rule that automatically works as you add new teams. You define relationships like "member_of" and derive permissions from those connections, making policies that mirror how your business actually works.
Design for least privilege from day one. Start with minimal permissions and add access as needed, rather than granting broad permissions and trying to restrict later. This means being explicit about what each role can do instead of what it can't do. Default-deny policies prevent privilege creep.
Build policies that reflect your domain model. Your authorization rules should be determined by business concepts, not technical convenience. If your business talks about "project members" and "team leads," your policies should use those terms instead of generic "users" and "admins." This alignment makes policies easier to review and modify as requirements change.
Provide interfaces for policy review. Security and product teams need visibility into authorization rules without reading code. Having dashboards or admin interfaces that show effective permissions, role definitions, and policy changes is incredibly useful to the stakeholders who determine access rules.
Integrate policy checks into CI/CD. All critical code is run through continuous integration / continuous development (CI/CD) pipelines, and authorization policies should be no different. Use CI/CD to eliminate breaking authorization changes and enable review from multiple members of your team.
7. Example: Access Risk in a SaaS App
Let’s make this more concrete with an example. Consider a typical document management platform with three roles for your MVP:
Employees who can view their own documents
Managers who can access their team's files
Admins who have full access
For an MVP, I’ve often implemented this as one-off checks in API routes, which usually suffice for the intended scale.
However, as business requirements grow, complexity creeps in. What happens when someone is managing two teams? Can managers edit documents or just view them? What about contractors who need access to specific projects but shouldn't see company-wide files? Do departing employees immediately lose access to documents they created?
Without clear policies, it’s easy to start making one-off decisions. The frontend might check user.role === 'manager' while the API verifies user.department === document.department. The mobile app implements different logic from the web app. Soon, you're debugging why the new marketing manager can't access last quarter's campaign docs, or why a former employee still has read access.
Modeling Clear Policies with Polar
Instead of scattered conditionals, you can express these authorization rules declaratively using Polar. Here's how the document access policy looks:
actor User {}
resource Document {
permissions = ["read", "edit", "delete"];
roles = ["viewer", "editor", "owner"];
relations = { team: Team, creator: User };
# Basic permissions
"read"if"viewer";
"edit"if"editor";
"delete"if"owner";
# Role hierarchy
"viewer"if"editor";
"editor"if"owner";
# Team-based access
"viewer"if"member" on "team";
"editor"if"manager" on "team";
# Creator access
"owner"if"creator";
}
resource Team {
roles = ["member", "manager"];
}
This single policy file captures all the business rules: team members can view team documents, managers can edit them, document creators have full ownership, and roles inherit permissions appropriately.
How Policy Review Surfaces Hidden Risks
With centralized policies, security teams can easily spot problematic patterns. Looking at the policy above, they might ask: "Wait, can managers edit documents from other teams if they're temporarily assigned to multiple teams?" It’s easy to tell that the answer is yes but with scattered if statements, that could have been a business logic error, nigh impossible to catch.
Testing becomes straightforward, too. You can write unit tests in Python, such as:
# Test cross-team access assert not oso.authorize(marketing_manager, "edit", engineering_doc)
# Test role transitions user.remove_role("manager", marketing_team) assert not oso.authorize(user, "edit", marketing_doc)
In the typical authorization logic sprawl, it would be much more difficult to test whether role changes take effect immediately or whether temporary team assignments create unintended access paths without a centralized policy store.
8. Access Risk Assessment as a Living Practice
I’ve outlined several ways to assess authorization risk, but as a product grows, new areas of risk can emerge because each new feature introduces potential access control gaps.
Making Access Management Part of Your SDLC
I believe that the most effective approach to maintaining secure access management is to treat authorization as a first-class concern in the software development life cycle (SDLC). During architecture reviews, ask "How will this feature affect who can access what?" alongside performance and scalability questions. When designing new user types or resource hierarchies, map out the permission implications before writing code.
More broadly, this means establishing clear checkpoints in your SDLC. Policy changes should require a security review, just like database schema changes. New roles need a business justification beyond "it makes the implementation easier." Authorization edge cases should get explicit test coverage in your acceptance criteria.
Let’s make this practical.
Feature planning: Include access control requirements in user stories. "As a team manager, I need to view team reports" should specify whether this includes former team members' data, contractors, or cross-functional project participants.
Code reviews: Flag pull requests that introduce new permission checks or modify existing ones. Look for hardcoded role checks, inconsistent authorization patterns, or missing authorization entirely on new endpoints.
Infrastructure reviews: When adding new services, databases, or third-party integrations, assess how they'll inherit or bypass existing authorization controls. Service-to-service communication often becomes an unintended privilege escalation path.
Regular policy audits: Schedule quarterly reviews of effective permissions, especially for elevated roles. Use your policy engine's visibility tools to identify permissions that exist in theory but aren't used in practice—these often indicate either over-privileged roles or missing functionality.
In my view, don't make perfect security the goal from day one. Instead, slowly build systems that make authorization risks visible and manageable as complexity grows.
9. Conclusion: From Risk to Resilience
Access management doesn't have to be complex. Instead of hunting through scattered if user.role === 'admin' statements and patching holes after incidents, I've found that successful teams consolidate authorization logic into a centralized, reviewable system.
More broadly, I believe authorization can be infrastructure-versioned, tested, and observable, enabling you to ship features confidently, onboard new developers faster, and answer compliance questions with executable code rather than documentation guesswork.
Here's the reality: engineering teams own most access control risk, not just security teams. Every authorization decision made during development directly impacts your security posture. Ready to start? I recommend learning to audit your current access management decisions using Oso’s Authorization Academy, or implementing your first declarative Polar policy with Oso Cloud.
FAQs
What is Access Control Management?
Access control management is the process of implementing tools, policies, and procedures to ensure that users, applications, and devices can only access the data, systems, and services they are explicitly authorized to use. It includes assigning permissions, verifying identities, and continuously monitoring access activities to prevent unauthorized use.
Why is Access Control Management Important?
Access control is critical for:
Preventing data breaches and insider threats
Protecting sensitive customer or employee information
Complying with regulations like GDPR, HIPAA, PCI DSS, and SOX
Maintaining business continuity through secure and auditable access processes
It strengthens both cybersecurity posture and regulatory audit readiness.
What is The Difference Between Access Control and Access Management?
Access control refers to the enforcement of rules that govern who can access what.
Access management is a broader discipline that includes identity verification (authentication), policy creation, provisioning/deprovisioning, and continuous monitoring.
Access management risk assessment is the process of identifying, evaluating, and mitigating risks related to how users, applications, and systems access sensitive resources within an organization. It ensures that access controls align with security requirements, regulatory compliance, and business needs.
What are The Risks of Poor Access Control Management?
Data breaches and loss of customer trust
Insider misuse of privileges
Regulatory fines and audit failures
Account takeover and lateral movement by attackers
Operational disruptions from unauthorized changes
What are Dynamic Access Controls and How Do They Work?
Dynamic access control uses contextual data (like time, location, device, and behavior) to evaluate each access request in real-time. It allows organizations to grant or deny access based on dynamic risk scores rather than just static roles or rules.
Why are Access Controls Important for Compliance Audits?
Auditors evaluate access controls to ensure that only authorized users can access sensitive systems and data. Strong access controls reduce the risk of data breaches, support regulatory compliance, and demonstrate organizational commitment to security best practices.
What are The Risks of Poor Access Control Management?
Weak or missing access controls can lead to:
Unauthorized access to sensitive information
Insider threats and data leaks
Compliance violations and failed audits
Inadequate user offboarding
Difficulty tracking privileged user activity
In the early days of your product, authorization might be as simple as checking if someone's logged in before showing the admin panel. But as your MVP grows, that logic starts spreading everywhere: to React components, API routes, database queries, and third-party integrations. Before you know it, you're debugging why an arbitrary hire can alter production data.
This organic growth creates access risk through three types of decisions that feel routine but compound over time:
Hardcoded authorization logic: Those if user.role == 'admin' checks scattered throughout your codebase become maintenance nightmares when business requirements change. What happens when you need to add a "super admin" role, or when an "admin" needs different permissions across different parts of your app?
Sprawling conditionals across services: When authorization logic lives in multiple places—frontend guards, API middleware, database triggers—it becomes nearly impossible to answer: "Who can actually do what?" Inconsistent enforcement is inevitable.
Privilege creep through unclear role definitions: Developers grant broader permissions to avoid breaking things, especially when role boundaries are fuzzy. "Just give them editor access for now" becomes permanent, violating least privilege principles.
If you're working with infrastructure as code, especially with Terraform, you know how quickly things can get out of hand without proper governance. This is where policy as code comes in handy. Today we’ll discuss Open Policy Agent. OPA is one of the best tools to help you maintain security while using Terraform.
What exactly is Policy as Code?
Policy as Code (PaC) is the practice of defining your governance, compliance, and security rules using code. Think of it as version-controlling your rules, making them auditable, and automatically enforcing them. For Terraform users, this means you can evaluate infrastructure changes before they're deployed and roll them back quickly if something unexpected happens after they're deployed. This significantly reduces the risk of misconfigurations and non-compliance. By integrating PaC into your CI/CD pipelines, you gain consistency, traceability, and faster remediation across your infrastructure workflows.
How Open Policy Agent works with Terraform
OPA is a general-purpose policy engine that evaluates policies written in a language called Rego against JSON-based data inputs. When it comes to Terraform, OPA can evaluate your policies against the JSON output of a Terraform plan. Tools like Conftest or OPA’s HTTP API can then be used to test whether your proposed infrastructure changes meet your defined policy requirements. For example, you can use OPA to validate that resources are only deployed in approved regions or that all required tags are present. The results of these evaluations can then be used to block, warn, or simply log non-compliant infrastructure changes in your automated workflows.
OPA vs. Sentinel: a quick comparison
If you've been in the Terraform ecosystem for a while, you might be familiar with Sentinel. So, what's the difference between OPA and Sentinel? OPA is a more flexible, open-source policy engine that works across a much broader cloud-native stack – Terraform, Kubernetes, APIs, and more. Sentinel, on the other hand, is developed by HashiCorp and is tightly coupled with Terraform and the HashiCorp ecosystem. While Sentinel is great for what it does within its scope, OPA provides broader integration opportunities, a larger community, and greater extensibility. If you're a team looking to standardize policy enforcement across diverse environments and tools, OPA is definitely the way to go. For an introduction on how to use OPA for Kubernetes, checkout our guide here.
The benefits of integrating OPA with Terraform
Integrating OPA with Terraform offers several compelling benefits:
Preventing Non-Compliant Resources: You can stop non-compliant resources from ever being provisioned.
Enforcing Standards: Easily enforce tagging, naming, or security requirements across your infrastructure.
Early Feedback: Get immediate feedback in your CI/CD pipelines, catching issues before they become problems.
Writing an OPA policy with Terraform—an example
Let's walk through a simple example of how you might write an OPA policy to ensure that all AWS S3 buckets are encrypted. First, you'll need a Terraform plan output in JSON format. You can generate this using terraform plan -out=tfplan.binary and then terraform show -json tfplan.binary > tfplan.json.
Now, let's write a Rego policy (e.g., s3_encryption.rego):
package terraform.aws.s3
default allow = false
allow {
input.resource_changes[_].type == "aws_s3_bucket" input.resource_changes[_].change.after.server_side_encryption_configuration[_].rule[_].apply_server_side_encryption_by_default[_].sse_algorithm == "AES256"}
# Deny if any S3 bucket is created or updated without AES256 encryption
deny[msg] {
some i
resource := input.resource_changes[i]
resource.type == "aws_s3_bucket" resource.change.actions[_] == "create" not resource.change.after.server_side_encryption_configuration[_].rule[_].apply_server_side_encryption_by_default[_].sse_algorithm == "AES256"msg := sprintf("S3 bucket '%s' must have AES256 encryption enabled.", [resource.address])
}
deny[msg] {
some i
resource := input.resource_changes[i]
resource.type == "aws_s3_bucket" resource.change.actions[_] == "update" not resource.change.after.server_side_encryption_configuration[_].rule[_].apply_server_side_encryption_by_default[_].sse_algorithm == "AES256"msg := sprintf("S3 bucket '%s' must have AES256 encryption enabled.", [resource.address])
}
To test this policy, you can use the opa eval command:
If your Terraform plan includes an S3 bucket without AES256 encryption, the opa eval command will return a denial message, indicating a policy violation.
How does OPA differ from Oso?
OPA is a general-purpose policy engine used to evaluate rules against JSON-based data inputs. It’s commonly applied to infrastructure and admission control policies like with Terraform and Kubernetes. Oso on the other hand focuses on application-level access control. It can help with with authorization challenges within your application such as determining if a user is allowed to take a certain action or view a certain document. They are complementary tools specializing in authorization for different parts of your stack.
As an example, engineering teams can centralize infrastructure policy using OPA (e.g., deny insecure configurations) and centralize application authorization logic using Oso (e.g., only grant edit access to users with ‘admin’ or ‘editor’ status). Each tool serves a purpose, and together they support a broader policy-as-code initiative.
When to choose Oso or OPA
This is a common question, and it's important to understand their distinct roles:
Use OPA when you need to validate resource configuration across environments, especially in CI/CD or with infrastructure-as-code tools.
OPA shines in its ability to integrate with your infrastucture like Kubernetes and Terraform natively. Oso’s strength is in its ability to easily integrate into your application, simplifiying and centralizing authorization logic.
Conclusion
Adopting policy as code with OPA is great for managing your infrastructure. It brings the rigor and benefits of software development practices to your infrastructure, making it more secure, compliant, and manageable. While OPA handles the infrastructure side, remember that Oso is there to provide robust, fine-grained authorization within your applications. Used together, they create a powerful, layered approach to policy enforcement across your entire stack.
In this article, we’ll cover using OPA Gatekeeper for maintaining security and compliance in your Kubernetes environment. Open Policy Agent (OPA) and its Kubernetes-specific integration, OPA Gatekeeper, address the challenges of security and compliance through a clean policy-as-code approach. This article explores what OPA and Gatekeeper are, how they integrate with your Kubernetes environment, and how to use them to enforce organizational security standards. Specifically, this guide will inform you on making your Kubernetes clusters more robust and less prone to misconfigurations.
What is Open Policy Agent (OPA)?
Open Policy Agent is an open-source, general-purpose policy engine that defines and enforces policies as code across your entire infrastructure stack. You can write rules once and apply them everywhere from microservices and APIs to CI/CD pipelines and Kubernetes.
OPA uses Rego for writing policy rules. Rego is designed to query and manipulate structured data like JSON. For example, you could use OPA to deny requests when container images do not come from approved registries. This approach decouples policy decision making from application logic. Your services ask OPA for decisions rather than containing hardcoded rules.
The policy-as-code approach enables version control, testing, and reuse of policies across different environments, making your security posture more consistent and manageable. OPA exposes APIs through HTTP or library calls to evaluate policy queries, acting as a centralized decision point where any component can ask, "Is this action allowed?" or "Does this configuration comply with our policies?".
If you’d like to go deeper on OPA and Rego, we have an entire tutorial with examples.
How OPA helps secure Kubernetes environments
In Kubernetes environments, admission controllers serve as the first line of defense for security and compliance enforcement. These plugins intercept API server requests before objects are persisted. OPA can be deployed as a dynamic admission controller to enforce custom policies on Kubernetes resources.
OPA integration provides flexible mechanisms for implementing fine-grained controls beyond Kubernetes' built-in validations. For example, you could use the OPA integration to mandate specific labels for auditing purposes, enforce resource limits, allow images from approved sources only, etc.
OPA evaluates each incoming object against organizational rules. Non-compliant configurations (such as Pods missing required securityContext settings) are rejected with clear explanatory messages, preventing misconfigurations from being applied.
Beyond real-time enforcement, OPA constantly audits existing resources for violations, detecting any drift from desired states. This provides a comprehensive approach to defining and enforcing cluster governance rules.
What is OPA atekeeper?
OPA Gatekeeper is the result of a collaboration between Google, Microsoft, Red Hat, and Styra to provide native OPA support in Kubernetes. It’s the Kubernetes-specific integration of OPA designed to simplify policy decisions in Kubernetes environments. Gatekeeper extends the Kubernetes API with Custom Resource Definitions (CRDs) for policy enforcement. OPA Gatekeeper is implemented as a webhook that can both validate incoming requests and modify requests before allowing them to pass.
Gatekeeper enhances OPA with several Kubernetes-native features:
ConstraintTemplates and Constraints: CRDs that declare policies as Kubernetes objects rather than raw configuration files, enabling policy management through kubectl
Parameterization and Reusability: ConstraintTemplates serve as reusable policy definitions, while Constraints are parameterized instances, creating extensible policy libraries
Audit Functionality: Continuous resource auditing against enforced policies, identifying violations in resources created before policy implementation
Native Integration: Built-in Kubernetes tooling that registers as ValidatingAdmissionWebhook and MutatingAdmissionWebhook, ensuring real-time policy enforcement
Gatekeeper transforms OPA into a Kubernetes-native admission controller using a "configure, not code" approach. Instead of building custom webhooks, you write Rego policies and JSON configurations while Gatekeeper handles admission flow integration.
Working within the Kubernetes control plane
Gatekeeper integrates as a “validating admission webhook” within the API server's admission control pipeline. What does that actually mean? When requests to create or modify Kubernetes resources are sent, the API Server authenticates and authorizes them before invoking admission controllers.
The integration process works as follows: Gatekeeper registers a webhook with the API Server for admission events (Pod creation, Deployment updates, etc.). The API Server pauses requests and sends objects (wrapped in AdmissionReview) to Gatekeeper/OPA for evaluation. Using OPA, Gatekeeper evaluates objects against active policies (Constraints). Policy violations result in rejection responses with explanatory messages, while compliant requests are accepted and fulfilled.
A look at K8s Admissions Control Phases
Gatekeeper's admission webhook translates Kubernetes AdmissionReview requests into OPA's input format and queries the loaded Rego policies. The JSON structure passed to OPA includes object content, operations (CREATE/UPDATE), and user information. OPA outputs violations, which Gatekeeper translates into admission responses.
Beyond real-time enforcement, Gatekeeper provides background caching and auditing capabilities. It can replicate Kubernetes objects into OPA's data store, enabling policies to reference other cluster resources (e.g., "deny this Ingress if any other Ingress has the same hostname"). The audit controller periodically scans resources against policies, storing violation results in Constraint status fields for governance reporting.
To recap, Gatekeeper extends the Kubernetes control plane by adding two main things. The first is policy enforcement at admission time. The second is continuous audit capabilities. With OPA Gatekeeper, you’re able to get both of these functionalities without replacing core components of your Kubernetes environment. This architecture integrates cleanly with Kubernetes API machinery while respecting the platform's design principles.
Next we’ll go a little deeper into Constraint and take a look at a real-world example.
ConstraintTemplates and Constraints
ConstraintTemplate is a fundamental concept in OPA Gatekeeper. This Kubernetes Custom Resource Definition (CRD) defines new policy types, serving as blueprints that contain Rego evaluation code and parameter schemas for different policy uses.
When creating a ConstraintTemplate, you define a new constraint type for the Kubernetes API. For example, a template named "K8sRequiredLabels" creates a constraint kind "K8sRequiredLabels". Templates consist of two main components:
Targets & Rego: The actual policy code that runs for admission requests. In Gatekeeper, the target is typically admission.k8s.gatekeeper.sh, applying to Kubernetes object admission events. Rego code produces violation[] or deny[] rules when policies are violated, causing Gatekeeper to block requests with explanatory messages.
CRD Schema: Defines the structure of spec.parameters that users provide in Constraints. This enables policy reusability by allowing administrators to specify inputs (required labels, value ranges, etc.) when instantiating policies.
ConstraintTemplates alone do not enforce policies until you create Constraints, which are template instances. The workflow involves applying a ConstraintTemplate (registering the policy type), then applying Constraint resources to activate enforcement. Gatekeeper compiles Rego from all ConstraintTemplates and enforces policies when corresponding Constraints exist.
This pattern enables reusability and separation of concerns. Policy authors provide generic templates while cluster administrators instantiate them with organization-specific settings. For instance, a K8sRequiredLabels template can generate multiple Constraints: one requiring "owner" labels on Deployments, another requiring "environment" labels on Namespaces.
A Real-World Policy Example: Enforcing required labels
Let's make this concrete with an example. Imagine you want to ensure every Kubernetes Namespace has specific labels, perhaps to indicate the department or owner. Here is how you would do it with OPA Gatekeeper:
This ConstraintTemplate defines a new policy type called K8sRequiredLabels. It specifies that this policy will take a message (string) and a list of labels (array of strings) as parameters. The Rego code then checks if all the specified labels are present on the incoming Kubernetes object.
2. Constraint Example—enforcing labels on namespaces
To actually enforce this, you would create a Constraint that uses this template:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: namespace-must-have-owner-and-env
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Namespace"]
parameters:
message: "Namespaces must have 'owner' and 'environment' labels."labels:
- owner
- environment
This Constraint named namespace-must-have-owner-and-env uses our K8sRequiredLabels template. It is configured to match Namespace objects and requires them to have both owner and environment labels. If someone tries to create a Namespace without these labels, Gatekeeper will block the request and return the specified message.
Getting started with OPA Gatekeeper
Getting started with OPA Gatekeeper is straightforward. You can install it in your Kubernetes cluster using Helm or by applying the raw YAML manifests. The official Gatekeeper documentation provides detailed instructions for installation.
Once installed, you will want to:
Deploy ConstraintTemplates: Start by deploying the ConstraintTemplates that define the types of policies you want to enforce. You can find a library of common ConstraintTemplates in the Gatekeeper policy library.
Create Constraints: Instantiate Constraints from your ConstraintTemplates, specifying the parameters and the resources they should apply to.
Test your policies: Always test your policies thoroughly in a non-production environment first. Make sure they behave as expected and do not inadvertently block legitimate operations.
Monitor and audit: Use Gatekeeper's audit functionality to continuously monitor your cluster for policy violations and ensure compliance.
The best way to get started is to pick a simple policy, like requiring specific labels or enforcing resource limits, and implement that first. Get comfortable with the ConstraintTemplate/Constraint pattern and how Rego works. From there, you can gradually build up more complex policies as your needs evolve.
Conclusion
OPA Gatekeeper provides a powerful way to implement policy-as-code in your Kubernetes clusters. By combining the flexibility of OPA with Kubernetes-native integration, it enables you to enforce security and compliance policies consistently across your infrastructure. The ConstraintTemplate and Constraint pattern makes policies reusable and maintainable, while the audit functionality helps you maintain ongoing compliance.
OPA Gatekeeper is a robust solution that integrates seamlessly with your existing Kubernetes workflows. Start with simple policies and gradually build up your policy library as you become more comfortable with the system. Best of luck!
If you're building modern applications, especially those using microservices or Kubernetes, you've probably bumped into the challenge of authorizing access to infrastructure. It's not just about who can log in, but what services they can access once they're in, and what those services can access. Today I want to discuss OPA and how we can use it to reason about and implement policy enforcement.
So, what exactly is OPA? At its core, OPA is an open-source, general-purpose policy engine. Think of it as a brain that makes decisions about whether something is allowed or not. The beauty of OPA is that it decouples policy decision-making from policy enforcement. This means your application or service doesn't need to know how to make a policy decision, it just needs to ask OPA, "Is this allowed?" and OPA will give a clear answer.
This is super important, because without proper consideration, you can end up with a hard to manage mess of policies sprinkled all throughout your code. You have policies for who can access your APIs, what containers can run in Kubernetes, how your CI/CD pipelines behave, and even what data can be accessed in your databases. Trying to hardcode these policies into every single service is a nightmare to manage and update. OPA provides a unified way to manage all these policies as code, making them consistent, auditable, and much easier to maintain.
Here's how it generally works: Your software queries OPA, providing structured data (usually JSON) as input. This input could be something like a user's identity, the resource they're trying to access, the time of day, or even environmental variables. OPA then evaluates this input against its policies, which are written in a high-level declarative language called Rego. The output is a decision, which can be a simple allow/denyor more complex structured data, depending on what your policy needs to convey.
In this article, I'm going to walk you through some practical examples and use cases where OPA truly shines. We'll dive into the details of Rego and see how you can use OPA to solve real-world authorization challenges. Let's get started!
2. Understanding Rego: OPA's Policy Language
Now that you have a grasp of what OPA is, let's talk about Rego. Rego is the language you'll use to write your policies in OPA. It's a declarative language, which means you describe what you want to achieve, not how to achieve it. It's specifically designed for expressing policies over complex, hierarchical data structures like JSON.
In Rego, policies are defined as rules. These rules essentially define what is true or false based on the input data. Let's look at some core concepts:
Rules
Rules in Rego can be either complete or partial.
Complete Rules: These assign a single value to a variable. For example, a rule that defines whether a request is allowed or denied.
In this simple example, allow is true only if the input method is "GET" and the path is "users". Otherwise, it defaults to false. This means that the following input would result in true .
Partial Rules: These generate a set of values and assign that set to a variable. This is useful for collecting multiple results that satisfy a condition.
Rego policies are built using expressions. Multiple expressions within a rule are implicitly joined by a logical AND. All expressions must evaluate to true for the rule to be true. For example:
You can use variables to store intermediate values or to iterate over collections. Variables are assigned using the := operator. OPA will find values for variables that make all expressions true.
allow {
user := input.user
data.roles[user] == "admin"}
In this case, user is assigned the value of input.user, and then that user is checked against the data.roles to see if they are an "admin".
Iteration
Iteration in Rego often happens implicitly when you use variables in expressions. For example, to check if any element in a list meets a condition, you can use a variable to represent each element:
allow {
some i
input.roles[i] == "admin"}
This rule would be true if any of the roles in input.roles is "admin". The some keyword is used to declare local variables that are used for iteration.
If you want to return true if roles only contains admin, then you can do the following.
allow {
not some i
input.roles[i] != "admin"}
This says “Allow if there does not exist any index i such that input.roles[i] != "admin"”. In other words, all roles must be “admin”.
This is just a quick overview of Rego basics. The official OPA documentation is an excellent resource for a deeper dive. Now, let's get into some real-world use cases!
3. OPA Use Cases and Practical Examples
Now let’s se OPA in action! I’ve picked out five common scenarios where OPA can be incredibly powerful. For each, I’ll give you a brief scenario, explain how OPA fits in, and provide a Rego policy example.
Use Case 1: Attribute-Based Access Control (ABAC) for Cloud Resource Access
Imagine you’re managing access to cloud resources (e.g., AWS S3 buckets, Azure Blob Storage, Google Cloud Storage). It’s not enough to just know who is trying to access a resource; you need granular control based on various attributes. For instance, a user might only be allowed to access a specific S3 bucket if they are part of a certain team, the request originates from a whitelisted IP range, and the time of day is within business hours. This is a classic ABAC problem, where access decisions are based on attributes of the user, the resource, the environment, and the action.
How OPA helps: OPA is perfectly suited for ABAC because Rego excels at evaluating complex conditions based on structured data. You can feed OPA all the relevant attributes (user roles, source IP, time of day, resource tags, etc.), and your Rego policy will determine if the access is authorized.
Let’s look at a simplified example for controlling access to an S3 bucket. We want to ensure that:
1.The user is part of the 'devops' team.
2.The request comes from an IP within the corporate network range.
3.The access attempt is during business hours (9 AM to 5 PM UTC).
Here’s how you might write a Rego policy for this:
default allow = false
allow {
input.user.team == "devops" is_from_whitelisted_ip
is_during_business_hours
}
is_from_whitelisted_ip {
ip_range_contains("192.168.1.0/24", input.source_ip)
}
is_during_business_hours {
current_hour := time.now_ns() / 1000000000 / 60 / 60 % 24 current_hour >= 9 current_hour < 17}
# Helper functiontocheckifanIPiswithinaCIDRip_range_contains(cidr, ip) if{
# Simplified for example, real implementation would parse CIDR and IP
# and perform network calculations.
startswith(ip, "192.168.1.")
}
If you were to run this with opa eval -d policy.rego -i input.json "data.app.abac.allow", the output would be true (assuming the current time is within business hours and the IP is whitelisted). This demonstrates how OPA can enforce attribute-based policies for infrastructure access.
Use Case 2: Role-Based Access Control (RBAC) for Server Access
Let's say you have a fleet of servers, and different teams or individuals need varying levels of access to them. For example, 'network admins' can configure network interfaces, 'devops' can deploy applications, and 'auditors' can only view logs.
In this kind of scenario, OPA can centralize your infrastructure’s RBAC policies. This makes it easier to manage user roles and their associated permissions across your server fleet. Instead of scattering authorization logic across SSH configurations or individual server scripts, you define it once in OPA. When a user tries to perform an action on a server, your system queries OPA with the user's role and the requested action. Then OPA returns whether it's allowed.
Here’s a Rego policy that implements a basic RBAC system for server access:
default allow = false# Allow if the user has the required role for the action on the resource
allow {
some role in data.user_roles[input.user]
some grant in data.role_grants[role]
input.action == grant.action
input.resource_type == grant.resource_type
}
The above Rego code is analogous to the following pseudocode in Python.
for role in data.user_roles[input.user]:
for grant in data.role_grants[role]:
if input.action == grant["action"] and input.resource_type == grant["resource_type"]:
allow = True
Running opa eval -d policy.rego -d data.json -i input.json "data.app.rbac.allow" would return true for Alice. If Alice tried to deploy an application, it would return false. This example shows how you can define roles and their permissions for infrastructure components, and then easily check if a user, based on their assigned roles, is authorized to perform a specific action. It’s a clean and scalable way to manage access control for your infrastructure.
Use Case 3: Kubernetes Admission Control
Scenario: Kubernetes is fantastic for orchestrating containers, but how do you ensure that only approved images are deployed, or that all deployments have specific labels for cost allocation or security? Kubernetes Admission Controllers intercept requests to the Kubernetes API server before objects are persisted. This is a perfect choke point for policy enforcement.
How OPA helps: OPA can act as a validating or mutating admission controller in Kubernetes. This means you can write policies in Rego that dictate what can and cannot be deployed to your clusters, or even modify resources on the fly. This is incredibly powerful for maintaining security, compliance, and operational best practices across your Kubernetes environments. If you're a company that needs strict control over your Kubernetes deployments, OPA as an admission controller is, in my opinion, a must-have.
Let's consider a policy that prevents deployments from using images from unapproved registries and ensures all deployments have a team label.
Running opa eval -d policy.rego -i input.json "data.kubernetes.admission.allow" would return true for this valid request. If the image was from unapproved-registry.com or the team label was missing, the policy would evaluate to false, and Kubernetes would reject the admission request. This provides a robust and centralized way to enforce policies in your Kubernetes clusters.
Use Case 4: API Gateway Authorization
Scenario: Your microservices architecture likely exposes APIs through an API Gateway. This gateway is the first line of defense for your backend services. You need to authorize incoming requests, perhaps based on JWT claims, IP addresses, or even rate limits. Hardcoding this logic into each microservice is inefficient and error-prone.
How OPA helps: OPA can be integrated with API Gateways (like Envoy, Kong, or AWS API Gateway) to offload authorization decisions. When a request comes into the gateway, it sends the request details (headers, body, path, method) to OPA. OPA evaluates these details against your policies and sends back an allow/deny decision. This centralizes your API authorization logic, making it easier to manage and update policies across all your APIs.
Let's imagine a policy where only authenticated users with a specific role can access a sensitive API endpoint, and only from a whitelisted IP range.
default allow = false
allow {
input.method == "GET" input.path == ["v1", "sensitive_data"]
is_authenticated
has_required_role
is_from_whitelisted_ip
}
is_authenticated {
input.headers.authorization
# In a real scenario, you'd decode and validate the JWT here
# For simplicity, we just check for presence of the header
}
has_required_role {
input.jwt_claims.roles[_] == "admin"
}
is_from_whitelisted_ip {
ip_range_contains("192.168.1.0/24", input.source_ip)
}
# Helper function to check if an IP is within a CIDR range
# This would typically be a built-in or a more robust library function
ip_range_contains(cidr, ip) if {
# Simplified for example, real implementation would parse CIDR and IP
# and perform network calculations.
# For demonstration, let's assume a simple string match for now.
startswith(ip, "192.168.1.")
}
Input Query (example input.json for a valid API request):
Running opa eval -d policy.rego -i input.json "data.api.authz.allow" would return true for this request. If the user didn't have the admin role, or the request came from an unwhitelisted IP, OPA would return false, and the API Gateway would block the request. This centralized approach to API authorization is, in my opinion, a much cleaner way to manage access to your services.
Use Case 5: CI/CD Pipeline Policy Enforcement
Scenario: In a fast-paced development environment, ensuring that your CI/CD pipelines adhere to security, compliance, and operational best practices is crucial. This could involve mandating code reviews for all merges to main, ensuring that specific security scans are run before deployment, or restricting deployments to production environments based on certain criteria (e.g., only from specific branches or by authorized personnel).
How OPA helps: OPA can be integrated into various stages of your CI/CD pipeline to enforce policies. This allows you to "shift left" on security and compliance, catching issues earlier in the development lifecycle. By externalizing these policies to OPA, you keep your pipeline scripts clean and focused on their primary tasks, while OPA handles the complex policy evaluations. If you're looking to automate and standardize your pipeline governance, OPA is an excellent choice.
Let's create a policy that ensures all deployments to the production environment must originate from the main branch and have been approved by at least two reviewers.
Running opa eval -d policy.rego -i input.json "data.ci_cd.policy.allow" would return true for this deployment. If the source_branch was feature/new-feature or approvals was less than 2, the policy would return false, preventing the deployment. This helps ensure that only well-vetted and compliant code makes it to your critical environments. In my experience, this kind of automated governance is invaluable for maintaining high standards in continuous delivery.
4. OPA vs. Oso: When to Use Which?
So now that we have a good idea of how OPA and Rego work, you’re probably wonder if you should implement this in your system. One question you want to answer is whether you want to go with native OPA or use Oso. Both are fantastic tools for authorization, but they shine in different contexts. Think of it this way:
OPA: The Heavyweight, Flexible, Infra-Friendly Policy Engine
In my opinion, OPA is your go-to when you need to enforce policies outside your application. It's designed to be a general-purpose policy engine that can be integrated across your entire stack. This includes:
Microservices: API Gateway authorization, service-to-service authorization.
CI/CD Pipelines: Ensuring compliance and security throughout your deployment process.
OPA is incredibly flexible because it decouples policy from enforcement. You write your policies in Rego, and then various services query OPA for decisions. This makes it ideal for broad, system-level policy enforcement where you need a consistent policy layer across diverse technologies. If you're building a large, distributed system and need a centralized policy decision point for your infrastructure and services, OPA is, in my humble opinion, the clear winner.
Oso: The Batteries-Included Tool for Modern Apps
Oso, on the other hand, is built for enforcing access logic inside your application. It's a batteries-included framework that simplifies adding authorization directly into your application code. Oso provides libraries for various languages (Python, Node.js, Go, Rust, etc.) and a declarative policy language called Polar.
Oso is perfect for scenarios where you need fine-grained, application-specific authorization, such as:
User Permissions: Determining what a specific user can do within your application (e.g., "Can Alice edit this document?").
Multi-tenancy: Managing access to resources across different tenants.
Resource-level Authorization: Controlling access to individual resources based on ownership or relationships.
If you're a developer building a new application and you want to quickly and effectively implement authorization logic directly within your codebase, Oso is an excellent choice. It's designed to be developer-friendly and provides a more integrated experience for application-level authorization.
Practical Guidance on Choosing
Here's how I think about it:
Use OPA where you enforce policies outside the app. This means policies related to your infrastructure, network, or inter-service communication. It's about controlling the environment your applications run in.
Use Oso where you enforce access logic inside the app. This is about controlling what users can do with the data and features within your application.
It's not necessarily an either/or situation. Many organizations might find value in using both. For example, you could use OPA for your Kubernetes admission control and API Gateway authorization, while using Oso to manage user permissions within your application's backend. The key is to understand their strengths and apply them where they make the most sense for your specific authorization challenges.
5. Conclusion
It was quite the journey, but we did it. We looked at five practical examples showcasing the power and versatility of Open Policy Agent. From fine-grained ABAC and RBAC within your applications to robust policy enforcement in Kubernetes, API Gateways, and CI/CD pipelines, OPA provides a consistent and scalable way to manage authorization across your entire stack. Its declarative policy language, Rego, allows you to express complex rules with clarity and precision.
We also touched upon the distinction between OPA and Oso. In my opinion, understanding their core strengths is key: OPA excels at externalizing policy decisions for your infrastructure and services, while Oso is a fantastic tool for building application-level authorization directly into your code. Both are powerful, and often, they can complement each other beautifully in a comprehensive authorization strategy.
August 2025 Update: Apple has hired the maintainers of OPA and the commercial offerings around OPA will be maintained by the open source community.
This article explores five alternatives to Open Policy Agent (OPA) that offer compelling features for different authorization requirements. We'll examine what makes each solution unique and help you determine which might be the right choice for you.
Understanding Open Policy Agent and Its Limitations
Before diving into alternatives, let's establish what Open Policy Agent is, the use cases where it shines, and where it might fall short for certain applications.
Open Policy Agent is an open-source, general-purpose policy engine that provides unified policy enforcement across the stack. It uses a high-level declarative language called Rego for policy definition and can be deployed as a sidecar, host-level daemon, or library. In general, teams use Open Policy Agent to enforce policy within cloud infrastructure.
While OPA offers flexibility as a general-purpose policy engine, this broad focus comes with tradeoffs:
The Rego language has a significant learning curve
As a general-purpose tool, it lacks application-specific authorization primitives
Implementation requires substantial custom integration work
Performance can be a concern in high-throughput scenarios
These limitations have led many development teams to seek alternatives that better align with their specific authorization needs.
Alternative 1: Oso
Oso takes a fundamentally different approach to authorization by focusing specifically on application authorization rather than being a general-purpose policy engine. This specialized focus translates to practical advantages for development teams.
Key Differentiators:
Purpose-built for application authorization: Unlike OPA's general-purpose approach, Oso’s policy language, Polar, provides primitives specifically designed for application authorization patterns[1]
High-performance data model: Oso’s data model is optimized for authorization operations. Oso can even work directly with your application data when you need to squeeze every last bit of performance out of larger operations like filtering lists.
Developer-friendly implementation: The authorization logic can mirror your application code, reducing the complexity of implementation
AWS Cedar represents another specialized approach to authorization, with a focus on readability and application-level authorization.
Key Differentiators:
Readability focus: Cedar's policy language prioritizes human readability and understanding while also providing a syntax that resembles AWS IAM definitions. It occupies a middle ground between Rego and Polar.
Structured design: Cedar offers a more structured approach to policy definition compared to OPA's Rego
Application-level authorization: Like Oso, Cedar focuses specifically on application authorization rather than general policy enforcement
Cedar's safety-oriented approach and fine-grained permissions make it a strong contender, particularly for applications on AWS. However, it has limited tooling and smaller community support compared to more established alternatives.
Alternative 3: Google Zanzibar Based Tools
For applications that need to manage complex relationship-based permissions at scale, tools like AuthZed or Auth0, which are based on Google Zanzibar, offer a compelling alternative to OPA.
Key Differentiators:
Graph-based authorization model: Zanzibar clones excel at managing access control via relationships
Single source of truth: Systems based on Zanzibar centralize the source of authorization decisions
Relationship-focused: Particularly strong for applications where permissions depend on complex relationships between users and resources
While Zanzibar offers powerful capabilities for relationship-based authorization, it introduces system complexity by requiring centralization of all authorization data. As a result, you will need to store, copy, and sync data across your application and your authorization service. It also forces you to model your authorization logic as relationships, which makes it challenging to implement ABAC.
Alternative 4: XACML
The eXtensible Access Control Markup Language (XACML) represents a standards-based approach to authorization that predates OPA and other newer alternatives.
Key Differentiators:
Standardized approach: As an OASIS standard, XACML offers a well-defined, standardized framework
Mature ecosystem: With a longer history, XACML has established patterns and implementations
Comprehensive model: Includes a complete policy language, architecture, and request/response protocol
However, XACML's XML-based approach can be verbose and complex compared to newer alternatives, and it may not be as well-suited for modern cloud-native applications as some of the other options discussed here[2].
Alternative 5: Hashicorp Sentinel
Rounding out our alternatives is Hashicorp Sentinel, which takes yet another approach to policy as code.
Key Differentiators:
Infrastructure focus: Particularly strong for infrastructure-related authorization decisions
Hashicorp ecosystem integration: Works seamlessly with other Hashicorp products
Embedded policy engine: Designed to be embedded within other Hashicorp applications and services
Sentinel's focus on infrastructure makes it particularly valuable for teams that need to enforce policies across Hashicorp-based infrastructure as code deployments. It’s not suited for application authorization.[3].
Choosing the Right Authorization Solution
When evaluating these alternatives to Open Policy Agent, consider these key factors:
Use case: Are you looking for infrastructure or application authorization?
Integration complexity: How much custom work will be required to implement the solution?
Performance requirements: Can the solution meet your latency and throughput needs?
Team expertise: Which solution aligns best with your team's existing knowledge and skills?
Deployment model: Does the solution support your required deployment scenarios?
The right choice depends heavily on your specific requirements. For teams building complex applications with sophisticated authorization needs, purpose-built solutions like Oso often provide advantages over general-purpose policy engines like OPA.
Comparing Key Features
Feature
OPA
Oso
AWS Cedar
Google Zanzibar-based
XACML
HashiCorp Sentinel
Primary Focus
Infrastructure authorization
Application authorization
Application authorization
Relationship-based authorization
Attribute-based authorization
Infrastructure authorization
Language
Rego
Polar, Oso’s purpose-built language for authorization
Cedar DSL
Variations on Zanzibar configuration language
XML-based
Sentinel language
Learning Curve
Steep
Moderate
Moderate
Steep
Steep
Steep
Deployment Model
Open Source
Flexible – Cloud or Self-Hosted
AWS only
Vendor-dependent
Open Standard
Packaged with Terraform Cloud (HCP Terraform)
Best For
General policy
Application auth with RBAC, ReBAC, ABAC, and custom roles
AWS applications
Relationship-based authorization
Standards compliance
General policy if you're all-in on HashiCorp
Implementation Considerations
Before implementing any authorization solution, consider these questions:
How easy is it to get started? Is it a cloud service or do you have to deploy it to your infrastructure?
How much support does it require? Do you have the capacity and infrastructure to provide it?
What’s the developer experience like? Is it easy to onboard new developers and integrate with your existing development process?
How is the documentation? Can you quickly find the information you need?
Does the solution support your authorization needs? Will it support them in 6 months? A year? Beyond?
Will the solution meet your current performance requirements? Will it continue to do so as your application grows?
Conclusion
While Open Policy Agent offers a flexible, general-purpose approach to policy enforcement, purpose-built alternatives often provide advantages for specific authorization scenarios. By understanding the strengths and limitations of each option, you can select the solution that best fits your unique requirements.
For teams building complex applications with sophisticated authorization needs, solutions like Oso that focus specifically on application authorization often provide the best balance of power, flexibility, and developer experience. The right choice ultimately depends on your specific requirements, existing technology stack, and team expertise.
August 2025 Update: Apple has hired the maintainers of OPA and the commercial offerings around OPA will be maintained by the open source community.
Open Policy Agent (OPA) is a general-purpose policy engine that helps with policy enforcement in cloud infrastructure. OPA allows users to define and enforce policies across a wide range of systems, ensuring compliance and security in dynamic environments.
I have always considered OPA to be one of the most important advancements for cloud infrastructure. In my experience, absent a bespoke solution (e.g. Oso), a rigorous OPA implementation makes for stronger enterprise software.
To implement the OPA engine, you submit a request in the form of a JSON or YAML object. OPA evaluates this incoming request against its policies and data to give a policy determination. You can think of the determination as a decision: approved or declined. It is now up to your software to enforce this decision.
Decoupling Policy Logic and Business Logic
One of the main reasons to use OPA is that it allows you to decouple policy decision making from the business logic of your services. OPA helps you determine the decision of a policy while your software enforces that decision. This allows you to manage policies in one place rather than coordinating policy changes in the business logic of several systems which could be written in different languages and managed by different teams.
What is Rego?
Rego is the custom language that OPA uses for writing policies. It is a declarative language designed for inspecting and transforming structured data, like JSON and YAML that is used for expressing access to cloud infrastructure.
Rego was inspired by Datalog, but extended to support structured document models such as JSON and YAML. Some developers consider it particularly confusing (evidenced by this Reddit thread), but Rego is the language of choice for Opa users.
How do you create an OPA policy?
Authorization in OPA starts with loading your authorization data in a structured format like JSON. You then write policy rules in Rego to transform the data as needed in order to derive the authorization context of the data. An example of this could be determining a user’s role or figuring out which organization a file belongs to. When the data is in the right structure, you inspect it to determine whether to allow or deny a request.
How would you design RBAC using OPA?
RBAC, which stands for Role-Based Access Control, is a broad classification for using roles to control the access that users have to resources. Most people are familiar with the concept of roles, and expect them to be a part of any authorization system. For many app developers, roles are the first and fastest step in implementing application authorization.
To design an RBAC system using OPA, you’ll first need to assign roles to all of your users. We’ll do that using a dictionary. In our case we have two roles: admin and member. Alice is both an admin and a member while Bob is only a member.
Based on their roles, Alice and Bob will have different permissions. We’ll need to define the various permissions that each role has. In the example below, a member can only “read” the Acme repository while an admin can “write” and “delete” the repository.
With these data structures in place, we’ll need to implement logic to determine whether a user has permission to perform a given action based on their role. Given a user, we’ll need to first determine what roles they have. Then, across all of their roles, we need to see what permissions they have.
In this simple example, you can see that we defined a policy that determines what permissions our users have. With this policy defined, we can determine if a given user has permissions to do the requested action.
What does OPA do well?
OPA is a great general-purpose policy engine. It’s designed to accept data from a variety of systems in their native format. Its rules language, Rego, provides primitives that allow you to transform and inspect its data as needed during evaluation to make authorization decisions. In this way, OPA emphasizes interoperability with third-party systems, where the data isn’t under your direct control. It is also well suited to machine-to-machine operations.
What are Open Policy Agent alternatives?
Oso is a good alternative to OPA for use cases like application authorization.
Oso’s policy language, Polar is built around the higher-order entities that you model in applications, such as actors, roles, and relationships. This makes it a natural fit for the application authorization domain.
If this space is relevant to you, I would recommend reading our overview of the distinctions between Open Policy Agent and Oso.
Looking for an authorization service?
Engineering teams are increasingly adopting services for core infrastructure components, and this applies to authorization too. There are a number of authorization-as-a-service options available. OPA is a popular general-purpose policy engine that implements authorization logic as low-level operations on structured data.
Oso Cloud is a managed authorization service that is tailored to Application Authorization. You use Oso Cloud to provide fine-grained access to resources in your app, to define deep permission hierarchies, and to share access control logic between multiple services in your backend. You do all this by using the same sorts of higher-order entities that you’re already modeling in your application: users, roles, relationships, attributes.
Oso also comes with built-in primitives for patterns like RBAC and ReBAC, and it is extensible for other use cases like attribute-based access control (ABAC). It is built using a best practices data model that makes authorization requests fast and ensures that you don’t need to make schema changes to make authorization changes. It provides APIs for enforcement and data filtering. Oso Cloud is also deployed globally for high availability and low-latency.
Oso Cloud is free to get started – try it out. If you’d like to learn more about Oso Cloud or ask questions about authorization more broadly, set up a 1x1 with an Oso engineer.
Common questions related to OPA
How much does OPA cost?
OPA is free and is available under an Apache License 2.0.
OpenFGA is an open-source authorization framework.
Both it and its commercial counterpart, Okta FGA, are interpretations of the Zanzibar whitepaper, which describes the Relationship-Based Access Control (ReBAC) authorization model used at Google. OpenFGA allows developers to define complex application authorization policies using a declarative language.
Why consider alternatives to OpenFGA?
While OpenFGA offers powerful capabilities for access control, you may want to consider alternatives based on specific needs such as ease of implementation and cost of maintenance.
OpenFGA requires that you to replicate data to a secondary data store, which may create more operational overhead than you want to take on. Its rigid ReBAC implementation may not map naturally to your authorization logic. These considerations determine how well a given solution meets your specific organizational constraints and development requirements.
Top 4 alternatives to OpenFGA
The following section will compare and contrast Oso Cloud, Permit.io, Permify and AuthZed.
1. Oso Cloud
Oso Cloud provides application authorization as a service. It diverges from OpenFGA and other Zanzibar-based ReBAC implementations in two fundamental ways.
a. Data architecture: Oso Cloud is able to answer authorization questions using data directly from your application databases. You can gain all the benefits of centralizing your authorization logic - discoverability, sharing, testing - without having to build extra logic to synchronize you application data to Oso Cloud. When you’re getting started with Oso Cloud, you can focus entirely on your authorization logic. You don’t have to worry about how to get your data to it. But don’t worry - if you decide later that you want to centralize some or all of your authorization data, Oso Cloud supports that, too. Whether you use OpenFGA or Okta FGA, you have to copy your authorization data out of your application databases to a separate store that the service uses specifically to answer authorization questions. This introduces all the extra overhead that comes with maintaining two sources of truth: initial data replication, two-phase commits, and drift detection and remediation. You’ll need to manage this from the start.
b. List filtering and LLM permissions. Oso enables you to easily answer questions like “What are all the documents this user can view?” Oso generates filters from your authorization policy so your database returns only authorized results. This is especially important for AI use cases where you need to ensure AI pipelines (search, RAG) return only the data a user is authorized to access.
OpenFGA was designed for static, relationship-only permissions, not dynamic AI pipelines. List filtering queries are inefficient and can take seconds, making them unusable for AI responses.
c. Semantic flexibility: Authorization logic in Oso Cloud is written in the Polar language. Polar is a general purpose logic language that allows you to ask authorization questions in direct terms. Fundamentally, authorization is the act of answering the question “Can User A perform action B on Entity C?” In a ReBAC model like OpenFGA, you can’t ask this question. Instead, you have to ask “Does User A have relation R with Object O?”
d. Expressive logic: Likewise, OpenFGA and similar systems are only capable of expressing authorization logic in terms of relationships. While it’s possible to do this, in reality much authorization logic isn’t relational. This makes it difficult to support common use cases like global permissions and public objects in OpenFGA. Rather than simply granting an administrator edit access to all organizations or marking a document as public, you have to work around the constraints of the language to figure out how to make those rules look like relationships. In Polar, you can directly express these ideas.
2. Open Policy Agent
Open Policy Agent (OPA) is an open-source policy engine for policy enforcement across your stack. Teams use OPA to enforce policy-as-code across microservices, kubernetes, and other infrastructure components.
Deployment model: OPA can be deployed as a sidecar, host-level daemon, or library.
Modeling: OPA uses a high-level declarative language called Rego for policy definition. While powerful, the Rego language has a significant learning curve. As a general-purpose tool, it also lacks application-specific authorization primitives.
Data: OPA accepts data from a variety of systems in their native format, and Rego allows you to transform data to enforce authorization decisions.
While OPA is available as open source software, its maintainers were recently hired by Apple, and there is no longer a commercial company or offering behind it.
3. Permify
Permify is an open-source, Zanzibar-based solution similar to OpenFGA. It is the most pure open-source implementation in this evaluation.
a. Deployment Model: Permify is a self-hosted solution that you deploy on your infrastructure. They provide a docker container or you can build it from the source code.
b. Data Management: Permify stores authorization data in a dedicated store that you set up within your infrastructure.
c. Modeling: Both OpenFGA and Permify are ReBAC solutions inspired by Google Zanzibar. Permify provides an attribute extension that supports attribute-based access control (ABAC) scenarios like public documents more naturally.
4. AuthZed / SpiceDB
Authzed is another Zanzibar-based authorization as a service solution. It provides managed and self-hosted implementations based on the open-source SpiceDB project.
a. Deployment Model: AuthZed provides both cloud and on-premises deployments. It is distributed as a docker container, in the package managers of most common Linux distributions, or as a chocolatey package on Windows.
b. Data Management: AuthZed stores authorization data in a dedicated store that you deploy and manage within your infrastructure. It offers the widest database support of all the solutions evaluated here.
c. Modeling: Both OpenFGA and Authzed define pure Zanzibar-based ReBAC authorization models.
Feature comparison table
Feature
Oso Cloud
OpenFGA
Local Deployment Model
On-premises binary installation
Open-source, self-hosted
Modeling
Support for arbitrary authorization logic using Polar
Authorization logic must be modeled in terms of relationships
Data Architecture
Keep data in your existing database or centralize in Oso Cloud
Data must be copied to a separate store and kept in sync
Why choose Oso Cloud over OpenFGA?
Oso Cloud and OpenFGA are both powerful application authorization solutions. Oso Cloud provides the Polar language, which allows you to express all of your authorization logic in the most natural terms. OpenFGA is based on Google Zanzibar, and as a result requires you to express all of your authorization logic in terms of a relationship between two objects. Oso Cloud can use your application data in-place, so you don’t have to synchronize anything to an external store to start answering authorization questions.
OpenFGA and Okta FGA both require you to copy authorization data to an external data store, which creates extra operational overhead for your team. Oso Cloud provides that more streamlined onboarding experience of the two. Because it always allows you to express your authorization logic in the terms that best fit your mental model, it is also the easier solution to maintain over time.
Conclusion
OpenFGA is a powerful solution for application authorization. But you may find that other options better meet your needs. If you’re already using a policy engine like OPA or AWS Cedar, or if you want to make it easier for business users to manage authorization logic, then Permit.io is a great choice. If open-source is a priority, then take a look at Permify. If you want support for a wide variety of databases, then look at authzed.
For all their strengths, all of the above solutions introduce friction into the developer experience. Whether they force you into an unnatural mental model, require a data replication mechanism, or simply lack dedicated, reliable support, you may find that while they meet your authorization requirements, they fall short of your organizational needs.
Oso Cloud has been built from the start to provide an exceptional developer experience. It allows you to model your logic in the terms you already use to think about it. It lets you keep your data in one place, simplifying your code and your infrastructure. This creates a simple path to adoption while supporting the most sophisticated application requirements. Oso provides comprehensive testing and diagnostic features as well as an unmatched support experience to make sure you get to production with confidence.
Ready to give Oso Cloud a try? Head over to our Quickstart to get up and running in a few minutes! Still have questions? Reach out to us on Slack. We’d love to talk authorization with you.
If you’ve ever checked into a hotel, you’ve already experienced the difference between authentication (AuthN) and authorization (AuthZ). When you show your ID at the front desk, you’re proving who you are—that’s authentication. Once your identity is confirmed, the hotel decides what you can access: which room you get a key for, whether you can use the pool, gym, or member lounges. That’s authorization.
AuthN and AuthZ sound similar, and sometimes people use them interchangeably, but they actually solve two very different problems in your codebase. AuthN confirms your identity, while AuthZ determines what actions and resources you can access based on factors like your role or team. Understanding the difference is essential for building secure systems and making sure users only get access to what they’re allowed.
TL;DR
Aspect
AuthN (Authentication)
AuthZ (Authorization)
Purpose
Confirms a user’s identity
Determines what a user can do
Question Answered
Who are you?
What are you allowed to do?
Typical Methods
Passwords, biometrics, OAuth, SSO
Roles, permissions, policies (RBAC, ABAC)
Order
Happens first
Happens after authentication
Example
Logging into your account
Accessing admin dashboard after login
AuthN confirms identity, while AuthZ controls access based on that identity. Both are essential for secure applications.
Core Differences
AuthN and AuthZ might seem like two sides of the same coin, and it’s easy to see why people mix them up, but they actually solve very different problems in your application.
AuthN is about identity. Imagine someone trying to check into a hotel. The front desk asks for their ID to confirm they really are who they claim to be. If the ID doesn’t match, they’re politely turned away—no room key, no access. This is AuthN: the process that confirms a user’s identity before anything else happens.
AuthZ is about access and privileges. Once AuthN is successful, the hotel staff checks the reservation details. Maybe the guest has a standard room, or maybe their membership status or special package gives them access to free breakfast, a member lounge, or even a welcome gift. This is AuthZ: where your application determines what resources or actions a user is allowed, based on their role, status, or permissions.
In short:
AuthN: Are you really who you say you are? If not, you don’t get in.
AuthZ: Now that we know who you are, what are you allowed to do? Your status or package decides.
These two processes work together to protect identity and control access to resources, ensuring users only get what they’re supposed to—no more, no less.
Common Types
Understanding how AuthN and AuthZ are implemented in real-world applications helps clarify their roles, the tools you might use for each, and the different authentication and authorization types available.
AuthN Types:
Passwords: Still the most common approach, though not always the most secure.
Multi-factor authentication (MFA): Adds an extra layer by requiring something you know (like a password) plus something you have (like a code from your phone).
Biometrics: Uses fingerprints, facial recognition, or voice to confirm identity.
Single sign-on (SSO): Lets users authenticate once and access multiple systems without logging in again.
OAuth/OpenID Connect: Protocols that let users log in using credentials from another trusted provider.
AuthZ Types:
Role-based access control (RBAC): Grants permissions based on a user’s role (admin, editor, viewer, etc.).
Attribute-based access control (ABAC): Makes decisions based on attributes like department, location, or time of access.
Relationship-based access Control (ReBAC): Permissions depend on the relationships between users and resources.
Access control lists (ACLs): Define specific permissions for users or groups on particular resources.
Custom policies: Many apps use their own logic or rules to determine what users can do, often combining elements of RBAC and ABAC.
Both AuthN and AuthZ are essential for secure access control, and understanding the available types helps you choose the right approach for your application’s needs.
Why It Matters
Getting AuthN and AuthZ right is fundamental for protecting your users and your data. When these two processes work together, only verified users can access your application, and each user is limited to the permissions they are supposed to have.
If AuthN is weak, anyone could pretend to be someone else and gain access. If AuthZ is not set up correctly, even a legitimate user might see sensitive resources they should not, or get blocked from features they actually need. This can lead to data breaches, compliance problems, and a frustrating user experience.
For developers, understanding the difference between AuthN and AuthZ makes it easier to design secure systems, troubleshoot access issues, and scale your application as your user base grows. Strong AuthN and AuthZ are essential for building trust and keeping your application safe.
Enough about hotels—let’s look at how authentication and authorization actually play out in a real software application.
Real-World Use Case: Project Management App
Imagine you’re building a project management tool like Trello or Jira. Here’s how AuthN and AuthZ come into play:
AuthN: When a user logs in with their email and password (or via Google SSO), the app verifies their identity. This step ensures the user is who they claim to be.
AuthZ: Once authenticated, the app checks what the user is allowed to do—like viewing boards, creating tasks, or managing team members—based on their role.
To visualize this, here’s an Access Matrix Table showing which roles have which permissions:
Role
View Board
Create Task
Edit Task
Delete Task
Manage Members
Admin
x
x
x
x
x
Project Manager
x
x
x
x
x
Contributor
x
x
x
Viewer
x
This table makes it easy to see at a glance which roles can do what, clarifying how authorization decisions are made in your app. For more complex scenarios, like relationship-based access control (ReBAC), you could extend this table or add notes to represent permissions based on user-resource relationships.
Oso’s Perspective
For most teams, authentication is pretty straightforward—just plug into an identity provider or use a standard library and you’re set. Authorization, on the other hand, is where things get complicated. Here are some common pain points developers run into with AuthZ:
Scattered permission checks: As your app grows, access control logic often ends up spread across controllers, services, and middleware, making it hard to see the big picture or audit who can do what.
Changing requirements: Business rules evolve. Suddenly, you need to support new roles, special cases, or complex hierarchies, and updating your authorization logic everywhere becomes a headache.
Lack of consistency: When authorization is handled in multiple places, it’s easy to miss something and accidentally grant (or deny) access where you shouldn’t.
Testing and debugging: Tracking down why a user does or doesn’t have access to a resource can be tricky when the logic is scattered and hard to follow.
Oso provides Authorization as a service and solves these headaches by giving you a centralized, declarative way to define your authorization policies in code. With Oso, you can:
Centralize your access control logic so it’s easy to review and update.
Define roles, permissions, and custom rules in a clear, maintainable way.
Adapt quickly as your requirements change, without hunting down permission checks scattered throughout your codebase.
Debug and audit your authorization decisions with confidence, since everything is in one place.
Test your policies to ensure your authorization logic works as expected before it hits production.
By taking the complexity out of AuthZ, Oso lets you focus on building features, not fighting with permissions.
FAQs/Common Confusions
What’s the difference between AuthN and AuthZ, really? AuthN (authentication) is about confirming a user’s identity—proving they are who they say they are. AuthZ (authorization) is about determining what actions or resources that user can access, often based on their role or permissions.
Can you have AuthZ without AuthN? No. Authorization decisions depend on knowing who the user is. Without authentication, there’s no way to know which permissions to check.
Why do people mix up AuthN and AuthZ? The terms sound similar and both deal with access control, but they solve different problems. AuthN answers “Who are you?” AuthZ answers “What are you allowed to do?”.
Is OAuth authentication or authorization? OAuth is a way of establishing identity using a token, but it’s often used alongside authorization. Once you have a token that establishes your identity, you can also include data on that token that can be used for authorization. OAuth manages confirming identity and managing the token.
What are some common mistakes with AuthN and AuthZ?
Treating authentication as enough and forgetting to check authorization.
Scattering permission checks throughout the codebase, making it hard to audit or update.
Not updating authorization rules as business requirements change.
Are there best practices for implementing AuthN and AuthZ? Yes. Use established libraries or providers for authentication, and centralize your authorization logic for easier maintenance and auditing. Always keep them as separate concerns in your architecture.
If you’re ever unsure, just remember: AuthN is “Who are you?” AuthZ is “What can you do?”
Conclusion
Understanding the difference between AuthN and AuthZ is essential for building secure and reliable applications. AuthN (authentication) confirms a user’s identity, while AuthZ (authorization) determines what actions and resources that user can access, often based on their role or other factors. Both are crucial parts of access control and work together to protect your users and your data.
As your application grows, keeping authentication and authorization concerns separate—and using the right tools for each—will help you maintain security, simplify your codebase, and adapt to changing requirements. Whether you’re just starting out or scaling up, investing in strong AuthN and AuthZ practices will pay off in the long run. If you'd like to discuss building those practices into your application, reach out to us on Slack.
AWS Cedar is a policy language and enforcement engine developed by Amazon to support fine-grained authorization in applications and services. Built with a focus on access control at scale, Cedar enables developers to define, manage, and evaluate authorization policies across AWS-native environments. It emphasizes policy-as-code, with support for attribute-based access control (ABAC) and resource-based policies, helping teams externalize their authorization logic and improve their security posture.
However, Cedar is still relatively young and tightly coupled to the AWS ecosystem. It currently lacks some of the integrations, ecosystem maturity, and tooling flexibility that more established or open-source alternatives provide.
For teams operating outside AWS, or those looking for more customizable policy models, richer developer tooling, or open standards, there are several compelling alternatives. In this article, we’ll explore five standout options that can help teams implement fine-grained, scalable authorization tailored to their specific stack and workflow.
Why Consider Alternatives to Cedar?
While AWS Cedar offers a focused approach to policy-based authorization within the AWS ecosystem, there are several reasons why teams might consider alternatives.
Pricing Considerations
Cedar itself is free and open-source, but its utility is closely tied to other AWS services like Verified Permissions, which can introduce cost concerns—especially as applications scale or span multiple services. For teams trying to control cloud costs or operate in multi-cloud environments, this tight AWS coupling might become a limiting factor.
Performance Requirements
Cedar is optimized for use within AWS-managed services, but teams building latency-sensitive systems outside of AWS may prefer alternatives that offer local policy evaluation or more direct control over performance tuning.
Implementation Complexity
Cedar offers a powerful policy model, but it comes with a learning curve. Its syntax and mental model may feel unfamiliar to developers who haven’t worked with policy languages before. Teams looking for a more intuitive or developer-friendly experience might gravitate toward tools with simpler APIs or built-in UIs.
Integration Considerations
Cedar is still maturing in terms of ecosystem and integrations. If your system spans a mix of databases, languages, or frameworks—especially outside of AWS—you may run into friction getting everything to work together. Alternative solutions often offer broader SDK support or more flexible integration options.
Vendor Lock-in
Though Cedar is open-source, its design is closely tied to AWS services like Verified Permissions. Teams aiming for long-term portability or hybrid-cloud deployments might prefer vendor-neutral options with open standards and self-hosted capabilities.
Deployment Requirements
Cedar is mainly designed to run in AWS-hosted environments. Organizations with strict data residency, air-gapped infrastructure, or on-prem compliance needs might require solutions that offer greater deployment flexibility or control over the full authorization lifecycle.
Alternatives
Oso
A Look at Oso’s User Dashboard
Oso is one of the strongest alternatives to AWS Cedar for teams that want more control and flexibility in how they build authorization. Rather than being tied to a specific cloud ecosystem, Oso externalizes authorization with a cloud-agnostic strategy.
At the core of Oso is Polar, a purpose-built declarative language designed specifically for modeling authorization logic. It supports a range of access control models like RBAC, ABAC, and relationship-based access control, making it adaptable to a wide variety of use cases.
Oso is also built with developers in mind. It offers clean APIs, helpful tooling, and clear workflows that make implementing and managing authorization feel straightforward—even in complex systems.
For teams that don’t want to be locked into a cloud provider or need more flexibility than Cedar currently offers, Oso is a solid option.
Why is Oso better than Cedar?
Tailored policy language built specifically for application-level authorization
Strong developer tooling for testing, debugging, and iterating on policies
Flexible enough to layer on top of existing access control systems
What is Oso’s Pricing?
Oso’s pricing is designed to meet the needs of teams at various stages. The Developer tier is available at no cost, while the Startup tier begins at $149/month. For larger or scaling teams, Oso also offers custom plans that can include migration assistance and personalized onboarding.
Permit.io is a full-featured authorization platform that builds on top of policy engines like OPA (Open Policy Agent) to offer a streamlined, low-code experience. It wraps the power of policy-as-code with developer-friendly APIs and visual tools, allowing teams to manage permissions, roles, and access flows without building that functionality from scratch.
Permit.io uses Rego under the hood but makes it more approachable with an intuitive UI and built-in features like role management, resource mapping, audit logs, and policy versioning. This makes it especially helpful for teams that want strong access control without getting too deep into the underlying policy language or infrastructure.
Where Cedar is tightly coupled with AWS and requires more manual setup, Permit.io offers an elevated experience—ideal for teams looking to move fast and deliver user-facing permission interfaces or admin controls with minimal effort.
Pros:
Built-in tools for managing roles, policies, and access flows
Visual editing layer on top of Rego for easier policy creation
Includes audit logs, versioning, and delegation workflows out of the box
Requires less manual setup compared to Cedar’s AWS-bound configuration
Cons:
Learning curve despite the UI layer
May be overkill for simple applications
Some features are locked behind paid tiers, which may limit startups on tight budgets
Less flexibility than fully self-hosted or embedded frameworks
Pricing:
Permit.io provides several pricing options, beginning with a free Community edition. The Startup-tier is priced at $5/month and includes up to 25,000 MAUs and 100 tenants. For larger needs, the Pro tier starts at $25/month and supports up to 50,000 MAUs and 20,000 tenants.
Casbin
Casbin is an open-source authorization library that brings access control directly into your application code. It’s built for flexibility and supports a variety of access control models—including RBAC, ABAC, ReBAC, and even domain-specific variants like multi-tenant RBAC.
Unlike AWS Cedar, which requires connecting to AWS-managed services and writing policies in Cedar's own language, Casbin is designed to be embedded and lightweight. It offers official support across multiple languages—like Go, Java, Node.js, Python, and more—making it easier to integrate into different parts of your stack.
Casbin is especially appealing for teams that want a simple, performant, and self-hosted solution. Its model + policy approach gives developers full control over how rules are structured and enforced, without relying on external dependencies.
Pros:
Lightweight and embeddable
Supports a wide range of access control models and policy formats
Multi-language support makes it suitable for polyglot environments
Doesn’t require cloud vendor integration or external services
Cons:
Lacks built-in tools for policy editing, user interfaces, or delegation workflows
Policy syntax is straightforward but limited for complex use cases
Requires custom implementation for features like auditing, versioning, or admin consoles
Pricing:
Casbin is an open-source project, so there are no licensing fees. That said, using it in production may still involve operational costs depending on how it’s implemented and maintained.
OpenFGA
OpenFGA is an open-source authorization system inspired by Google’s Zanzibar paper, built specifically for managing fine-grained, relationship-based access control (ReBAC) at scale. It’s designed to handle complex access rules by using a flexible data model and high-performance evaluation engine.
Unlike AWS Cedar, which uses a policy language tied to AWS services, OpenFGA takes a data-first approach, focusing on relationships between users, roles, and resources. It exposes a clean API for defining and querying access relationships, making it well-suited for dynamic environments like multi-tenant SaaS platforms or collaborative apps.
OpenFGA is a strong fit for teams that need highly expressive permission logic and care deeply about performance and scalability. It offers language-agnostic APIs, a strong developer experience, and a growing ecosystem of SDKs and tooling.
Pros:
Purpose-built for relationship-based access control with a proven model
High-performance engine designed for scale and low-latency checks
API-first design that works across most languages or frameworks
Not tied to a specific cloud vendor or infrastructure
Cons:
Focused primarily on ReBAC—less ideal for simpler RBAC or ABAC setups
Requires upfront modeling of relationships, which can add complexity
Still maturing in terms of documentation, ecosystem, and production tooling
Pricing:
OpenFGA is fully open-source, so there are no licensing fees. However, depending on your setup, there may be notable operational costs involved in running and maintaining it.
SpiceDB
SpiceDB is an open-source database inspired by Google’s Zanzibar paper for managing fine-grained access control at scale. It is designed to be highly performant and expressive, making it ideal for teams building complex authorization systems, such as multi-tenant SaaS applications or collaborative platforms.
SpiceDB adopts a relationship-based access control (ReBAC) model, allowing developers to represent access rules as relationships between users, roles, and resources. Its flexibility and scalability make it a strong alternative to AWS Cedar, particularly for teams that need fine-grained permissions and aren’t tied to the AWS ecosystem. SpiceDB also provides APIs and SDKs for various programming languages, enabling seamless integration into diverse environments.
Pros:
Built for relationship-based access control with a focus on scalability
High-performance engine for low-latency authorization checks
Flexible APIs and SDKs for integration across diverse environments
Open-source and vendor-neutral, providing full control over deployment
Cons:
Requires upfront modeling of relationships, which can be complex for simpler use cases
May involve some operational overhead for teams managing self-hosted deployments
Still evolving in terms of ecosystem and documentation compared to more mature tools
Pricing:
SpiceDB is free and open-source, but operational costs may arise depending on your deployment strategy. For teams needing managed solutions, commercial offerings like Authzed provide hosted SpiceDB instances with additional support and features.
SpiceDB is a compelling choice for teams requiring a high-performance, relationship-based access control system that scales efficiently and operates independently of any specific cloud provider.
OPAL
A demo of getting started with OPAL.
OPAL (Open Policy Administration Layer) is an open-source project that extends policy engines like OPA by making them real-time and dynamic. While OPA handles policy evaluation, OPAL is focused on policy distribution—making sure your authorization layer always has the freshest data when making decisions. OPAL is not an alternative to a policy engine, but is a worthy inclusion to this list, because leveraging OPA + OPAL can be a suitable alternative to products like Permit.io.
Where AWS Cedar focuses on static, declarative policies that live inside AWS’s infrastructure, OPAL helps bridge the gap between your policies and the external data sources that drive them. It syncs policy data from databases, APIs, and event streams, so that OPA can evaluate requests with real-time context—such as user roles, resource ownership, or permissions tied to changing business logic.
OPAL is ideal for teams already using OPA or building real-time systems where stale data could cause incorrect authorization decisions. It’s a strong choice for engineering teams who want to stay in control of their stack, and need dynamic policy loading without relying on a managed platform.
Pros:
Enables real-time, dynamic policy updates
Keeps your policy engine in sync with external data sources
Works seamlessly with OPA and other tools in the policy-as-code ecosystem
Decoupled decision-making from data propagation
Cons:
Requires more setup and orchestration compared to managed platforms
No built-in policy authoring or user interface—relies entirely on OPA and custom tooling
Best suited for teams already familiar with policy-as-code architectures
Pricing:
Opal itself doesn't have a cost, but integrating it into your environment and potentially using related services from vendors might incur costs
Conclusion
AWS Cedar is a capable option for teams fully committed to the AWS ecosystem, but it’s not always the best fit for every use case. Its limited flexibility and cloud-specific design can become constraints for teams needing broader integration or more hands-on control.
If your architecture, pace, or authorization complexity demands more than what Cedar offers, there are solid alternatives worth exploring. The best solution is the one that aligns with your stack, scales with your product, and fits how your team works.
SpiceDB has become a popular choice for teams building fine-grained access control, especially when dealing with complex permission models and user-resource relationships. Built around the ideas in Google’s Zanzibar paper, it gives developers a scalable way to express relationship-based access logic, with performance and consistency controls that are production-ready.
That said, SpiceDB isn’t always the right fit for every team or every project. Maybe you’re working in a framework where embedding authorization logic directly in code feels more natural. Maybe you’d rather use a simpler policy engine without managing a dedicated datastore. Or maybe you’re just curious about how other tools approach the same challenge in a different way.
Whatever the case, it’s worth knowing what else is out there. In this post, we’ll walk through five strong alternatives to SpiceDB, explore what makes each one different, and help you find the right tool for your approach to authorization.
Why Choose Alternatives to SpiceDB?
SpiceDB offers a robust solution for complex authorization, especially when relationship-based access control (ReBAC) is essential. But depending on your team’s architecture, skill set, and needs, it might not be the most efficient or intuitive choice. Here are several reasons why teams consider other options:
Complex Setup and Operational Overhead
SpiceDB is powerful, but it isn't lightweight. Running it typically means managing a custom schema, syncing relationships into a dedicated datastore, and integrating it as a separate microservice. For smaller teams or simpler applications, that operational cost may outweigh the benefits.
Steep Learning Curve
The Zanzibar-inspired model can be difficult to grasp if you're not already familiar with graph-based permission systems. For teams used to writing straightforward access rules or policies in code, SpiceDB can feel unintuitive and harder to debug.
Doesn’t Fit All Authorization Models
SpiceDB excels at ReBAC, but not every system needs relationship graphs. If your app relies more on attribute-based logic (ABAC), time-based permissions, or contextual business rules, other engines may offer better support with less workarounds.
Lack of Built-In Policy Language
Unlike tools like Oso or Cedar, SpiceDB doesn't provide a policy language for expressing custom logic. While you can define complex permissions through relationships, you can’t easily write conditional rules like “only allow this if the user is the owner and the document is in draft.”
Limited Out-of-the-Box Developer Experience
SpiceDB is infrastructure-first. It offers strong APIs and performance, but lacks built-in tooling like UI dashboards, visual editors, or audit trails. If your team is building a product that's meant to be administered by business users, you may need to build those layers yourself—or opt for a tool like Permit.io that includes them.
Alternatives
Oso
A Look at Oso’s User Dashboard
Oso is a developer-first authorization framework that lets you define access control logic directly in your application using a declarative policy language called Polar. Your authorization logic is separated from your business logic, making authorization easier to reason about, debug, and test as part of your normal development flow.
Oso is designed to handle a wide variety of access control patterns, from simple role-based rules to more complex setups like attribute-based (ABAC) or relationship-based access control (ReBAC). It also includes thoughtful developer tooling like policy unit testing and decision tracing. While it doesn’t provide a built-in relationship graph like SpiceDB, Oso gives you the flexibility to model these patterns yourself.
Why Oso is a strong alternative to SpiceDB
SpiceDB is more focused around ReBAC while Polar allows Oso to be more open-ended
Lack of policy language is inherently more limiting
You have to set-up a dedicated data store and a product like Oso may have an easier DX
Granted, that also involves learning Polar.
You've pretty much nailed it. I think it's mostly about preference and what someone finds more intuitive. Polar really is Oso's main distinguishing factor. It's the most general-purpose approach to authorization that I've seen in any of these services. It lets you model just about any authorization logic pretty naturally. And in the case of spicedb, you also have the data store to manage. AuthZed does provide a managed spicedb as well, but then you lose all the open source benefit. And spicedb does also have a schema language to learn - it's just more limited since it's so focused on relations.
Why Oso is better than SpiceDB:
Supports RBAC, ABAC, and ReBAC patterns out of the box with its open-ended language
Uses Polar, a readable and expressive policy language
Strong developer tooling: policy testing and decision tracing
What is Oso’s Pricing?
Oso offers pricing tiers to support teams at different stages. The Developer-tier is completely free, while the Startup-tier starts at $149/month. For growing or larger companies, Oso provides custom pricing, which can include migration support and tailored onboarding services.
Cedar by AWS
Cedar is an open-source, purpose-built policy language developed by AWS to power fine-grained authorization in services like Amazon Verified Permissions and AWS Verified Access. It’s designed to be fast, expressive, and secure by default, and focuses on enabling declarative, attribute-based access control (ABAC) and role-based models in cloud-native applications.
Cedar policies are written in a simple JSON-like syntax, and the language is built to be auditable and analyzable — ideal for environments that prioritize clarity and security in access control. Amazon Verified Permissions (which runs on Cedar) allows you to store and evaluate policies at scale as part of a managed service, but you can also run Cedar standalone in your own stack using the open-source library.
For teams already using AWS infrastructure, Cedar is especially appealing. It’s tightly integrated with AWS services and designed to work seamlessly in cloud-native environments. If you’re building serverless apps or microservices in AWS, Cedar offers a native way to implement fine-grained authorization without introducing external complexity.
Pros:
Designed specifically for fine-grained authorization on AWS
Strong ABAC support, with some support for RBAC patterns
Backed by AWS — used in production services like Verified Permissions
Built-in tooling for static analysis, auditing, and validation
Cons:
Doesn’t support ReBAC or relationship graph modeling natively
Best suited for attribute-based models — less flexibility for custom logic or embedded use
Tightly coupled with AWS — not as appealing if you’re not in the AWS ecosystem
Requires learning a new syntax and integrating an evaluation engine into your app
Pricing:
While Cedar itself has no standalone pricing, it's used within services like Amazon Verified Permissions, which charges based on the number of authorization requests. There are no upfront costs or minimum fees — you only pay for what you use.
OpenFGA
OpenFGA is an open-source authorization system designed for **fine-grained access control.** Like SpiceDB, it's heavily inspired by Google Zanzibar . Originally developed by the team at Auth0 (now part of Okta), OpenFGA provides a simple and scalable way to model and evaluate complex permission relationships across users, roles, and resources.
It uses a declarative modeling language that allows you to define types, relationships, and authorization rules. OpenFGA is stateless and built to scale horizontally, making it a strong choice for large, distributed systems. You can self-host it or use the hosted version via Auth0 Fine-Grained Authorization.
OpenFGA is arguably the closest architectural alternative to SpiceDB on this list. Both tools are inspired by Google Zanzibar and both are built around relationship-based access control (ReBAC), schema definitions, and high-performance permission checks. The key difference lies in execution: OpenFGA aims to be more approachable, easier to integrate, and slightly more opinionated in how you model access logic.
Pros:
Built specifically for fine-grained, relationship-based access control
Stateless and horizontally scalable
Self-hosted or available as a managed service (Auth0 FGA)
Good fit for microservices and multi-tenant architectures
Cons:
Still relatively young — not as battle-tested as SpiceDB in large deployments
Doesn’t offer as much flexibility around consistency models or datastore options
Requires learning a specific schema language and model
Pricing:
OpenFGA is open-source meaning there are no licensing costs, however, there may be significant operational costs.
Permit.io is a full-featured authorization platform that builds on top of policy engines like OPA (Open Policy Agent) to deliver a low-code, developer-friendly experience. It combines the flexibility of policy-as-code with visual tools and APIs that make it easy to manage roles, permissions, and access flows — all without needing to build those layers yourself.
At its core, Permit.io lets you define policies using OPA's Rego language but wraps that in a more approachable interface. It includes built-in tools for role management, user-to-resource mapping, policy versioning, audit logs, and more — making it especially useful for teams who need robust authorization.
If your team wants to move fast without getting deep into graph modeling or managing your own infrastructure, Permit.io offers a more elevated experience. It's ideal for SaaS teams who need multi-tenant access control, role delegation, or admin-facing permission interfaces — all of which would require additional development effort if you were using SpiceDB directly.
Pros:
Full-stack authorization platform with UI, API, and SDKs
Visual role and permission editors — beneficial for business users
Built-in audit logs, versioning, and environment controls
Supports RBAC, ABAC, and custom policies using OPA/Rego
Cons:
Less flexible than building your own Rego-based or ReBAC model from scratch
Built on OPA, which can feel complex if writing advanced policies
May not suit highly custom or deeply embedded use cases
Vendor-managed — limited control compared to fully open-source tools
Pricing:
Permit.io offers multiple pricing tiers, starting with a free Community edition. The Startup-tier begins at $5/month for up to 25,000 MAUs and 100 tenants, while the Pro tier starts at $25/month and supports up to 50,000 MAUs and 20,000 tenants.
Cerbos
Cerbos’ User Dashboard
Cerbos is an open-source authorization engine built for modern applications that want to decouple access control from application logic. Instead of embedding authorization rules directly in your code or relying on a relationship graph like SpiceDB, Cerbos lets you define policies in YAML and evaluate them via a lightweight service or SDK.
Cerbos focuses on attribute-based access control (ABAC) and role-based access control (RBAC) out of the box. It’s designed to be simple to adopt, easy to scale, and highly portable across environments — whether you’re building a monolith, microservices, or serverless functions.
With Cerbos, you don’t need to manage a specialized datastore or relationship graph. You define your policies declaratively, then pass user and resource attributes at runtime to get a decision back. This makes Cerbos easy to integrate, especially when you want to keep your data models and access logic loosely coupled.
Pros:
Policies written in standard YAML
Strong support for RBAC and ABAC out of the box
Language-agnostic — works with any backend via API or SDK
Includes useful tooling: test framework, policy playground, and CI integrations
Cons:
Doesn’t support ReBAC or relationship modeling
More focused on binary “allow/deny” decisions
Complex conditional logic can get verbose in YAML
Pricing:
Cerbos offers several plans, starting with a free, open-source version. Cerbos Hub starts at $0/month for up to 100 monthly active principals, while the Growth-tier begins at $25/month, with pricing based on active usage.
Conclusion
Authorization is a critical part of any application — it protects your data, controls access, and ensures the right users can do the right things at the right time. SpiceDB is a powerful choice for teams needing sophisticated, relationship-based access control, and it has proven itself in demanding production environments.
That said, no single tool is perfect for every situation. SpiceDB’s complexity and operational requirements might not be the best fit for every team or project. Exploring alternatives can uncover solutions that better match your app’s scale, your team’s workflow, and your architecture.
Authorization can quietly become a mess if it's not handled the right way from the start. That's where a great authorization tool comes into play. Cerbos is one such authorization product. However, depending on what you're building and how your team works, Cerbos might not check every box.
Whether you're looking for something that fits more naturally into a specific tech stack, offers a more visual policy experience, or handles both identity and authorization in one place, it's worth knowing what else is out there. In this post, we'll walk through four solid alternatives to Cerbos, break down what makes each one unique, and help you figure out which might be the right fit for your project.
Why Choose Alternatives to Cerbos
Cerbos is not always the best fit for everyone. Some teams may want a solution that's easier to set up or manage, especially if DevOps resources are limited. Others might need features Cerbos doesn't prioritize, such as built-in user management, real-time policy updates, native support for multi-tenant applications, or advanced permission models like ABAC or ReBAC.
So what makes a strong alternative to Cerbos? That really depends on your needs, but generally, you'll want something that strikes the right balance between flexibility, ease of use, and long-term maintainability. For some teams, that means picking a tool with a lower learning curve or a more visual policy editor. For others, it might mean tighter integration with the rest of their stack or an opinionated approach that helps speed up implementation. Whatever the case, it's worth exploring the options before committing to a single approach. Let's jump into four solid alternatives to Cerbos and break down what makes each one worth a look.
Oso
A Look at Oso’s User Dashboard
Oso is a developer-first authorization framework that brings powerful access control into your application using a declarative policy language called Polar. Unlike Cerbos, which externalizes policy logic into a separate engine, Oso is designed to be embedded directly into your app, giving you tighter integration and more immediate control over how permissions are evaluated.
If you're looking for something more tightly coupled with your application code, Oso is a great alternative. It supports a wide range of access patterns, including role-based access control (RBAC), attribute-based access control (ABAC), and relationship-based access control (ReBAC). This makes it especially useful for applications with complex or evolving permission needs. Oso also comes with helpful tooling like policy testing, decision tracing, and a REPL for debugging logic. All of these features make your developer experience smoother than a more barebones policy engine like Cerbos.
In my opinion, if you're a company that values having authorization logic close to your application code and wants powerful debugging capabilities, Oso should be at the top of your list.
Why Oso is better than Cerbos:
Embedded in the app, making integration straightforward
Oso's pricing is designed to support a variety of different businesses. The developer-tier is totally free. The first paid-tier is a startup-tier at $149/mo. If you're larger or growing quickly Oso will work with you to determine custom pricing that can include migration services if needed.
Auth0
A look at Auth0’s console
Auth0, now part of Okta, is a developer-friendly identity platform that handles things like authentication, user management, and access control. It's known for being easy to integrate, making it a decent solution for teams who want to offload identity and authorization complexity.
While Auth0 isn't the best for authorization, it's good if you're looking for the convenience of a managed solution that bundles both authentication and authorization in one place.
Do note that Auth0 doesn't offer the same kind of policy-as-code flexibility or self-hosting option that Cerbos does. However, for teams who want to move fast, stay secure, and integrate with minimal friction, Auth0 provides a lot of value out of the box.
Pros:
All-in-one identity and access management solution
Fast to integrate with great developer tooling and docs
Hosted and scalable with high availability
Marketplace with prebuilt integrations for social login, SSO, etc.
Cons:
Custom authorization logic can feel limited or require workarounds
Policies are managed through a web interface or scripts, not ideal for code-first workflows
Vendor lock-in and less transparency than open-source alternatives
It can get pricey at scale or with advanced features
Pricing:
Auth0 offers a free tier as well as premium tiers. The first premium tier goes for $35/month for up to 500 users. The next tier offered is the professionals tier for up to 1,000 MAUs priced at $240/month. Lastly, they offer an enterprise tier, which comes with custom pricing based on a consultation.
Permit.io is another authorization platform built to bring fine-grained access control to your app. It sits on top of open-source policy engines like OPA, and gives you a management layer with a visual UI, real-time updates, audit logs, and integrations.
Permit.io is similar to Cerbos, but adds tools for managing roles, tenants, and permissions across different environments. If Cerbos feels too hands-on or DevOps-heavy, Permit.io might be the smoother path.
It can be a better option than Cerbos for multi-tenant SaaS apps or any product where permissions change frequently and need to be updated live without redeploying.
If you're building a multi-tenant application and need both developer-friendly policy management and business-user-friendly interfaces, Permit.io could be a good consideration.
Pros:
Built-in support for multi-tenancy, dynamic roles, and real-time updates
Based on open standards and integrates with OPA under the hood
Good balance of control for devs and visibility for non-technical teams
Combines policy-as-code with a no-code UI for business users
Cons:
Still a relatively young platform compared to legacy IAM providers
More layers of abstraction can sometimes make debugging harder
May be overkill for simple apps or small teams with basic access needs
Less community adoption compared to tools like Cerbos or Oso
Pricing:
Permit.io offers a few different tiers, with the cheapest being the community edition, which is free. The next tier available is the startup tier, starting at $5/month for up to 25,000 MAUs and 100 tenants. They also offer a pro tier for up to 50,000 MAUs and 20,000 tenants beginning at $25/month.
Keycloak
A screengrab of Keycloak’s dashboard
Keycloak is an open-source access management solution that includes a built-in authorization engine alongside its authentication and user federation features. It's often thought of as an identity platform, but it also includes authorization functionality . This is mostly used by Keycloak customers who need both identity and fine-grained access control tied to resources, roles, and scopes. The authorization features include role-based access control (RBAC), resource-based permissions, scopes, policies, and permission tickets. These are configurable through a built-in UI or admin API.
Unlike Cerbos, which is policy-as-code focused, Keycloak's authorization logic is more tightly integrated into its platform. That said, it's powerful and flexible enough to model real-world access patterns, including multi-tenant use cases and complex business rules. Keycloak isn't a bad choice if you prefer a declarative, centralized model over embedding logic in code.
If you're a company that needs both identity and authorization in one self-hosted package and doesn't mind the complexity that comes with it, Keycloak could save you from managing multiple systems.
Pros:
Resource-based authorization with roles, scopes, and policies
Fine-grained access control is baked into the platform
Centralized UI and APIs for managing permissions
Fully self-hosted and customizable for on-prem needs
Cons:
Authorization is tightly coupled to Keycloak's identity stack
No policy-as-code model like Cerbos or Oso
It can be overkill if you only need an authorization engine
Learning curve with the admin UI and authorization mode
Pricing:
For organizations building customer-facing applications, Keycloak can be economical in price since it doesn't have per-user licensing fees.
Comparison Table
Feature / ToolCerbosOso CloudAuth0Permit.ioKeycloakTypePolicy-as-code engineEmbedded auth frameworkManaged IAM w/ auth featuresManaged + policy-as-codeSelf-hosted auth platformHostingSelf-hosted / DockerEmbedded in app codeFully managedCloud + self-hostedSelf-hosted (on-prem or cloud)Policy ModelYAML-based, decoupledPolar (DSL), inline in appRoles + rules + actionsUI + YAML (OPA under the hood)Role, resource, scope-basedAccess PatternsRBAC, ABAC, multi-tenantRBAC, ABAC, ReBACRBAC + custom token logicRBAC, ABAC, multi-tenantRBAC, resource policiesPolicy-as-CodeYesPartial (via DSL)NoYesNoAdmin UINone (code only)NoneYesYesYesReal-Time UpdatesManual redeployCode-level change requiredYesYesYes (via admin UI/API)Best ForDev teams wanting full controlEmbedded control in codeFast identity/auth comboScalable apps needing hybridComplex, self-hosted systems
Conclusion
Authorization isn't just a backend task or a security checkbox. It's a core part of how your product works and how users experience it. While Cerbos offers a clean, developer-centric way to manage access control with policy-as-code, it's not a one-size-fits-all solution.
Before you make a decision on which authorization tool to use, it could be worth your time to investigate other authorization products, such as Oso, which can offer a better developer experience.
Role-Based Access Control (RBAC) is an authorization approach that organizes access permissions into roles that can be assigned to users. Intuitively, RBAC seems like a simple system. Our responsibilities within an organization naturally confer different levels of access and corresponding security, so an RBAC should hypothetically be easy to set-up. In theory, a person's position maps to a configured role that grants them the permissions they need.
However, this rosy ideal rarely materializes. In the wild, I've seen organizations implement RBAC with overlapping permissions, bloated roles, or incomplete systems that expose security vulnerabilities and cause maintenance nightmares.
The difference between RBAC success and failure often comes down to design principles and ongoing governance rather than the technology itself. Organizations that implement sustainable RBAC systems follow specific patterns for role design, permission granularity, and system maintenance that prevent the common pitfalls.
In this article, I want to share these best practices that successful organizations adopt to design RBAC systems that actually work in practice, not just in theory.
Adopt the Principle of Least Privilege
The principle of least privilege dictates that users should only be granted the minimum permissions necessary to perform their tasks.
When a new user enters a system, it's critical to understand what the user truly needs to accomplish their tasks. Over-permissioning is a common trap.
For example, I once encountered an organization that automatically granted new marketing team members full administrative access to their customer relationship management (CRM) system, simply because "that's what the previous person had" - a classic case of over-permissioning for convenience. It would have been enough to grant read access to customer data and write access to campaign records.
When increasing someone's access, think carefully about how it impacts others with similar roles, or if there are permissions being granted that are unnecessary for the tasks at hand.
Separate users, roles, and permissions
RBAC doesn't mean users should be locked into a single role. Instead, treat permissions as atomic units, roles as bundles of permissions, and users as having one or more roles. This allows greater flexibility and avoids bloated role definitions.
For example, imagine a support engineer who also occasionally helps with onboarding new customers. Rather than creating a monolithic "Support-Plus-Onboarding" role, assign them both the "Support Agent" role (with permissions for ticket management and customer communication) and the "Onboarding Specialist" role (with permissions for account setup and initial configuration). That way, you can later remove the onboarding role as that process becomes more automated.
Separating the concepts of users, roles, and permissions prevents role sprawl, making it easier to manage permissions as responsibilities change.
Design roles around business functions and change rate
Often, I've seen organizations design roles to match job titles. While this works initially, it's brittle to organizational changes. What happens when someone covers another person's job for a week? Or a new employee wearing multiple hats joins the team? It's easy to break the principle of least privilege by temporarily granting such cases an entire role when they only need some of its permissions.
Instead, design roles around stable business functions that persist even when job titles change or new features are added. Instead of "Sales Manager," try "Customer Data Management." Instead of "IT Admin," try "System Configuration.” Describing roles as business functions means they can remain consistent even as organizational structure shifts.
A broader principle is to adjust granularity of roles to the rate of change of your business. A fast-growing startup benefits from atomic roles like "Invoice Processing" and "Customer Support" that can be quickly reassigned as responsibilities shift. A stable enterprise might use broader roles like "Finance Operations" without constant maintenance overhead.
Roles won’t always be perfect, so use the 80/20 rule as a design test: if 80% of users with a role need 80% of its permissions, your abstraction level is probably right.
Plan for role exceptions, but minimize them
No matter how well designed an RBAC implementation is, I’ve always seen them encounter edge cases. Rather than forcing awkward workarounds, my advice is to plan for controlled exceptions while keeping them minimal.
Before creating one-off roles, I’d consider if the need could become a new standard role that applies to other users. This avoids similar exceptions in the future and reduces tracking overhead.
When exceptions are truly necessary, document them with proper approvals and add expiration times if your system supports it. For example, a support agent needing temporary billing access for a major customer issue should receive a time-limited "Billing Support" role rather than permanent customization.
Finally, schedule periodic reviews to consolidate custom roles back into standard ones as organizational needs evolve. Every custom role is security debt that should be paid down when possible.
Automate to reduce human error
Human error is a major cause of security vulnerabilities. Wherever possible, automate RBAC processes to reduce manual mistakes and operational overhead.
There are many ways to automate RBAC processes. Some examples I’ve seen:
Auto-provision roles based on job titles or departments from HR systems so new hires automatically receive appropriate baseline permissions without manual setup delays.
Automatically revoke all access when someone is marked as terminated in the HR system
Automate access reviews by sending managers quarterly emails that list their team's current roles and permissions, requiring them to confirm or request changes within a deadline. This ensures regular validation without the administrative burden of coordinating manual reviews.
That being said, limit automation for high-risk roles like admin access. Manual approval in cases like these help maintain proper oversight.
Design for scoped roles, not global permissions
One of the biggest mistakes I’ve seen in implementing RBAC is to default to global roles. But "Admin" in marketing shouldn’t mean "Admin" in engineering! Real organizations need scoped roles, not global ones, where the same person has different access levels in different contexts.
To implement this concept, design for User → Role → Scope relationships from the start. This often requires more sophisticated RBAC systems that support contextual roles, not just basic role assignment. For example, a department head may need admin rights in their department, but zero access for others.
Scoped roles reduce blast radius when accounts are compromised and enforce least privilege at scale, providing the right access in the right context while maintaining security boundaries.
Add safeguards for risky permissions
Not all permissions are created equal. Gate different risk levels with appropriate safeguards: require MFA for sensitive data access, implement approval workflows for destructive actions, and add audit notifications for administrative functions. This layered approach prevents both accidental damage and malicious insider activity.
Ensure clear escalation paths when approvals are needed urgently and maintain detailed audit trails for all high-risk operations. For example, production deletions should require manager approval, bulk customer data exports need MFA verification, and password resets for other users should trigger security notifications.
The goal is proportional security. Higher risk operations should get stronger controls without slowing down everyday work.
Build or buy an RBAC system? Default to buy
This is a classic debate I’ve seen play out many times. Companies want to implement their RBAC system internally, thinking “Our requirements are simple, we want full control, existing solutions are overkill and we can build it faster.”
But in my experience, this almost always leads to easily predictable problems. Custom RBAC quickly becomes complex as requirements grow, it lacks security expertise, and creates ongoing maintenance that most teams aren't equipped for.
Buying authorization software that supports RBAC offers benefits that keep paying dividends: ongoing security updates, compliance certifications (SOC2, FedRAMP), integration ecosystems, and proven design patterns. There are few exceptions to this rule - free yourself to focus on your core business instead of reinventing security infrastructure.
Maintain and evolve your RBAC system
RBAC systems reflect the organization they operate in, so when organizations change, so do their RBAC systems. In my experience, it’s best to expect and prepare for change gradually rather than doing big overhauls infrequently.
Establish regular maintenance processes from the start:
Implement access recertification where managers periodically attest to their team's access
Schedule role audits to consolidate and clean up permissions
Create change management procedures for organizational shifts
Consider implementing proper UI/UX for day-to-day operations.
Build monitoring into your RBAC operations by tracking role usage, identifying permission drift, and setting up alerts for unusual patterns.
Without maintenance, even well-designed RBAC systems decay into security liabilities. Your RBAC system should evolve with your company, or else it may eventually constrain it.
Prepare your incident response playbook
Security incidents are a fact of life, but preparation can make all the difference when they happen. I’ve been in rooms with playbooks and rooms without them—trust me, they make all the difference.
RBAC security incidents have unique characteristics: compromised privileged accounts, insider threats abusing legitimate access, and privilege escalation attacks where attackers use existing permissions maliciously. I’ve seen the following preparations work well for these scenarios.
Maintaining comprehensive audit trails. ****Log permission grants, revocations, role changes, and access attempts with timestamps, user details, and justifications. These are essential for forensic investigation during incidents and required for compliance frameworks like SOX, GDPR, and HIPAA.
Establishing emergency access revocation procedures to quickly disable compromised accounts
Creating lockout triggers for suspicious patterns like unusual locations or bulk downloads
Enabling emergency admin access when RBAC systems fail or administrators are unavailable.
Once the playbook is created, be sure to practice it with your team and update it as needed. I’ve been in situations where the the playbook was useless because it was only tested during a live security incident.
Effective incident response planning ensures you can respond quickly and methodically when RBAC-related security events occur - don’t skip it!
Next steps for implementation
Whether you're starting from scratch or improving an RBAC existing system, I believe it’s best to focus on the fundamentals: least privilege, clear role boundaries, and automation where possible. Remember that RBAC is an ongoing operational discipline, not a one-time setup.
If you're looking for a proven solution that implements RBAC best practices out of the box, consider using Oso. It handles the complexity of implementing these patterns correctly, so you can focus on your core business instead of rebuilding authorization infrastructure.
Role-Based Access Control (RBAC) is one of the most widely adopted authorization patterns in modern web applications, providing a structured approach to managing who can access what resources and perform which actions.
Unlike simpler permission models that assign rights directly to individual users, RBAC introduces roles, or groupings of permissions for particular functions. This creates a more natural fit and proves far more scalable for most organizations as they grow.
While RBAC offers clear benefits, I've seen many organizations struggle with role design decisions, technical integration complexities, and migrating from existing permission systems. Without a structured approach, RBAC implementations often become overly complex or fail to meet security requirements. In this guide, we'll walk you through a proven framework for implementing RBAC effectively.
1. Planning & Assessment
I always begin by conducting a comprehensive audit of existing permissions and access patterns. This reveals not just what permissions exist on paper, but how they're actually being used in practice. You'll often discover shadow permissions, unused access rights, and users who've accumulated privileges over time that no longer align with their current responsibilities.
Next, it’s time to design roles. The key insight to keep in mind is that roles should reflect business functions, not job titles or features. Instead of "Sales Manager," use "Customer Data Management." Instead of "IT Admin," use "System Configuration.” Describing roles as functions means they remain consistent even as job titles and organizational structure shifts.
Next, define permissions. Permissions should be atomic, meaning that they map 1-1 to a particular kind of access or action. Roles can have as many permissions as needed, so don’t be afraid to limit the scope of a permission.
When assigning permissions to roles, remember to apply the principle of least privilege, which states that users should only be granted the minimum permissions necessary to perform their tasks. I once encountered an organization that automatically granted new marketing team members full administrative access to their customer relationship management (CRM) system, simply because "that's what the previous person had" - a classic case of over-permissioning for convenience.
The least privilege principle also means that when individuals are over-permissioned, the right thing to do is to remove those extra permissions. This is no fault of the individual, but it’s easy to feel slighted when one’s permissions are reduced. Get ahead of this inevitability by preparing a comms strategy which prepares folks for permission reduction. Remind them that this is inevitable, and is a reflection of the system’s growing maturity rather than an individual’s performance.
Once you have your roles and permissions defined, map current users to these proposed roles. This exercise often reveals gaps in your role design and helps identify users who will need special handling during migration.
Finally, develop a clear migration strategy. Plan to run both systems in parallel during the transition, start with a pilot group for validation, and create fallback mechanisms to quickly revert if issues arise. For users with unique permission sets that don't fit any role, use temporary individual permissions rather than creating one-off roles. This planning phase typically takes longer than expected, but the time invested here prevents painful rework later.
2. Build vs Buy? Default to Buy
Build or buy is a classic debate I've seen play out countless times. For this situation, my advice is simple: default to buying an authorization platform.
I've watched too many teams say "our requirements are straightforward, let’s build it,” six months go by, and they find themselves struggling with complex edge cases, security vulnerabilities, and maintenance overhead that they never anticipated.
Purpose-built authorization platforms bring immediate value through ongoing security updates and battle-tested design patterns learned from thousands of implementations. Nine times out of ten, it’ll save you time and headache.
The rare exceptions where building makes sense are when you have extreme performance requirements or unusually simple integration needs. In most cases, you'll get better results faster by focusing your engineering talent on your core business rather than reinventing security infrastructure that’s already been perfected.
3. Implementation & Integration
Once you've chosen your authorization platform, the real work begins with integrating RBAC checks throughout your application. You'll need checks not just at the API level, but also in your user interface to hide features users shouldn't access.
So, I start by identifying every API endpoint, screen, and component that needs access control. This often is more comprehensive than teams initially realize.
Building automation for handling new users comes next. This is critical - manual role assignments are error-prone and don't scale. Set up automated provisioning tied to your HR systems or identity provider so that when someone joins the sales team, they’re automatically granted the appropriate roles without IT intervention.
Finally, testing. This is where I’ve seen many implementations fall short, especially in handling edge cases gracefully. Systems can break when users have multiple roles with conflicting permissions, or when role inheritance creates unexpected access patterns. Testing should also cover security, including attempted privilege escalation and other boundary conditions. The goal of testing is to catch authorization failures before they reach production.
4. Deployment & Monitoring
Next, it’s time to roll out your RBAC system to production. Remember that this change affects every single person in the organization, so be sure to reinforce your comms strategy through multiple mediums (email, Slack, etc) for redundancy.
Your comms strategy should also prepare your organization for the growing pains that come with such a transition. There are almost certainly edge cases you missed that will bottleneck work. Accelerating approval processes during the transition and communicating with empathy upfront (”We know we’re going to miss some things, but we’ll do our best to address them as quickly as we can…”) will allow most people to give you the benefit of the doubt.
The deployment itself requires careful orchestration and multiple safety nets. I always deploy with robust fallback mechanisms that can quickly revert users to their previous permissions if critical issues emerge. Start with a phased rollout by deploying to a small user group first, then gradually expand as confidence builds.
Once your system is live, monitoring becomes your early warning system. Set up comprehensive logging of access patterns and policy violations, and configure alerting for unauthorized access attempts. I've found that many security incidents reveal themselves through subtle changes in normal access patterns, so baseline your users' typical behavior early.
Also, automate periodic access reviews by scheduling quarterly emails to managers, asking them to verify their team's role assignments. Business requirements evolve, users change responsibilities, new features launch, and compliance requirements shift. Automated reviews help you catch role drift before it becomes a security risk and ensure your RBAC implementation continues serving your organization's needs effectively.
Finally, always plan for incidents. This might mean temporary elevated permissions for specific users or a break-glass procedure that logs all actions for later review. Documenting emergency access procedures allows you to maintain business continuity without compromising security.
5. Common Pitfalls & Design Patterns
The first and most common failure I see is "admin creep" - the gradual expansion of administrative privileges as users request extra permissions to solve immediate problems. If left unchecked, this natural tendency erodes the role structure you took so much care in developing. Combat this by establishing clear approval processes for role changes, implementing expiration dates for elevated permissions, and regularly auditing who has elevated privileges.
Scope creep for roles is equally dangerous. Teams start with simple roles, then add exceptions and special cases until they're essentially back to individual permission management. I've seen organizations with hundreds of micro-roles that defeat the entire purpose of RBAC. When you find yourself creating roles for single users or adding extensive conditional logic, step back and reconsider your role structure.
Finally, role hierarchies - they can be valuable, but more often than not, I’ve seen them increase complexity and maintenance. If this is unavoidable, start with flat role structures and only add inheritance when you have a clear, time-tested business case. Keeping the hierarchy shallow (2-3 levels max) work well for clear permission escalation patterns like "Read-Only User" → "Standard User" → "Admin."
Moving Beyond RBAC
RBAC provides a solid foundation for most organizations' authorization needs, offering role-based permissions that scale well and align with business functions. However, it struggles with complex relationship-based access patterns, like "users can only edit documents they created" or "managers can approve expenses for their direct reports."
When you encounter these relationship-dependent requirements, consider alternate models such as relationship-based access control (ReBAC) or attribute-based access control (ABAC).
The truth is, no access model is perfect. Thankfully, creating custom access models of all types (RBAC, ReBAC, ABAC) is made easy by platforms like Oso. Oso handles the complexity of implementing these access models with these best practices in mind, freeing you up to focus on your core business rather than rebuilding authorization infrastructure.
Permit.io is an “Authorization as a Service” product that offers policy creation and enforcement tooling. Permit.io utilizes a policy-as-code approach based on Open Policy Agent (OPA) and OPAL, in an effort to reduce the amount of custom code that teams need to write. The platform supports multiple authorization models including RBAC, ABAC, and ReBAC to accommodate various use cases.
The platform includes visual policy editing tools and user interfaces designed for cross-functional team accessibility. Organizations may find Permit.io suitable when seeking quick authorization implementation.
For startups and mid-sized companies evaluating authorization solutions, it's valuable to explore all available options to ensure the best fit for specific technical requirements and organizational needs.
While evaluating alternatives to Permit.io, there are several factors that you should consider:
Pricing Considerations
Permit.io’s pricing is based on Monthly Active Users (MAUs) which can get expensive as your user base grows. The jump from the free tier (1,000 MAUs) to paid plans can be too steep for early stage startups with rapid user growth but limited budget.
Performance Requirements
Teams with low latency requirements might prefer solutions with more direct control over the authorization layer, especially for high throughput systems.
Implementation Complexity
For smaller projects with straightforward requirements, Permit.io might be overkill with many authorization features such as SCIM (System for Cross-Domain Identity Management) that you might not need. Smaller teams might prefer a lighter, more focused solution.
Integration Considerations
Before picking a solution, you should think about how it’ll fit into the rest of your stack. Teams with unusual tech stacks or legacy systems might find other solutions are more compatible with their environment.
Vendor Lock-in
Organizations that value flexibility might want a solution with clearer migration paths. Relying too much on the Permit.io ecosystem can create a good deal of vendor lock-in.
Deployment Requirements
Organizations with strict compliance requirements or specific deployment needs might find Permit.io’s deployment options too limited, especially those that need full control over their authorization infrastructure.
Oso is the best Permit alternative for engineering driven companies that want more control and flexibility in their authorization implementation. Oso is a specialized authorization layer that integrates seamlessly into your existing codebase with a focus on developer-friendly workflows.
Oso offers several advantages that make it the better choice. The platform has an intuitive API design that makes implementation a breeze. Additionally, its purpose-built architecture is specifically optimized for microservices environments, making it great for the unique challenges of distributed systems. From my experience, this focus on developer-friendliness and easy of use makes a big difference, especially when you’re not an authorization expert.
With Oso, there are no surprises, and you’ll be working with a platform that you can rely on. Oso has a simple pricing model that makes budget planning very straightforward. They have predictable pricing starting at $149/month for the Startup tier. In terms of reliability, the platform delivers industry-leading uptime with 99.99% SLA guarantees, ensuring consistent availability for critical authorization functions. It’s trusted by teams such as Duolingo, PagerDuty, and Wayfair to run their authorization logic.
If switching to Oso sounds daunting, rest assured that there’s comprehensive migration tooling and services that are really handy for teams transitioning from existing systems. This significantly reduces implementation time and resource requirements.
In short, Oso is great for engineering teams that value control and flexibility while still wanting the benefits of a specialized authorization framework.
Oso’s Polar language is purpose-built declarative language for authorization, unlike Permit’s broad focus
Oso has better support for higher-grade tooling for advanced access control
Oso can work with existing authorization systems
What is Oso’s Pricing?
Oso’s pricing is diverse, designed to support different businesses. Developer-tier is free, while the first paid tier is a start-up tier retailing at $149/mo. Their growth tiers and migration services are custom priced based on needs.
2. Auth0
A screengrab of Auth0’s dashboard UI.
Auth0 is an identity platform with clean-cut APIs and SDKs.
Although Auth0 is mostly an identity platform, you’ll find that they provide authorization functionality as well through their Rules and Actions features. Auth0 stands out from Permit through its integration marketplace that contains connections to other technology stacks and third party services. This one platform for authorization and authentication plus the marketplace makes Auth0 a good choice if you don’t have complex authorization needs. This only becomes a challenge, if you decide to expand your authorization functionality down the line.
When thinking about Auth0 for your authorization, you should consider several factors. First, Auth0 doesn’t provide you much room to grow into a more sophisticated authorization process. Their approach to authorization is quite different than many dedicated authorization solution, meaning when the time comes to migrate away, it’ll be quite the undertaking. If you don’t expect to have complex authorization, you won’t need to move away, right? This isn’t always the case, especially for growing companies, and it comes down to cost. You’ll be paying quite a bit more to do authorization through Auth0 compared to a dedicated authorization solution. I’ve seen several cases of teams needing to move away from Auth0 as they grow due to cost alone.
What are Pros of Auth0?
Pre-built drop-in components that can reduce dev time
Custom workflows
Wide SDK coverage
Enterprise integrations supported
What are Cons of Auth0?
Pricing can easily surge on premium tiers with advanced features
Proprietary lock-in risk
Harder to self-host or audit
Can be complex to manage at scale.
What is Auth0’s Pricing?
Auth0 offers a free-tier as well as premium-tiers. The most basic of the premium-tiers can range from $35-$150/month for 500 users based on use case. They also offer yearly pricing, as well as range to pick monthly active users.
3. Open Policy Agent (OPA)
An overview of the Open Policy Agent flow.
Open Policy Agent, or OPA, is an open-source framework for authorization.
Under the hood, Permit.io uses OPA. OPA is an open-source policy engine that gives you a unified framework for enforcing policies across your tech stack. Rather than using OPA through Permit, your very much could use OPA directly.
Using OPA directly is great if you want the flexibility and cost savings associated with using an open-source project. With no licensing cost, OPA is a great choice for budget conscience teams who are looking to build complex authorization flows. Going directly to the open-source project also gives you the ultimate flexibility and protection against vendor lock-in. You can also rely on the OPA project. It has strong adoption in cloud-native environments and a very strong community that’s supporting it.
I’ve seen my fair share of teams dive directly into OPA, thinking they can roll their own authorization solution. Quickly they realize they’re in over their heads. This is because using OPA directly requires significant implementation resources from specialized experts in policy definition and system integration. OPA also lacks any functionality that would allow non-engineers to change the policies. If you want this, you’ll need to develop custom dashboards. Then there’s also the task of running and managing the infrastructure to support OPA. In short, if you are budget constrained but have the specialized resources required to operate OPA directly, it could be a good alternative to Permit.
What are Pros of Open Policy Agent?
Open-source and free to use, with no licensing costs
Highly flexible and customizable for complex authorization needs
Strong community support and adoption in cloud-native environments
Unified policy framework that can work across multiple services
Vendor lock-in is avoided as it is not tied to any specific service
Supports advanced authorization models and custom policy definitions
What are Cons of Open Policy Agent?
Significant implementation effort required, especially for teams without expertise in policy definition and system integration
No built-in user interfaces or dashboards for non-developers to manage policies
Requires additional infrastructure and resources to run and maintain
Lacks pre-built integrations, requiring custom development for specific use cases
Can be overwhelming for smaller teams or projects with straightforward authorization needs
What is OPA’s Pricing?
OPA is open-source and free to use. However, there may be costs to implementing the solution.
4. Cerbos
A screenshot of the Cerbos policy testing interface.
If using OPA directly sounds like a daunting task, Cerbos could be a good solution. Cerbos has an open-source core with optional commercial support. This gives you pretty flexible adoption pathways based on your team’s requirements. You can start with the open-source and then buy additional support and capabilities as needed.
Cerbos includes several notable features for organizations evaluating authorization options. Cerbos uses a YAML-based policy definition system which provides a simple policy creation and management experience. Cerbos is also easier to use than OPA because it comes with application-focused design patterns out of the box. This makes it easier to plug Cerbos into your product. Compared to cloud only authorization products, Cerbos offers local deployment options. This is great for teams that need ultra low latency authorization decisions.
When looking at Cerbos, there are several things to keep in mind, though. Cerbos is one of the newer players in the market which means it has a less mature ecosystem and less robust community resources.
Additionally, Cerbos provides more limited out-of-box integration options compared to other products. This means you might need additional development for specific technology stacks. The solution also offers limited interfaces for non-technical users, which may impact adoption in organizations where non-developers need to manage authorization policies.
In short Cerbos requires more implementation effort than fully-managed alternatives, but still gives you the flexibility of an open-source core. This is great if you see OPA as daunting but don’t want to rely on a service like Permit.
What are Pros of Cerbos?
Declarative YAML policies with strong code versioning that is fully auditable and testable
Lacks pre-built authentication or identity-features
No built-in dashboards or GUIs—requires custom tooling
Fewer community plugins compared to others such as Auth0 or Keycloak
What is Cerbos’s Pricing?
Cerbos features multiple plans. Their open-source plan is free forever. Cerbos Hub begins at $0/month for up to 100 monthly active principals. Their growth subscription retails at $25/month based on monthly active principals.
Oso was built from the ground up as a microservices solution. Its architecture is designed to handle the complex authorization needs of distributed systems so it’s perfect for modern cloud native applications.
Developer Experience
Oso puts the developer experience first with clean, simple APIs and comprehensive docs. The learning curve is shorter and the integration feels more natural for engineering teams.
Migration Path
One of Oso’s biggest advantages is our dedicated migration service which can reduce migration time by up to 75%. This is especially helpful for teams moving from homegrown solutions or other authorization systems.
Flexibility
Oso offers cloud, hybrid and on-premises deployment options with 99.99% SLA so you have more control over your authorization infrastructure.
Simple Pricing
Oso’s pricing is more transparent with clear tiers starting at $149/month for startups. This is great for growing companies.
Conclusion
For companies looking for an alternative to Permit.io, Oso stands out as the best solution. It’s a modern platform, built from the ground up to be developer friendly and microservices first. It provides the best combination of flexibility and simplicity that allows your team to get started quickly, and scale effortlessly. Lastly, it’s battle tested - trusted by companies like Duolingo, PagerDuty, and Wayfair.
Oso is better in microservices environments with its purpose-built architecture and developer-friendly approach. Clearer pricing, dedicated migration services and higher SLA’s make it more attractive for engineering driven companies.
Migration complexity depends on your implementation but Oso’s dedicated migration services can reduce transition time by up to 75%. Our team will ensure 100% parity with your existing system while minimizing engineering overhead.
Can Oso support multi-tenant SaaS platforms?
Yes, Oso has multi-tenancy out of the box, so it’s perfect for SaaS applications that need to manage permissions across different customer environments.
Both have local authorization decisions to minimize latency. But Oso’s microservices first design may have performance advantages in distributed systems where authorization decisions need to be made across multiple services.
Over the years, Auth0 has established itself as a player in the world of identity and access management. They offer an authentication and authorization platform that includes social login, multi-factor authentication (MFA), and configurable login flows. It is designed for users that seek a full-featured identity platform that requires minimal setup. When it comes to authorization, Auth0 provides built-in support through Rules and Actions. For more complex authorization that goes beyond RBAC, they offer Auth0 FGA, an add-on authorization product that requires a separate implementation.
Auth0’s main dashboard
While Auth0 is a suitable identify management solution, it’s worth exploring alternatives that might better align with your specific needs and budget constraints. Having been a builder for over a decade, and having experience building in the authorization space, I have a shortlist of products that I’d consider strong alternatives to Auth0.
Why Consider Alternatives to Auth0?
Auth0's pricing structure is complex and becomes expensive quickly as you grow. While it offers authorization support, it's not designed for complex authorization models or strict compliance requirements. This becomes even more important if you’re building a product where fine-grained permissions are central to the product’s functionality.
Pricing Complexity and Cost
For Auth0, pricing starts at $35/month for 500 monthly active users and jumps to $240/month for 1,000 users on the Professional plan. These jumps in pricing can be challenging as you scale. Things get even worse if you need any of the features that are only available in higher tier plans like custom databases and advanced multi-factor auth.
For startups and growing companies, pricing alone can start to make Auth0 look less appealing.
Architectural Limitations
Although it has some authorization features, at it’s core Auth0 is designed to be an authentication solution. That means if you have a complex permission model, Auth0's role-based access control may not provide the flexibility you need for global permissions or attribute-based access control.
The platform takes an opinionated approach to identity management, which works well for standard use cases but can become limiting when you need to implement custom authorization logic that goes beyond simple role checks.
Developer Experience Challenges
Even though Auth0 has great documentation, the inherent architectural limitations of the product really harm the developer experience. To implement any complex authorization patterns, you’ll find yourself writing significant customer code or workarounds. This usually means your authorization logic ends up scattered throughout your application, making it harder to maintain and reason about.
For teams focused on iteration speed and developer velocity, the time sink of implementing and maintaining these authorization patterns in Auth0 can be painful.
Top Alternatives to Auth0
1. Oso
A look at Oso’s product
Oso is the best alternative to Auth0. It’s an authorization product that takes a different approach by providing a specialized policy-as-code platform. Since Oso is purpose-built for authorization, it has a declarative policy language that simplifies expressing complex permission logic.
Pros of Oso has over Auth0:
Declarative Policy Language: At Oso, we created the Polar language to enable developers to easily express authorization rules in a maintainable and readable way. This also allows you to centralize your authorization logic as opposed to scattering it across your codebase.
Framework-agnostic integration: Oso has SDKs for all major programming languages, so you can have consistent authorization across your entire stack.
Developer-first approach: With a free tier that’s actually useful for learning and experimentation, and pricing that scales more gradually (starting at $149/month for the Startup plan), Oso has a more predictable cost structure than Auth0’s tiered approach.
Specialized for authorization: While Auth0 is great at authentication, Oso is focused on solving the authorization problem, with more advanced tools for complex permission models.
In summary, Oso is:
Purpose-built declarative authorization
Centralized, code-native authorization logic
Focused on higher-grade tooling for advanced access control
Works alongside existing authorization systems
Cons of Oso:
No integrated identity provider: Oso is purpose-built for application authorization, so you'll supply your own identity provider.
Closed-source approach: Unlike some Authorization providers, Oso has no open-source version of their cloud offering. If open-source is important to you, this may be a negative.
What is Oso’s Pricing?
Oso offers diverse pricing fit for specific scales of businesses. Developer-tier starts at $0/month, where as startup-tier begins at $149/month. Their growth-tier and migration services over custom pricing based on a consultation with an expert.
2. Okta
A preview of Okta’s dashboard interface
Okta is a full identity platform that competes directly with Auth0 (in fact, Okta acquired Auth0 in 2021, but they keep separate product lines). Okta has enterprise-grade identity management with strong SSO and many integrations.
Okta is grown to be more enterprise-focused than Auth0, with pricing and features for larger organizations. For smaller teams and startups, it can be overkill, especially due to its complex implementation requirements relative to other developer-focused alternatives. However, a Fortune 500 buyer would likely want to take a demo with Okta Cloud while also exploring other developer-first solutions like Oso.
Pros of Okta Identity Cloud:
Extensive integration library
Platform is not tied to a specific ecosystem
Centralized management of identities and policies
Adaptive multi-factor authentication
Deep B2E Capabilities
Cons of Okta Identity Cloud:
More Complex for Developers
Similar features across multiple products can lead to confusion in picking the right tool
Limited on-prem support
Advanced customizations may require additional development effort
Separate Offerings for Dev vs Enterprise
What is Okta Identity Cloud’s Pricing?
Okta Identity Cloud features premium pricing compared to some competitors and complex enterprise deployments requiring specialized expertise. Some users complain that similar features are present across multiple Okta products, sometimes making it confusing to know which product to use for a specific task. Okta does have a beginner tier, however, retailing at $6/user/month.
3. Keycloak
A look at Keycloak's admin dashboard
Keycloak is a comprehensive open-source identity and access management solution that provides enterprise-grade capabilities without licensing costs. For teams that value open-source, Keycloak is a strong candidate. Developed by Red Hat, Keycloak has strong feature parity with Auth0 (social login, MFA, customizable user flows).
The main advantage is cost: being open source, you can deploy Keycloak without license fees. But that means you having to manage your own infrastructure and security updates, requiring dedicated DevOps resources.
For organizations building customer-facing applications, Keycloak can be economical in price. Keycloak doesn’t have per-user licensing fees, enabling organizations to scale to millions of users without escalating identity costs. Accordingly, Keycloak is popular amongst consumer applications, SaaS platforms, and other scenarios with large or unpredictable user bases.
4. Supabase Auth
An overview of Supabase Auth’s privileges
Supabase Auth is an open-source authentication and authorization service tightly integrated with Postgres RLS. For teams already using Supabase for database or backend services, this auth system is a streamlined alternative to Auth0 with simple integration.
While not as feature-rich as Auth0 for complex enterprise scenarios, Supabase Auth is a good option for startups and smaller teams with simple pricing based on your Supabase usage rather than per-user. For hobbyists, Supabase Auth is particularly a great option given its friendly pricing and broader ecosystem libraries. However, it lacks more complex out-of-the-box functionality required by enterprise organizations.
Pros of Supabase Auth:
Tight integration with Postgres
Built-in social and email auth
Great DX for fullstack apps
Open-source Firebase alternative
Realtime and event hooks
Cons of Supabase Auth:
Postgres-centric
Harder for frontend-heavy teams to implement as enforcing RLS requires strong SQL knowledge
No granular Authz SDK
Premature for enterprise use
Limited identity federation
What is Supabase Auth’s Pricing?
Supabase offers a free-tier with 50,000 MAU and limited specs. Upgrading to the higher-tiers offers better specs, with the next being the pro-tier retailing from $25/month.
Feature Comparison Table
Feature
Auth0
Oso
Okta
Keycloak
Supabase Auth
Deployment model
Cloud, Private Cloud
Cloud, Hybrid, On-prem
Cloud, On-prem
Self-hosted
Cloud
Policy language
Limited (ReBAC)
Declarative (Polar)
Limited (RBAC)
XML-based
Basic RBAC
Multi-tenancy support
Limited in lower tiers
Native
Enterprise tier
Yes
Basic
Pricing flexibility
Tiered, jumps at thresholds
Gradual scaling
Enterprise-focused
Open source
Usage-based
SDK support
Extensive
All major languages
Extensive
Good
Limited to web/mobile
Developer experience
Good documentation, complex implementation
Developer-first, simplified
Enterprise-focused
Steep learning curve
Simple, limited scope
Support options
Tiered by plan
All plans include support
Enterprise-grade
Community
Limited
Note: This comparison is based on features available as of May 2025. Always check the providers' websites for the most current information.
Why Oso Over Auth0?
For applications where authorization is a core part of your application, Oso has several advantages over Auth0:
Centralized Authorization Logic
With Oso, you can define all your authorization rules in one place using a declarative policy language. This makes your permissions easier to understand, audit, and maintain compared to Auth0 where authorization logic is spread across your application code.
Flexible Permission Models
Oso is great at implementing complex permission patterns like attribute-based access control (ABAC) and global roles that go beyond Auth0’s pure relationship-based approach. This is important for applications with complex permission requirements.
Developer Productivity
As compared to Auth0, implementing authorization with Oso requires much less custom code if you’re looking to build complex permission scenarios. This is thanks to the clean abstractions that Oso provides for authorization. The result is faster development cycles and fewer authorization related bugs than implementing the same features with Auth0.
Scalable Pricing
Oso's pricing model also scales more gradually than Auth0's tiered approach. It starts at $149/month for the Startup plan with 300 MAUs. This provides more predictable costs as your user base grows, avoiding the significant jumps in Auth0's pricing tiers.
Conclusion
Auth0 is still a good choice for authentication, but teams building applications with complex authorization needs should consider alternatives like Oso that specialize in application authorization. By separating authentication from authorization, you can use the best tool for the job rather than compromise with a one size fits all solution.
For senior engineers evaluating auth solutions the key is to assess your specific requirements around both authentication and authorization. If your application needs permission models more complex than simple role checks a specialized authorization solution like Oso paired with your authentication system of choice may be more maintainable and cost effective than relying solely on Auth0.
Ready to see how Oso can help with your authorization needs? Start with their free Developer tier to try out the platform or talk to their engineering team to chat about your use case.
FAQ
Why is Oso better than Auth0?
Oso focuses exclusively on authorization and has more advanced tools for complex permission models than Auth0’s more general purpose approach. With Oso’s declarative policy language you can express complex authorization rules more clearly and maintain them in a central location rather than scattering authorization logic throughout your application code like you do with Auth0.
How hard is it to migrate from Auth0 to Oso?
Migration complexity depends on your current implementation, but Oso is designed to work alongside your existing auth system. This means you can keep Auth0 for authentication and adopt Oso for authorization and do an incremental migration. Oso also offers migration services that can reduce engineering overhead and ensure parity with your existing system.
Can Oso support multi-tenant SaaS platforms?
Yes, Oso is built with multi-tenancy in mind and has native support for tenant isolation and per-tenant authorization rules. This makes it well suited for SaaS applications compared to Auth0 where implementing robust multi-tenancy requires significant custom development.
Authorization and authentication are the foundation of modern application security. They decide who can access what and when, serving as critical infrastructure that protects your data and users. As cyber threats get more sophisticated, strong authorization and authentication matter more and more for all organizations.
In 2025, there are many authorization tools, with solutions for every organization, environment, and security requirement. From cloud native to open-source, the options can feel endless.
In this article, I will cover the top 21 authorization systems with a focus on solutions that are actively maintained, well-documented, and known for their reliability and performance. Some of these solutions are mainly focused on authentication with minimal authorization functionality, but I still include them for completeness. Whether you’re building a new application or strengthening your existing security stack, this guide will help you navigate the authorization maze and make informed decisions for your needs.
Developer-Focused Authorization Tools
Developer-focused authorization tools prioritize integration simplicity, flexible implementation, and specialized capabilities that address the unique challenges of modern application development.
1. Oso Cloud
A screengrab of the Oso user interface.
Oso Cloud is a specialized authorization-as-a-service platform for developers who need fine-grained access control without the complexity of traditional solutions. Unlike full-stack IAM platforms that try to solve all identity problems, Oso focuses on authorization with a developer-first approach.
I would argue that Oso Cloud’s magic is in its purpose-built Polar language for authorization modeling. This declarative language makes complex authorization patterns accessible to developers without security expertise. Instead of implementing authorization logic across all your API endpoints, you can define central policies that express access rules in a way that’s both powerful and readable.
The hybrid architecture gives you unprecedented flexibility in data handling. This, in my opinion, is very important to security-conscious orgs. While many authorization solutions force you to centralize all data, Oso lets you choose what data to centralize vs what to keep in your app databases. Notably, this eliminates the overhead of full data replication while still giving you central policy management—perfect for microservices.
Oso Cloud integrates with any authentication system rather than providing an all-in-one identity solution. This specialization delivers exceptional authorization capabilities but requires pairing with a separate authentication provider for complete identity management.
Pros of Oso:
Purpose-built declarative authorization
Centralized, code-native authorization logic
Focused on higher-grade tooling for advanced access control
Works alongside existing authorization systems
Cons of Oso:
No integrated identity provider: Oso is purpose-built for application authorization, so you'll supply your own identity provider.
Closed-source approach: Unlike some Authorization providers, Oso has no open-source version of their cloud offering. If open-source is important to you, this may be a negative
What is Oso’s Pricing?
Oso offers diverse pricing fit for specific scales of businesses. Developer-tier starts at $0/month, where as startup-tier begins at $149/month. Their growth-tier and migration services over custom pricing based on a consultation with an expert.
2. Auth0
A snapshot of Auth0’s dashboard panel.
Auth0 is a platform centered around identity management, making advanced authentication and authorization available through clean-cut APIs and SDKs. Unlike traditional enterprise IAM solutions that put administrative controls first, Auth0 was built from the ground up to make identity simple for developers.Auth0 provides built-in support for basic authorization through Rules and Actions. For more complex authorization that goes beyond RBAC, they offer Auth0 FGA, an add-on authorization product that requires a separate implementation.”
Auth0 has an extensible model. With Rules, Hooks, and Actions, developers can customize authentication flows without touching application code. This makes Auth0 particularly strong at adaptations—from enriching user profiles with data from external systems to limited custom authorization logic.
Auth0’s pre-built components save implementation time. Instead of spending weeks building secure login flows, password reset functionality, and social login integration, developers can use Auth0’s drop-in widgets and libraries to implement these features in hours with security built-in.
Pros of Auth0:
Drop-in components reduce dev time
Customizable workflows
Extensive SDK coverage
Rich authentication features
Enterprise integration capabilities
Cons of Auth0:
Pricing can easily become premium with advanced features
Proprietary lock-in risk
Harder to self-host or audit
Complex to manage at scale
Advanced authorization models require implementing an additional product.
What is Auth0’s Pricing?
Auth0 offers a free-tier as well as premium-tiers. The most basic of the premium-tiers can range from $35-$150/month for 500 users based on use case. They also offer yearly pricing, as well as range to pick monthly active users.
3. Amazon Cognito
Amazon Cognito is a full authentication and authorization service deeply integrated with the AWS ecosystem. Unlike standalone identity providers, Cognito provides native access to AWS services while supporting applications hosted anywhere. For organizations that strongly prefer an all-in-one solution, choosing Amazon Cognito alongside the AWS stack is an intuitive option.
Cognito’s value is a function of its scalability and pay-as-you-go pricing. The service can handle authentication for millions of users with no upfront costs or capacity planning. This is helpful for consumer facing applications with unpredictable growth or seasonal usage spikes.
Cognito’s user pools and identity pools provide a flexible foundation for different identity scenarios. User pools manage user directories and authentication, while identity pools provide temporary AWS credentials to access backend resources. This allows developers to have fine grained control over authenticated users and anonymous visitors.
Pros of Amazon Cognito:
AWS-Native integration
Massive scalability
Flexible identity models
Secure and Compliant
Cost-effective for apps with variable user loads
Cons of Amazon Cognito:
Poor developer experience
Basic authorization features
No local dev tools
Limited UI customization capabilities
Feature development lags behind modern auth trends
What is Amazon Cognito’s Pricing:
Amazon Cognito offers a pay-as-you-go pricing model making it cost effective with usage variance. They offer a free-tier for the first 10,000 users and charge per user based on region after crossing the threshold. They also offer more advanced-tiers, which come at greater costs and no free trials.
4. Keycloak
A look at Keycloak's admin dashboard.
Keycloak is a comprehensive open-source identity and access management solution that provides enterprise-grade capabilities without licensing costs. Unlike proprietary IAM platforms, Keycloak offers complete control over your identity infrastructure, making it particularly attractive for organizations concerned about vendor lock-in.
Keycloak is ideal for organizations that are seeking a feature-rich but also flexible solution. The platform provides sophisticated capabilities including single sign-on (SSO), multi-factor authentication (MFA), social login, and fine-grained authorization (FGA)—all with extensive customization options through themes, service provider interfaces (SPIs), and direct code modifications.
For organizations building customer-facing applications, Keycloak offers significant cost advantages. Without per-user licensing fees, you can scale to millions of users without escalating identity costs. This makes it particularly valuable for consumer applications, SaaS platforms, and other scenarios with large or unpredictable user bases.
5. Cerbos
A visual of Cerbos’s home interface.
Cerbos is an open source authorization service that decouples permission logic from application code. Unlike traditional approaches where authorization rules are scattered throughout the application, Cerbos centralizes policies in declarative YAML files that can be versioned, tested, and audited independently.
For organizations that care about the developer workflow, Cerbos is a strong candidate alongside other developer-first solutions like Oso. The platform provides local development tools, policy testing frameworks, and CI/CD integration—so authorization is part of the development process, not an afterthought. This "shift-left" approach helps catch authorization bugs early before they become security incidents.
Cerbos is great at handling complex, attribute-based authorization scenarios. The policy language supports complex rules that consider resource attributes, user context, and environmental factors when making decisions. This allows for precise permissions that adapt to business requirements without code changes.
Pros of Cerbos:
Declarative YAML policies versioned with code—fully auditable and testable
Common patterns like ReBAC are complicated to model in YAML
No built-in dashboards or GUIs—requires custom tooling
Fewer community plugins compared to others such as Auth0 or Keycloak
No role or group management
Needs strong policy design
What is Cerbos’s Pricing?
Cerbos offers multiple plans. Their open-source plan of course is free forever. Cerbos Hub begins at $0/month for up to 100 monthly active principals. Their growth subscription retails at $25/month based on monthly active principals.
Enterprise Identity and Access Management Solutions
Enterprise Identity and Access Management (IAM) solutions provide comprehensive platforms for managing user identities, authentication, and authorization across large organizations. These solutions typically offer robust features for governance, compliance, and security at scale.
6. Microsoft Entra ID
An overview of Microsoft Entra admin center.
Microsoft Entra ID is a cloud-based identity and access management service that is a core piece of Microsoft’s broader identity ecosystem. Similar to AWS Cognito, Microsoft Entra ID is natively integrated with the Microsoft ecosystem while also having cross platform support. Accordingly, Microsoft Entra ID is a strong fit for organizations deeply rooted in other Microsoft products like Azure and Active Directory.
Microsoft Entra ID’s intelligent conditional access engine evaluates risk in real-time based on user behavior, device health and location. Do note that advanced security features require premium licenses which can be expensive, even for large organizations.
Pros of Microsoft Entra ID:
Seamless Microsoft ecosystem integration
Intelligent conditional access
Hybrid identity support
Cross-platform compatibility
Advanced security features
Cons of Microsoft Entra ID:
Premium licensing costs
Complex configuration
Dependency on Azure
Steep learning curve
What is Microsoft Entra ID’s Pricing?
Microsoft Entra ID features higher pricing compared to some competitors. However, it also sports a beginner-tier, retailing at $6/user/month with annual commitment.
7. Okta Identity Cloud
An illustration of Okta’s dashboard user interface.
What is Okta Identity Cloud?
Okta Identity Cloud is a cloud-based identity platform with a focus on usability and integration breadth. Unlike many IAM solutions tied to specific ecosystems, Okta is independent and is a universal identity layer across multiple technology environments.
With over 7,000 pre-built integrations, Okta connects to almost any application without custom development. Unified admin features provide a single pane of glass for managing identities and policies. Developers get comprehensive SDKs and documentation to embed identity into custom applications.
Okta, however, features a noteworthy tradeoff: you get extensive integrations and feature-rich centralized management, but at a hefty price and with limited on-prem support. In essence, Okta trades an economical price and some security guarantees for any easy experience.
Pros of Okta Identity Cloud:
Extensive integration library
Platform is not tied to a specific ecosystem
Centralized management of identities and policies
Adaptive multi-factor authentication
Developer-friendly tools
Cons of Okta Identity Cloud:
Premium pricing compared to some competitors
Similar features across multiple products can lead to confusion in picking the right tool
Limited on-prem support
Advanced customizations may require additional development effort
What is Okta Identity Cloud’s Pricing?
Okta Identity Cloud features premium pricing compared to some competitors and complex enterprise deployments requiring specialized expertise. Like Microsoft Entra ID, Okta has a beginner tier also retailing at $6/user/month.
8. Ping Identity
A UI preview of Ping Identity’s product.
Ping Identity is a multi-cloud offering with flexible deployment options including cloud, on-premises, and hybrid support. What sets Ping apart is its focus on large enterprises and regulatory compliance. Ping is worth evaluating if you are a global company handling complex identity challenges.
The platform has strong federation for complex scenarios across multiple domains, specialized tools for securing APIs and microservices, and an enterprise-grade architecture that can handle millions of identities without performance degradation.
That said, implementing Ping does requires expertise, especially for complex environments. The admin interface is a lot more intricate than cloud-only options. Some integrations require a custom config. Additionally, the solution carries a hefty price tag.
Pros of Ping Identity:
Flexible deployment options
Excels in complex scenarios across multiple domains
API and Microservices security
Enterprise-Grade scalability
Compliance focused
Cons of Ping Identity:
Complex administration interface
Custom configuration requirements
Enterprise focus leads to steeper price point
Complexity and cost may be less appealing to small/medium sized businesses
What is Ping Identity’s Pricing?
Ping identity has their premium pricing split into two categories: customer and workforce. The base plan for each is $35k/year and $3/user/month respectively.
9. IBM Security Verify
An example of IBM Security Verify’s user interface
IBM Security Verify is an AI-enhanced IAM platform that fuses identity governance with real-time risk analytics for high-compliance enterprises.
IBM Security Verify combines traditional IAM with AI driven security analytics, so it is particularly useful for organizations that prioritize risk-based security. Unlike many IAM solutions that treat security as an afterthought, IBM has built its platform with security intelligence at the heart.
What makes IBM Security Verify unique is its integration with the broader IBM security ecosystem. The platform shares threat intelligence and security context across multiple security domains, giving a more complete view of risk than standalone IAM solutions can.
The platform sports fairly strong AI-driven risk detection. Advanced algorithms detect suspicious behavior and potential account compromise in real time, so risk can be mitigated before damage is done. This is especially useful for high privilege accounts that could cause massive damage if compromised.
Using IBM Security Verify can be a good idea if you’re already using IBM security products, need robust identity governance capabilities, or have a large compliance burden. There is a notable downside though: the implementation is quite involved and the product is not user-friendly.
Pros of IBM Security Verify:
AI-driven security analytics
Integration with IBM’s vast ecosystem
Robust identity governance
Designed to meet rigid regulatory requirements
Enterprise-level scalability
Cons of IBM Security Verify:
Deployment can be complex and time-consuming
Not the most user-friendly interface
Resource intensive for optimal performance
Limited third-party integrations
What is IBM Security Verify’s Pricing?
IBM Security Verify pricing is offered based on use case meaning the monthly user cost will be fully dependent on the population of individuals and which of their 4 use cases are selected. The estimated cost for 1,000 users can range between $1.989 -$4.044/use case/user/month.
10. CyberArk Identity
A view of the CyberArk Identity application settings page.
CyberArk Identity is a privileged-access-first IAM suite that locks down admin credentials, rotates secrets automatically, and records every high-risk session.
CyberArk Identity focuses on privileged access—the administrative accounts and high-privilege identities that are the biggest risk to your organization. Unlike general purpose IAM solutions, CyberArk built its platform with privileged security as a core component.
What sets CyberArk apart is its comprehensive credential management. The platform stores credentials securely, rotates them automatically, and monitors them in detail including passwords, SSH keys, and certificates. This reduces the risk of credential theft and misuse which are common attack vectors in major breaches.
CyberArk’s session monitoring records and audits privileged sessions for another layer of security. This creates accountability for administrative actions and provides valuable forensic information in the event of a breach. Security teams can see exactly what was done during privileged sessions to identify potential misuse or compromise.
For organizations that specifically care about session monitoring and compliance auditing, CyberArk is a strong candidate. It’s also a product optimized for least privilege principles with support for just-in-time (JIT) access that minimizes standing privileges.
Pros of CyberArk Identity:
Privilege access focused
Comprehensive credential management
Session monitoring and auditing
Seamless integration with security tools
Cons of CyberArk Identity:
Implementation complexity
Premium price point
Network management limitations
May lack broader IAM capabilities
What is CyberArk Identity’s Pricing?
Although CyberArk Identity’s pricing is not publicly available, they offer self-serve free trials, demos, and consultations to test the product and receive pricing before deciding to purchase it for you or your team.
11. OneLogin
A peek at the OneLogin directory types.
OneLogin is a cloud-based identity and access management (IAM) platform that delivers fast single sign-on and MFA for workforce and customer apps.
Some of the IAM solutions that we’ve discussed so far put an emphasis on features over user experience. OneLogin on the other hand has designed its platform with simplicity in mind. For organizations that want a simple IAM solution with strong security, OneLogin is a good candidate.
Accordingly, OneLogin’s value is a matter of time-to-value. The streamlined implementation process allows you to deploy core IAM capabilities in days, not months. It ships with security benefits without professional services engagements. This is especially helpful for mid-sized companies with limited IAM expertise.
OneLogin’s directory integration is comprehensive. The platform supports multiple directory sources including Active Directory, LDAP, and HR systems. This allows you to keep your identity data in authoritative sources and extend access management to cloud applications and resources.
Pros of OneLogin:
User-friendly interface
Streamlined implementation allows for rapid deployment
Supports multiple directory sources
Centralized access control
Productivity enhancement
Cons of OneLogin:
Premium pricing for smaller businesses
Limited advanced features than some competitors
Limited customization options
Scalability concerns
Additional configurations may be needed for some integrations
What is OneLogin’s Pricing?
OneLogin’s pricing is based on the scale of identity you need (Workforce, B2B, Customer and Education). Although their pricing for most identity packages are not public, the basic Workforce Identity bundle is, retailing at $4/user/month.
Open Source Authorization Solutions
Open source authorization tools provide flexibility, transparency, and community-driven innovation without the licensing costs of proprietary solutions. These tools are particularly valuable for organizations that need customization options and want to avoid vendor lock-in.
12. OpenFGA
OpenFGA (Fine-Grained Authorization) is an open-source authorization system inspired by Google’s Zanzibar paper, the same technology that powers permissions at companies like Google, GitHub and Netflix. Unlike traditional role-based systems, OpenFGA is relationship-based (ReBAC) which makes some arrangements easier and others overly-complex.
OpenFGA can be configured to handle authorization at scale. The system is designed for high performance, with authorization checks that complete in milliseconds even with complex relationship graphs. This means you can make many authorization decisions in real time without introducing latency.
OpenFGA’s modeling language lets you express authorization relationships in a simple way. Instead of complex code, you define models that represent how users relate to resources—like ownership, membership or custom relationships—so even complex permission schemes are understandable and maintainable.
For organizations that are open to investing heavy developer hours into implementation, OpenFGA can provide a customizable and scalable solution.
Pros of OpenFGA:
Built for scale
Relationship-based authorization
Clear modeling language
Optimized response times for authorization decisions
Vendor-neutral and modular
Cons of OpenFGA:
Newer platform with fewer integrations and tutorials compared to more established projects
OpenFGA is open-source meaning there are no licensing costs, however, there may be significant operational costs.
13. Casbin
Casbin is a powerful and flexible authorization library that supports almost any permission scenario. Unlike solutions tied to specific paradigms, Casbin can implement RBAC, ABAC, ReBAC and other models or even combinations of these through its model-based approach.
Casbin also features a language-agnostic design. With implementations for Go, Java, Node.js, PHP, Python, .NET and many other languages, Casbin provides the same authorization capabilities across different stacks. For organizations with heterogeneous environments, Casbin can be an attractive solution.
Casbin’s enforcement architecture separates the authorization model from policy storage, so you can store policies in files, databases, or custom backends—and the same enforcement logic will work. This separation allows you to adapt to different infrastructure requirements without changing your application code.
Pros of Casbin:
Multi-model support
Language-agnostic
Customizable policy backend
Simple yet powerful modeling
Requires minimal external dependencies
Cons of Casbin:
No native policy syncing
Limited tooling and UI
No policy-as-code workflow
Complex logic can be hard to debug
Manual identity integration
What is Casbin’s Pricing?
Casbin is open-source. Accordingly, there are no licensing costs. However, there are naturally operational costs of leveraging the solution.
14. OPAL
A demo of getting started with OPAL.
OPAL (Open Policy Administration Layer) is an open-source project that solves the problem of distributing authorization data and policies. Unlike traditional authorization systems that only focus on decision making, OPAL keeps policy agents up-to-date with the latest policies and data.
What makes OPAL special is it can detect changes in policies and data sources and push those updates to policy agents across distributed environments. Real-time sync means consistent authorization decisions even in complex microservices environments where traditional approaches lead to inconsistencies.
OPAL’s flexible integration allows it to work with multiple policy engines and data sources. Whether you’re using Open Policy Agent (OPA), AWS Cedar. or other policy engines, OPAL can keep them up to date with the latest information from APIs, databases, Git repositories, and other sources, creating a complete authorization system.
Pros of Opal:
Real-time policy sync
Pluggable policy engine
Built for distributed systems
Live feed from data sources
Decoupled decision-making from data propagation
Cons of Opal:
Not a policy engine itself
Operational overhead
Limited documentation and maturity
No UI for admin or end-user
Requires deep system integration—more effort for simple use cases
What is Opal’s Pricing?
Opal itself doesn't have a cost, but integrating it into your environment and potentially using related services from vendors might incur costs
Permit.io is a policy-as-code authorization platform that offers both open-source self-hosting and a managed cloud for fine-grained access control.
Permit gives developers a mixed value-prop: the flexibility of open-source software and the convenience of cloud services. That hybrid approach means development teams don't have to choose between the two. That's particularly valuable for developers who don't have the time or expertise to set up and manage their own authorization systems from scratch.
What really sets Permit apart is its focus on making developers' lives easier. The platform provides the tools (SDKs, management interfaces, and deployment tools) that let teams build sophisticated authorization systems without needing a team of security experts. That means teams can get fine-grained permissions up and running much faster.
One of the key benefits of Permit's “policy-as-code” approach is that it keeps authorization logic separate from application code. That means you can manage and enforce authorization policies centrally across all your services. Policies can be version-controlled, tested, and deployed independently of your app updates. That makes your authorization system more maintainable and secure.
Pros of Permit:
Hybrid model: Open-source + Cloud
Designed with developer-friendly tooling
Centralized policy-as-code
Visual access control UI
Multi-tenant and attribute-based support
Cons of Permit:
Smaller community compared to others
Authorization focused only
Still gaining ecosystem depth
Might be more overhead for teams wanting simple access rules
What is Permit’s Pricing:
Even though Permit offers a free open-source plan, they also have cloud-based plans with the basic plan starting at $5/month for up to 25,000 MAU and 100 tenants.
16. Cedar by AWS
Cedar is AWS’s open-source policy language and authorization engine that provides a powerful yet approachable way to implement policy-as-code. Unlike general purpose programming languages used for authorization, Cedar is purpose-built for expressing access control policies with a syntax that’s both powerful and readable.
What makes Cedar a strong candidate is its support for multiple authorization paradigms. The language can express role-based access control (RBAC), attribute-based access control (ABAC), and even relationship based patterns in a single syntax. Accordingly, you can implement the permission model that you need without switching between different tools.
Cedar’s automated reasoning capabilities set it apart from many authorization solutions. The system can analyze policies to validate properties, detect conflicts, and optimize evaluation. These are capabilities that help prevent security gaps from getting to production. This “shift left” approach to authorization improves security and reduces operational incidents.
Pros of Cedar:
Purpose-built authorization language
Automated policy analysis
AWS-backend and open-source
Integration ready
Shift left security
Cons of Cedar:
Premature ecosystem
Not a complete IAM
No built-in distribution layer
Limited UI and admin support
New DSL that developers must learn and maintain
What is Cedar’s Pricing?
Cedar offers pricing based on authorization requests per month. Their most basic pricing retails at $0.00015/ req for the first 40 million requests.
Specialized Authorization Tools
17. NextAuth.js
NextAuth.js is an authentication and authorization solution for Next.js applications—it’s the natural choice for React developers using this framework. Unlike general purpose identity solutions, NextAuth.js integrates with Next.js’s server side rendering and API routes for a frictionless developer experience.
What makes NextAuth.js so valuable is it’s simplicity. With just a few lines of code, you can have secure authentication with OAuth providers, email/passwordless login, and database sessions. This reduces the time it takes to implement secure authentication while following security best practices.
For developers that care about flexibility in session handling and data storage, NextAuth.js is a strong candidate. The library can work with or without a database and supports multiple session strategies including JWT and database sessions. This means you can choose whatever option is best for your application architecture and performance requirements.
Pros of NextAuth.js:
Deep Next.js integration
Minimal setup for maximum output
Flexible session handling
Comes with built-in support for dozens of OAuth providers
Self-hosted and free
Cons of NextAuth.js:
Tightly coupled to Next.js
No fine-grained authorization
No admin UI
Limited enterprise features
What is NextAuth.js’s Pricing?
NextAuth.js is a free, open-source community project.
18. Zitadel
A look at Zitadel’s welcome page.
ZITADEL is an open-source identity and access management platform purpose-built for multi-tenant SaaS products, blending developer-friendly APIs with enterprise features.
ZITADEL combines the simplicity of Auth0 with the open-source commitment of Keycloak. Unlike many identity solutions that focus on either developer experience or enterprise features, ZITADEL does both.
For organizations with multi-tenant architectures, ZITADEL is a strong solution. The platform is designed from the ground up to support B2B scenarios where you need to manage separate companies in one system. This makes it perfect for SaaS applications that serve multiple business customers with different user bases.
ZITADEL’s API-first design means every feature is programmable, so developers have full control over the identity experience. The platform also comes with ready-to-use UI components to speed up implementation without sacrificing customizability.
Pros of Zitadel:
Designed for multi-org SaaS apps
Exposes 100% of its functionality via APIs and gRPC
Open-source with hosted option
Out-of-the-box enterprise features
Customizable UI components
Cons of Zitadel:
Self-hosting can be complicated
Less ideal for small projects
Dense documentation
Still maturing their ecosystem
Only supports RBAC
What is Zitadel’s Pricing?
Zitadel offers a free basic-tier for up to 100 daily active users. Upgrading to the pro-tier comes with a starting price point of $100/month for up to 25,000 daily active users, which can be adjusted for more users.
19. SuperTokens
A flowchart visual of SuperTokens’s product.
SuperTokens is an open-source authentication and session-management framework that lets you add secure login flows to web and mobile apps in minutes.
SuperTokens gives you both a great user experience and robust security. SuperTokens is particularly great for organizations the value a modular design. You get the core components you need for session management (and nothing more), along with optional modules that add social login, passwordless authentication, and user management capabilities. Developers can pick and choose the features they need, streamlining their implementation.
At the heart of SuperTokens are three main components: the Frontend SDK for user interfaces, the Backend SDK for API integration, and the SuperTokens Core—where security operations happen. This separation of duties gives you the flexibility to implement things your way, while ensuring security-critical operations are always handled the same way.
Pros of SuperTokens:
Modular and lightweight
Granular session control
Front and back-end SDKs
Open core with commercial cloud
Simple customization of auth flows
Cons of SuperTokens:
Not framework agnostic yet
No Built-in advanced authorization
Missing enterprise protocols
Limited admin dashboard
Smaller ecosystem than others
What is SuperTokens’s Pricing?
SuperTokens offers free and open-source self-hosting with no limit on MAUs. Their cloud version on the other hand retails at $0.02/MAU after 5,000 MAU.
Hanko is an open-source authentication solution that focuses on passwordless and passkey authentication. They have stemmed some traction as the industry gravitates away from traditional passwords towards alternative strategies. Unlike other authentication systems that treat passwordless as an add-on feature, Hanko is built around modern authentication methods.
Hanko supports FIDO2/WebAuthn for passkey authentication. This makes the platform compatible with Apple, Google, and Microsoft’s device push towards passkey adoption.
Hanko’s developer toolkit includes both backend services and frontend components that work together. The backend handles the complex cryptographic operations of passkey authentication, and the frontend components provide ready to use interfaces for user registration and login, streamlining implementation.
Pros of Hanko:
Top-tier passkey support
Modern, passwordless-first UX
Offers drop-in UI and backend APIs
Open-source and lightweight
Privacy-oriented design
Cons of Hanko:
Password-based login not included—will need to integrate or build separately if needed
Not a full IAM platform
WebAuthn can be tricky
No centralized policy or authorization layer
What is Hanko’s Pricing?
Hanko offers a beginner-tier for free, including 10,000 MAU and 2 projects. Upgrading to the pro-tier offers more features starting at $29/month.
21. Supabase Auth
A peek at Supabase Auth’s privileges.
Supabase Auth is an open-source authentication and authorization service tightly integrated with Postgres row-level security. It’s part of the Supabase platform, an open-source Firebase alternative. Unlike standalone auth solutions, Supabase Auth is deeply integrated with database access control so you can secure both auth and data access in one place.
Supabase Auth notably supports Row-Level Security (RLS) integration in Postgres. The system ties user identity directly to database permissions, so you can define access rules at the data level. This means you have a powerful authorization system enforced by the database itself, not separate application logic. Supabase Auth is ideal for Postgres-first organizations that want to use the database as the central authority on authentication, authorization, and data custody.
Supabase Auth supports multiple auth methods: email/password, magic links, OAuth providers, and phone auth. This means you can implement the auth experience that’s best for your app while keeping security and user management consistent.
Pros of Supabase Auth:
Tight integration with Postgres
Built-in social and email auth
Great DX for fullstack apps
Open-source Firebase alternative
Realtime and event hooks
Cons of Supabase Auth:
Postgres-centric
Harder for frontend-heavy teams to implement as enforcing RLS requires strong SQL knowledge
Not designed for higher-level abstractions and business logic
No granular Authz SDK
Premature for enterprise use
Limited identity federation
What is Supabase Auth’s Pricing?
Supabase offers a free-tier with 50,000 MAU and limited specs. Upgrading to the higher-tiers offer better specs, with the next being the pro-tier retailing from $25/month.
Conclusion
As we’ve looked at the top 21 authorization systems and tools for 2025, some patterns emerge. Enterprise solutions are adding AI-driven security analytics and adaptive authentication, cloud providers are refining their native authorization systems with policy-based approaches, developer-friendly tools are making advanced authentication more accessible and open-source options provide flexibility without compromise.
When choosing an authorization system for your organization consider the following:
For most development teams the most important thing is speed and simplicity. If that’s the case for you, Oso Cloud, Auth0, Supabase or ZITADEL are the way to go.
Large enterprises with complex hybrid environments: Microsoft Entra ID, Ping Identity or IBM Security Verify have the breadth of capabilities and scale you need.
Organizations deeply invested in specific cloud ecosystems: AWS IAM/Cedar or Google Cloud IAM are the way to go.
Budget-conscious organizations with technical expertise: Keycloak or OpenFGA are the best value.
Organizations with specialized security requirements, especially in regulated industries: CyberArk Identity, Thales SafeNet or Entrust are the way to go.
The space is changing fast with zero trust architectures, passwordless authentication, and fine-grained access control. By understanding what’s available today, you can build more secure, efficient, and user-friendly applications that protect your most valuable assets while enabling access for legitimate users.
When building modern applications, few decisions impact security, scalability, and user experience as profoundly as how you design access control. Historically, many development teams start with a simple RBAC model and implement the authorization logic in their application code. But as requirements evolve, it often becomes necessary to blend elements of RBAC, ABAC, and ReBAC to meet real-world demands. The idea that these are perfectly distinct models gives the incorrect impression that companies choose one and stick with it, when in reality, teams gradually layer models based on evolving needs.
In this article, we'll examine the three dominant access control models—RBAC, ABAC, and ReBAC—comparing their strengths, limitations, and ideal use cases. We'll help you understand which model (or combination) best suits your application's needs and how to implement it effectively. We’ll also explore how Oso can simplify implementation of fine-grained access control, giving you ultimate flexibility to model your data.
Understanding the Access Control Landscape
Access control is fundamentally about answering a simple question: "Who can do what with which resources?" The way that you answer that seemingly simple question depends on who the users are, how the resources are structured, and what context (i.e. organization, timing, geography) matters.
Role-Based Access Control (RBAC)
RBAC is the most widely adopted access control model. It assigns permissions to roles, and users inherit those permissions when assigned to roles.
With RBAC, users have defined roles that determine the data that they can access. It works best for organizations with well-defined job functions and hierarchies.
For example, in a content management system:
Editors can create and edit content
Reviewers can approve or reject content
Administrators can manage users and system settings
RBAC is the simplest approach to understand, making it a common starting point when development teams are implementing a “DIY” solution. However, RBAC doesn’t provide the fine-grained controls that most modern applications demand, and as a result, many teams extend their permissions to include relationship-based or attribute-based models.
Relationship-Based Access Control (ReBAC)
ReBAC focuses on the relationships between entities in your system. Rather than assigning permissions directly or through attributes, ReBAC leverages the connections between users and resources.
Let’s continue with the CMS example from the RBAC section. Let’s say a user creates a folder of documents stored within the CMS. If you have viewer access to the folder, you should have viewer access to all of the documents in that folder. Now we need to implement ReBAC, which means that not only do you need roles, but you also need to organize permissions based on the relationship between resources: in this case, which documents are in which folders.
ReBAC is best suited for scenarios with complex hierarchies and interconnected data. For example, in a document management system, ReBAC can easily express policies like "users can access all documents in projects they're assigned to" without having to tag each document individually.
Attribute-Based Access Control (ABAC)
ABAC takes a more dynamic approach by making access decisions based on attributes of users, resources, actions, and environment. It is the most flexible access model, but also the most complex to implement and maintain.
ABAC allows for highly granular control through conditions and attributes. Extending our CMS example further, you may want to mark some documents “public.” A public document can be viewed by all users, regardless of which folder it’s in. The policy now incorporates the “public” attribute of a document into its authorization logic.
RBAC vs. ABAC: When Roles Aren't Enough
While RBAC provides a solid foundation for access control, it can become unwieldy as applications grow in complexity. The number of roles required to meet permissioning needs often explodes, creating an operational burden. Or, even worse, roles are insufficiently granular and have more access than they should, creating a security risk.
The Limitations of RBAC
RBAC works well when access patterns align neatly with organizational roles. However, it struggles with:
Context-sensitive permissions
Temporary access requirements
Fine-grained control needs
Dynamic environments
When these challenges arise, many organizations turn to ABAC. While both RBAC and ABAC secure systems and data, the way that they assign and manage permissions differs significantly.
The Power and Complexity of ABAC
ABAC supports significantly more granular permissions than RBAC by considering multiple factors in access decisions:
User attributes (department, clearance level, location)
Yet this flexibility comes at a cost: ABAC models are harder to reason about than RBAC models. They require more careful planning and can be challenging to audit and troubleshoot.
ABAC vs. ReBAC: Conditions vs. Relationships
Now let’s explore the other major alternative to RBAC: ReBAC. Both ABAC and ReBAC offer fine-grained access control, but they approach the problem differently.
When ABAC Shines
ABAC excels in scenarios requiring complex conditional logic based on multiple attributes. Consider a sophisticated system where access depends on various factors like time, location, and user status.
For example, ABAC can easily express policies like: "A guest can only order a specific drink after midnight if they're seated at the bar." This combines time attributes, location attributes, and user attributes into a single policy.
The ReBAC Advantage
ReBAC leverages the inherent relationships in your data model to simplify access control. Instead of tagging each resource with attributes, ReBAC uses the connections between entities.
Imagine a user named Jay who has a locker containing various items. With ABAC, you might tag each item with "Owner=Jay." With ReBAC, you simply define a policy: "A guest can access all items inside their own locker." The relationship between Jay, his locker, and the items inside creates a natural access control structure.
ReBAC particularly shines in:
Hierarchical systems
Social networks
Document management
Team collaboration tools
Any application with complex entity relationships
Comparing the Models: A Practical Analysis
Dimension
RBAC (Role-Based Access Control)
ReBAC (Relationship-Based Access Control)
ABAC (Attribute-Based Access Control)
Conceptual Complexity
Low
Moderate to High
High
Best for
Role-based organizational hierarchies
Relationship-aware access
Context-aware permissions
Level of granularity
Low; can result in either role explosion or roles with access that is too broad
Moderate to High
High
Example use case
A sales person can view all opportunities
A sales manager can view all the opportunities owned by their direct reports
A sales manager can view all the opportunities owned by their direct reports during business hours on their company laptop
DIY Effort
Low to Moderate
Moderate to High
High
Effort with Oso
Low
Low to Moderate
Low to Moderate
Real-World Applications
To sum it up, different models suit different application types:
RBAC: Enterprise applications with clear organizational hierarchies
ABAC: Systems requiring complex conditional access (financial services, healthcare)
ReBAC: Social platforms, document management, and collaborative tools
Hybrid Approaches: The Best of All Worlds
In practice, many sophisticated applications use a combination of models to address different access control needs. These applications use RBAC for broad permissions, ABAC for context, and ReBAC for structure.
RBAC as a Foundation
RBAC provides a solid foundation for coarse-grained access control. It's intuitive for administrators and developers alike, making it an excellent starting point.
Example use case for RBAC: analyst can view reports
Adding ABAC for Flexibility
ABAC can supplement RBAC when you need context-sensitive permissions. For example, a basic role might grant access to financial reports, while ABAC conditions restrict access based on time, location, or report sensitivity.
Example use case for RBAC and ABAC: analyst can view reports during business hours
Incorporating ReBAC for Relationships
ReBAC excels at handling permissions that follow your data's natural relationships. In many cases, RBAC and ABAC policies can be combined with ReBAC-based policies, with hierarchies enforced by ReBAC and more fine-grained access managed by ABAC.
Example use case for RBAC and ReBAC: Manager can access files owned by their team
Combining RBAC, ABAC, and ReBAC
Finally, there are some scenarios where all three models are required.
Example use case: Doctor can access patient files in their department, if on call, and if patient consent is present
Example of combining models with Oso
resource Document{
roles = ["reader", "editor", "admin"];
permissions = ["read", "edit", "delete"];
relations = { folder: Folder};
# RBAC - document permissions determined by role on document"read"if"reader";
"edit"if"editor";
"delete"if"admin";
# Role inheritance: editors are readers; admins are editors
"reader"if"editor";
"editor"if"admin";
# ReBAC - document permissions inherited from folder permissions
"reader"if"viewer" on "folder";
"editor"if"writer" on "folder";
"admin"if"admin" on "folder";
# ABAC - all users can read public documents
"read"if is_public(resource);
}
Implementation Considerations
When implementing access control, consider these factors:
Performance impact: Complex authorization checks can affect application responsiveness. Oso provides sub 10 ms latency to ensure that permissions queries get an immediate response.
Developer experience: Overly complex models can slow development. Specialized authorization providers like Oso enable development teams to deliver fine-grained access control in a fraction of the time, so that they can focus on differentiated features within their application.
Maintenance overhead: Authorization rules need regular review and updates. Oso provides unit tests, logs, and debugging, so you can make a change without breaking things.
Scalability: Your model should grow with your application. Oso’s flexible and expressive Polar language lets you start small with RBAC and layer in ABAC and ReBAC as your application’s authorization logic gets more sophisticated.
The Authorization-as-a-Service Approach
Implementing a homegrown ABAC or ReBAC solution often requires building custom logic into your services, syncing role or relationship data manually, and duplicating logic across endpoints. For this reason, many organizations are moving toward authorization as a service solutions like Oso to simplify permissions.
This approach separates authorization logic from application code, providing:
Centralized policy management
Consistent enforcement across services
Improved auditability
Reduced development complexity
With Oso, the various access models become composable: you define roles, attributes, and relationships declaratively in one place, and Oso handles enforcement, testing, and propagation.
Making the Right Choice for Your Application
Selecting the right access control model depends on your specific requirements:
Start with your data model: Understand the entities in your system and their relationships
Identify access patterns: How do users interact with resources?
Consider future growth: Will your access patterns become more complex over time?
Evaluate implementation resources: More complex models require more development effort
Questions to Guide Your Decision
Access models differ in conceptual complexity: RBAC is easiest to reason about, ABAC introduces conditional logic, and ReBAC models complex relationships between users and resources. Ask yourself:
Are roles clearly defined and relatively stable in your organization?
Do access decisions depend on dynamic factors like time, location, or resource attributes?
Are relationships between entities central to your data model?
Do you need to support delegation or inheritance of permissions?
In a DIY system, these factors translate directly into implementation effort.
With Oso, we decouple those concerns. You still need to think carefully about which model(s) make sense for your application — but implementing even the most advanced model (like ABAC) becomes dramatically easier. Oso gives you the tools to model relationships, conditions, and roles in a unified, testable, and maintainable way.
Conclusion
The choice between RBAC, ABAC, and ReBAC isn't about finding the "best" model—it's about finding the right fit for your application's needs. Many successful systems use a combination of approaches, leveraging the strengths of each model where appropriate.
As applications grow more complex and interconnected, we're seeing a shift toward more sophisticated access control models like ABAC and ReBAC. These models provide the fine-grained control needed for modern applications while addressing the limitations of traditional RBAC.
Whatever model you choose, remember that access control is a fundamental aspect of application security and user experience. Investing time in designing the right approach will pay dividends throughout your application's lifecycle.
Understanding the Benefits of Microservice Design Patterns
Over the years, I've worked with many companies, both large and small, as they've tackled the world of microservice architectures. This has given me a front-row seat to the real-world hurdles and successes that come with building these kinds of systems. Time and again, I've seen how crucial the right design patterns are – they're often the key to unlocking the agility and scalability microservices promise, while also helping to sidestep common pitfalls. My aim with this guide is to share practical insights from these experiences, focusing on why these patterns are so valuable and how they can make a real difference in your own projects.
Microservices enable the decomposition of large monolithic applications into smaller, independently deployable services. This architectural style promises benefits such as faster deployment cycles, improved scalability, and enhanced team autonomy with clear ownership boundaries. While the advantages are significant, distributed systems introduce unique challenges. These include service discovery, distributed data management, and ensuring system resilience when individual services encounter issues.
From what I've seen, microservice design patterns provide established solutions to these common challenges. These patterns represent the accumulated experience of developers who have successfully built and managed distributed systems. In my experience, adopting these patterns allows development teams to leverage proven strategies, avoiding the need to devise solutions from first principles. This approach can lead to more robust, scalable, and manageable systems, facilitating the realization of microservice benefits like independent development, targeted scalability, and efficient delivery.
This guide explores essential design patterns, covering application decomposition, data management strategies, inter-service communication, observability techniques, and the handling of cross-cutting concerns.
1. Decomposing the Monolith: Service Boundary Patterns
When I approach breaking down a monolithic application or designing a new application with a microservice architecture, I give careful consideration to how service boundaries are defined. Decomposition patterns offer structured approaches to this critical first step.
Decompose by Business Capability
This widely adopted pattern suggests aligning service boundaries with the core functions of the business. For example, an e-commerce platform might be broken down into services like ProductCatalogService, OrderProcessingService, or PaymentService.
My Rationale: Business capabilities tend to be relatively stable over time, more so than specific technologies. This approach fosters services with high cohesion (they perform a single function well) and clear team ownership. If a team is responsible for the "order management" capability, they own the corresponding service.
Example: An online retail system could feature a ProductCatalogService to manage product information, an OrderProcessingService to handle purchases, and a PaymentService to process financial transactions.
Decompose by Subdomain (Domain-Driven Design)
For those of us familiar with Domain-Driven Design (DDD), this pattern feels intuitive. When I use this, it involves defining service boundaries using DDD's concept of Bounded Contexts. Each bounded context represents a specific area of responsibility with its own domain model, ensuring that terms and concepts are clearly defined and consistently used within that context. Generally speaking a decomposition by subdomain will lead to smaller and more fine grain components. For example, while ‘Invoicing” might be a business capability, “tax calculations”, “fraud detection”, etc might be domains.
My Rationale: This strategy aims for high internal cohesion within each service and low coupling between services. These characteristics are crucial, in my view, for enabling services to evolve independently without causing unintended ripple effects across the system.
Example: In a logistics application, the broader "shipping" domain might be divided into subdomains like RoutePlanning and ShipmentTracking. This would naturally lead to the development of a RoutePlanningService and a ShipmentTrackingService, each focused on its specific subdomain.
The Strangler Pattern
Once you’ve decided what the boundaries are, the Strangler Pattern is a tactical approach to doing the decomposition that reduces disruption. Rather than rewriting large sections of the codebase, in the Strangler Pattern you wrap your legacy code with your new microservices logic. This allows you to split off one service at a time until there is no monolith left. Then if needed, you can come back and rewrite the legacy code to better fit the new microservices architecture.
2. Managing Data in a Distributed Landscape: Database Patterns
Once services are defined, managing their data becomes a critical consideration. In microservice architectures, a primary goal I always emphasize is to to create clear data boundaries that reflect and reinforce the service boundaries. This simplifies data management and allows for independent scalability.
Database per Service
I consider this a foundational pattern: each microservice owns its private database. Access to this database is strictly limited to the service itself, typically through a well-defined API. One service cannot directly access the database of another service.
My Rationale: This approach is key to achieving loose coupling between services. It allows each service to choose the database technology that best suits its needs (e.g., SQL for one service, NoSQL for another) and to evolve its database schema independently. Furthermore, each service can scale its data store according to its specific requirements, avoiding the bottlenecks I've often seen associated with shared databases.
Example: An e-commerce application might have an OrderService with its own database for storing order information and a CustomerService with a separate database for customer details. If the OrderService needs customer information, it must request it from the CustomerService via its API, rather than directly querying the customer database.
Saga Pattern
I use this pattern to address the challenge of managing transactions that span multiple services. In this pattern, you forgo strict consistency in favor of availability and resilience. A saga is a sequence of local transactions. Each local transaction updates the database within a single service and then publishes an event or sends a command that triggers the next local transaction in the sequence. If any local transaction fails, the saga executes compensating transactions to undo the changes made by preceding successful transactions, thereby maintaining data consistency across services.
My Rationale: From my perspective, Sagas help maintain data consistency across services in an eventually consistent manner, which I find is often a better fit for distributed systems that prioritize availability and resilience over strict consistency.
Example: Placing an order might involve a saga with the following steps: 1) The OrderService creates an order (a local transaction). 2) The PaymentService processes the payment (another local transaction). 3) The InventoryService reserves the stock (a further local transaction). If the payment processing fails, compensating transactions are executed to cancel the order and release the reserved stock.
3. Enabling Communication: An Integration and Communication Pattern
Effective communication between services, and between clients and services, is essential for a functional microservice architecture. These patterns address how I achieve reliable and efficient communication without creating excessive coupling.
API Gateway
I often implement this pattern to introduce a single entry point, typically a reverse proxy, for a group of microservices. Client applications send requests to the API Gateway, which then routes them to the appropriate downstream services. The API Gateway can also handle tasks such as request aggregation, authentication, authorization, and rate limiting, providing a centralized point for managing these cross-cutting concerns.
My Rationale: My observation is that an API Gateway simplifies client application development by abstracting the internal structure of the microservice system. Clients do not need to be aware of the specific locations or protocols of individual services. It also insulates clients from changes in service composition and provides a consistent interface for accessing the system's functionalities.
Example: A mobile application might send a request to an API Gateway to retrieve a user's profile. The API Gateway, in turn, could interact with a UserService to fetch user details, an OrderHistoryService to get recent orders, and a RecommendationsService to provide personalized suggestions. The gateway then aggregates these responses and sends a unified reply to the mobile application.
4. Ensuring System Health and Performance: Observability Patterns
Distributed systems are complex to monitor and debug. Observability patterns provide mechanisms I use to understand the internal state and behavior of these systems, enabling proactive issue detection and efficient troubleshooting.
Log Aggregation
In my experience with microservice architectures, I’ve spent my fair share of time poring over logs from numerous service instances Manually accessing these logs across multiple machines is impractical. Therefore, I always advocate for log aggregation, which involves collecting logs from all service instances and centralizing them in a dedicated logging system. This system typically provides tools for searching, analyzing, and visualizing log data.
My Rationale: I've found centralized logging to be crucial for effective troubleshooting in distributed environments. It allows developers and operators to correlate events across different services and identify the root causes of problems more efficiently.
Example: Logs from various microservices, such as those running in containers like Docker or managed by orchestration platforms like Kubernetes, can be streamed to a central Elasticsearch cluster. Kibana can then be used to create dashboards and search through the aggregated logs to diagnose issues or monitor system health.
Distributed Tracing
When a request enters a microservice system, it may traverse multiple services before a response is generated. When I design for observability, I ensure distributed tracing is implemented. This involves assigning a unique identifier to each external request and propagating this identifier (along with span identifiers for each hop) as it flows through the services. This allows for the visualization of the entire request path, including the time spent in each service and any errors encountered along the way.
My Rationale: Distributed tracing provides deep insights into the performance and behavior of microservices. It helps me identify bottlenecks, understand inter-service dependencies, and quickly pinpoint the source of errors or high latency.
Example: I’ve used tools like Jaeger or Zipkin to collect and visualize trace data. Using these tools, a developer can then see that a request to the OrderService subsequently called the InventoryService and then the ShippingService, along with the duration of each call, helping to optimize performance or debug failures.
Health Check API
I always ensure each microservice exposes an endpoint (commonly /health or /status) that reports its operational status. This endpoint can be periodically checked by monitoring systems or orchestration platforms to determine if the service is healthy and capable of handling requests.
My Rationale: In my microservice projects, health check APIs have let me enable automated monitoring and self-healing capabilities. If a service instance becomes unhealthy, it can be automatically restarted or removed from the load balancer's rotation, ensuring system stability and availability.
Example: A Kubernetes liveness probe might periodically call the /health endpoint of a service. If the endpoint returns an error or does not respond, Kubernetes can automatically restart the corresponding container, attempting to restore the service to a healthy state.
5. Addressing Common Needs: Cross-Cutting Concern Patterns
Certain functionalities, such as configuration management, service discovery, and resilience, are common requirements across multiple services in a microservice architecture. Cross-cutting concern patterns provide standardized ways I implement these functionalities without duplicating code or creating tight dependencies between services.
Externalized Configuration
I always stress that configuration details, such as database connection strings, API keys, or feature flags, should not be hardcoded within service code. Instead, they should be stored externally and dynamically loaded by services at runtime or startup.
My Rationale: Externalizing configuration allows for greater flexibility and manageability. Configuration changes can be made without redeploying services, which is particularly beneficial in dynamic environments. It also enhances security by keeping sensitive information out of the codebase and facilitates consistent configuration across different deployment environments (e.g., development, testing, production).
Example: Services can fetch their configuration from a dedicated configuration server like Spring Cloud Config or Infisical. Alternatively, configuration can be injected as environment variables or mounted as configuration files in containerized environments like Kubernetes, often managed using tools like ConfigMaps and Secrets.
Service Discovery
In dynamic microservice environments, service instances are constantly being created and destroyed, and their network locations can change frequently. I rely on service discovery mechanisms to enable services to locate and communicate with each other dynamically.
My Rationale: I believe service discovery is crucial for building resilient and scalable microservice architectures. It eliminates the need for hardcoding service locations, which would be impractical to manage in a dynamic environment. Instead, services register themselves with a service registry upon startup and query the registry to find other services they need to interact with.
Example: When an OrderService needs to communicate with a PaymentService, it first queries a service registry like Consul or Eureka to obtain the current network address (IP address and port) of an available PaymentService instance. This allows the OrderService to reliably connect to the PaymentService even if its location changes.
Circuit Breaker
I use this pattern to help prevent a single failing service from causing a cascade of failures throughout the system. If a service repeatedly fails to respond or returns errors, the circuit breaker in the calling service trips. Once tripped, for a configured duration, all calls to the failing service are immediately rejected without attempting to contact it. This gives the failing service time to recover. After the timeout, the circuit breaker allows a limited number of test requests to pass through. If these succeed, the circuit breaker resets; otherwise, it remains tripped. This pattern is crucial for building resilient systems that can gracefully handle transient failures in downstream services.
FAQ
What are the microservices design patterns?
Microservices design patterns are reusable, proven solutions for common challenges in building applications as collections of small, independent services. They act as best-practice guides, addressing issues like application composition, inter-service communication, data consistency, system monitoring, and reliable deployment, helping create robust and scalable systems.
What are the key benefits of using microservices design patterns?
Employing microservice design patterns offers significant advantages by providing structure to manage distributed system complexity. This leads to faster development through proven solutions, enhanced system resilience via patterns like Circuit Breaker, better scalability by allowing independent component scaling (e.g., Database per Service), and easier maintenance due to more understandable and testable architectures.
Can I combine multiple design patterns when designing a microservices architecture?
Yes, combining multiple design patterns is not only possible but standard practice in microservices architecture. Patterns often address different facets of the system and complement each other. For instance, using Database per Service might necessitate the Saga pattern for distributed transactions, while an API Gateway often works with Service Discovery. The goal is to select a cohesive set of patterns that collectively meet your architectural needs.
Is there a “right” microservices design pattern to use?
There isn't a universally "right" microservices design pattern; the best choice depends heavily on your application's specific context, including its complexity, team structure, scalability needs, and data consistency requirements. It's about understanding the trade-offs of various patterns and selecting those that effectively solve your specific challenges, rather than applying patterns indiscriminately.
Should I start by choosing design patterns or by designing the system architecture?
It's generally advisable to start by designing the system architecture, focusing on how to decompose the application into services based on business capabilities or subdomains. Once potential service boundaries and interactions are clearer, you'll identify specific challenges (e.g., data consistency, service communication). At this stage, design patterns should be considered as solutions to these identified architectural problems, preventing premature or misapplied pattern selection.
What is the role of the API gateway design pattern in microservices?
The API Gateway serves as a single entry point or facade for a group of backend microservices, simplifying client interactions. Clients communicate only with the gateway, which then routes requests to appropriate internal services, potentially aggregating responses. It also centralizes cross-cutting concerns like authentication, authorization, rate limiting, and caching, reducing the load on individual services.
Why use the database per service design pattern?
The Database per Service pattern is fundamental to achieving loose coupling in microservices. Each service manages its own private database, preventing direct access from other services. This autonomy allows independent schema evolution, choice of database technology, and scaling of data storage. While this is crucial for agile development and operational flexibility, it does come with more complicated cross-service data operations.
Is it wrong to apply different patterns to different microservices in the same system?
No, it's often necessary and practical. Different microservices can have varying requirements for complexity, data handling, and communication. The aim is consistency where it adds value (e.g., logging, monitoring) but flexibility to use the most suitable patterns for each service's specific function. For example, a financial system might use the Circuit Breaker pattern for critical payment services to handle downstream failures gracefully, while simpler read-only services that display account information might use a simpler retry pattern.
How to handle authorization in microservices?
Authorization across microservices can be managed by enforcement at the API Gateway, via a dedicated central authorization service, or with logic embedded in each service (using shared libraries/sidecars). Each method has trade-offs. Oso facilitates microservices authorization by allowing central policy definition with distributed enforcement, fitting microservice principles by enabling local decisions while integrating with patterns like Database per Service for data access. For more, see our post on microservices authorization patterns .
If you’re evaluating alternatives to Aserto after their announcement to sunset their SaaS platform, it's important to understand how other solutions stack up—not just in terms of features, but in architecture, operational burden, and long-term flexibility. In this post, we go deep into the technical differences between Aserto and Oso across critical areas like infrastructure, performance, modeling, and scalability.
Requires operating edge authorizers (Topaz) with local state replication
Fully managed cloud service, no infra to operate
Consistency Lag
1–2 minutes behind source of truth
Immediate consistency in Oso Cloud
Scaling
You scale and shard per-tenant manually
Oso Cloud scales elastically with zero effort
Migration Tip: With Oso, you no longer need to maintain and tune edge nodes. Simply model your logic and let us handle uptime and performance.
List Filtering and Querying
Feature
Aserto
Oso
List Filtering
Only supported via Directory API; policy logic not applied
Supported directly via query API with full policy logic
Combining Policy + Graph Logic
Can’t combine OPA logic with Directory traversal
Seamless combination in a single query
Negation Support
Not applied during graph traversal
Fully supported in query logic
POC Tip: Try filtering a list using a policy that includes a negation condition. For example, the policy might allow users to be banned from projects. A banned user shouldn’t be able to see a project, even if they still have a role on the project (not an uncommon scenario). When you ask: “Show all projects the user has access to,” Oso will return the correct list - excluding the banned projects based on the policy logic. Aserto can’t evaluate this kind of condition during list filtering; it only applies policy logic at decision time, not during traversal.
Example Aserto Limitation:
Negation in Rego:
# Aserto can not filter lists when policy says:
allow if not banned
Negation in Oso, using Polar:
allow(user, "read", resource) if not banned(user) and
has_permission(user, "read", resource);
Oso will correctly filter out banned users, Aserto won't without removing their relations manually.
Latency of Data Sync
Feature
Aserto
Oso
Data Propagation Time
Up to 1–2 minutes to reflect data changes at edge
Data is evaluated immediately once available in Oso Cloud
Sync Mechanism
Postgres ➝ Rego ➝ Allow Cache ➝ Edge
Postgres ➝ Edge (sync not required if using local evaluation)
Local Evaluation
BoltDB-based store at edge; complex to manage
Facts are derived from your local database with no syncing
Migration Tip: If latency of permissions propagation is a concern, Oso’s centralized but globally distributed model ensures sub-10ms evaluations without sync delays.
Modeling Nested Groups & Hierarchies
Feature
Aserto
Oso
Nested Groups
No first-class support
Full support using relationships in Polar
Resource Hierarchies
Complex to represent cleanly
Simple to express with nested resources + role inheritance
Custom Roles
Defined in both a manifest (YAML/JSON) and Rego policy; must be updated in both to reflect changes
Defined directly in policy as logic rules; dynamic and declarative
POC Tip: Model a team inside an org with delegated permissions. Oso models this in a few lines of Polar.
Handling Large Data Sets
Feature
Aserto
Oso
Embedded Store Limits
BoltDB has size limits (~few GBs); manual sharding
Oso Cloud imposes no arbitrary limits on data size
Scaling Strategy
Shard tenants across multiple edge nodes
No manual sharding required; managed automatically
Migration Tip: If you’re running into scaling ceilings or planning to grow, Oso's hosted infrastructure lifts those limits.
Single step: push changes directly to Oso Cloud via CLI
Promotion Between Envs
Manual tagging, env updates required
Simple CLI-based push to staging or production
Rollback + Versioning
Via registry images and instance tags
Via Oso environment versions, push history available
POC Tip: Make a logic-only change. In Oso, push and test it immediately. Aserto requires environment or instance updates even for small changes.
Extending Authorization Models
Feature
Aserto
Oso
New Object Types
Requires manifest updates + policy artifact build
Define in Polar and push via CLI
New Relations or Permissions
Multi-step with CLI or UI + policy update
One-step rule addition
Iteration Speed
Slow and UI-dependent, structured around artifacts
Fast, testable, and version-controlled via code
POC Tip: Add a new permission or relationship and use it in logic. With Oso, you go from idea to enforcement in minutes, no manifest or build required.
Wrapping Up
When it comes to migrating authorization systems, technical details matter. Oso was built with developer experience, scalability, and clarity at its core—so you can model complex permissions without brittle workarounds or heavy infrastructure. Whether you’re dealing with nested groups, high data volumes, or rapid policy iteration, Oso gives you a modern, unified authorization solution you can trust.
Let us know if you'd like help translating your Aserto setup to Oso. We’ve done plenty of migrations and can help you go live in weeks, not months.
With the news that Aserto is shutting down its SaaS platform on May 31, 2025, many teams are now faced with an urgent and unsettling challenge: choosing a new authorization provider. If you’re one of them, you’re likely asking:
What’s a reliable alternative that won’t force me to rebuild everything from scratch—or worse, disappear next year?
These transitions can be tough. It’s a reminder that authorization isn’t just a feature—it’s infrastructure. And like any core infrastructure choice, you need something that’s dependable, well-supported, and designed to scale with your product.
That’s where Oso comes in.
We’ve helped teams migrate from other authorization solutions before and know where the common pain points are. In this post, we’ll walk through how Aserto compares to Oso, what makes Oso the best long-term Authorization as a Service platform, and offer practical tips to help your team modernize your authorization stack with confidence.
Summary of What We’ll Cover
Key criteria for evaluating authorization solutions
Aserto alternatives: feature and architecture comparison
Why Oso stands out for developers and security teams
Migration tips: how to move from Aserto to Oso with confidence
Evaluating Authorization Solutions: What Matters Most?
When choosing an authorization platform, you need more than a feature checklist. The best solutions deliver:
Low latency: Authorization checks must be fast, ideally under 10 ms, to avoid slowing down your application.
Flexible models: Support for RBAC (role-based access control), ABAC (attribute-based access control), and ReBAC (relationship-based access control) is essential for modern apps.
Seamless integration: The solution should work with your existing databases and infrastructure.
Deterministic and testable: You need to know exactly how permissions are evaluated, with tools for debugging and testing policies.
Developer experience: Clear APIs, expressive policy languages, and strong documentation make a big difference in adoption and maintenance.
Imagine a SaaS platform with thousands of users and complex team hierarchies. If authorization checks are slow or inconsistent, user experience and security both suffer.
Aserto Alternatives
What Aserto Users Should Consider In Their Next Authorization Solution
Aserto worked by centralizing authorization data in Postgres, syncing policy and directory data to edge nodes, and evaluating requests via a local BoltDB-based key-value store. This made it performant for reads, but brittle and limited when it came to:
Many teams also found themselves stuck between two models: either use Aserto’s graph-based directory, or write policies in OPA/Rego—but not both in a truly integrated way. This made certain use cases, like negation or cross-object filtering, difficult or outright impossible.
These are some conversations from their Community Slack:
Q: In Aserto, you can’t do “check” operations in a bulk request, right?
A: This is currently not possible, the OpenID AuthZen specification is trying to define one which we will adopt as soon as it is in DRAFT mode.
Q: Is there any way to get the audit logs to know who changed the objects/relationships of the directory?
A: Currently this is not built-in, we are considering this as a part of moving towards an event stream based model.
Feature and Architecture Comparison
Solution
Authorization Models
Latency
Policy Language
Deployment Options
Debug/Test Tools
Oso
RBAC, ABAC, ReBAC, custom
10 ms
Polar
Cloud, hybrid, on-prem (in beta)
Built-in debugger
Aserto
RBAC, ABAC, custom
Real-time
Custom
Cloud-native
Policy testing
AuthZed
RBAC, ReBAC
Low
SpiceDB
Cloud
Audit tools
Cerbos
RBAC, ABAC
Low
YAML/JSON
Cloud, on-prem
Policy testing
Key takeaways:
Oso is one of the only cloud-based solutions offering local authorization without requiring data syncing, which means you get consistent, low-latency checks even for high-cardinality or rapidly changing data.
Oso’s Polar language is expressive and easy to learn, letting you write concise rules for complex scenarios.
Oso provides a deterministic framework, so you always know how permissions are evaluated and can test policies before deploying.
If you want to deepen your understanding on the technical comparison, read the comparison post: Aserto vs Oso
For teams considering Topaz, Aserto’s open source authorization engine, it’s worth noting that while the maintainers have committed to continued community support, the future of the project is less certain without a backing company. Open source can be a great option—but only if it’s actively maintained and supported. With Aserto winding down its SaaS platform, many teams are rightfully asking what long-term support, roadmap stability, and enterprise readiness will look like for Topaz going forward. And even if the project continues to receive strong community support, adopting it means taking on the full burden and administrative overhead of deploying, operating, and maintaining the service in a production-ready way—ensuring uptime, scaling, and performance falls entirely on your team. If your team needs a solution with guaranteed uptime, built-in testing, and commercial support you can count on, Oso offers a fully managed path forward.
Why Oso? Unique Value for Developers and Security Teams
Oso was built for teams who want to own their authorization logic without reinventing the wheel. We give developers a complete, production-ready authorization solution without forcing tradeoffs between policy logic, data modeling, or performance.
allow(user, "read", resource) if has_role(user, "admin", resource);
This rule says: allow a user to read a resource if they have the admin role for that resource. You can extend this to support multi-tenancy, team hierarchies, or custom attributes with just a few lines.
Unified Policy + Data
Aserto splits the world between the policy layer (OPA) and the directory graph (data). This leads to limitations, like:
No way to apply policy logic during list filtering
Can’t express "negative" logic (e.g., user is banned) during graph traversal
Inconsistent evaluation paths depending on the API used (Authorizer vs Directory)
With Oso, your policy and data are unified—so the same logic used for authorize() also powers list filtering, tests, and audits.
You get consistency and confidence at every level of your system.
Deployment Flexibility
Oso runs anywhere: cloud, hybrid, or on-premises (coming soon). You can use Oso as a managed service or deploy it in your VPC, giving you maximum flexibility.
Developer Experience
Aserto:
Limited documentation and SDK support
Hard to tell what’s possible or how to implement features
Rego’s steep learning curve makes policies hard to write and debug
Easy-to-read Polar language built for real-world authorization
Dedicated guides for every major pattern: RBAC, ReBAC, ABAC, and custom roles
You’ll be able to write and test policies confidently—and fast.
Testable and Debuggable
Oso includes built-in policy tests, so you can catch issues before they reach production. This is especially valuable for teams with complex, evolving permission requirements.
Modeling Complex Authorization Logic
Aserto:
No support for nested groups
Challenging to implement resource-specific roles
Must choose between graph data or policy logic—can’t combine them cleanly
Oso:
First-class support for nested groups, resource hierarchies, and custom roles Express your logic in a single place using Polar, Oso’s purpose-built policy language
Model both relationships and logic together in one consistent, testable framework
With Oso, you don’t have to contort your model to fit the tool—we built it to fit your app.
Migration Tips: Moving from Aserto to Oso
You don’t have to start from scratch—Oso’s architecture makes it straightforward to migrate your:
User-directory relationships
Role definitions
Directory-based data models
Rego logic (converted into Polar rules)
Switching authorization providers can feel daunting, but with the right approach, you can minimize risk and downtime. Our team has helped many teams through this exact process, and we’re here to help you go live in weeks—not months. Here's a step-by-step migration plan:
Audit your current authorization model
List all permission rules, roles, and resource types in your Aserto setup
Identify any custom logic or edge cases
Map Aserto policies to Oso’s Polar language
Translate rules into Polar syntax
Use Oso’s policy tests to validate your logic
Integrate Oso with your application
Replace Aserto API calls with Oso’s API or library functions
Run integration tests to confirm everything behaves as expected
Run in parallel (shadow mode)
Operate both Aserto and Oso side by side
Log and compare authorization decisions to catch discrepancies
Ensure the systems achieve parity
Cut over and monitor
Fully switch to Oso once confident
Monitor logs and metrics for any unexpected behavior This phased approach ensures a smooth transition with minimal disruption.
Conclusion: Why Oso is the Best Alternative
Authorization is too important to leave to chance. The right solution should give you speed, flexibility, and confidence without locking you into a single deployment model or forcing you to sync sensitive data. Oso stands out by offering local, testable authorization with support for RBAC, ABAC, and ReBAC, all backed by a developer-friendly API and policy language.
If you’re considering a move from Aserto or another provider, Oso’s migration path is clear and well-supported. You can start small, test policies in isolation, and scale up as your needs grow.
You can also explore Oso’s documentation, try out the Polar language, and see how easy it is to build secure, scalable permission systems for your applications.
After years of architecting microservices for various companies, I've learned what truly works for managing these complex systems. This guide shares my battle-tested tools and hard-won insights for mastering microservices in 2025. I'll explain my go-to practices for building resilient, scalable architectures, drawing directly from my experiences.
Navigating Microservice Tools: My Key Categories
To effectively manage microservices, I categorize tools by their core function. This approach helps select the right solutions. I focus on these essential areas:
Orchestration & Containerization: The tools I use as the backbone for deploying and managing services.
Observability & Monitoring: The non-negotiables that I rely on for understanding distributed systems
API Gateways & Management: The crucial front door for controlling access and handling cross-cutting concerns.
Service Mesh: Invaluable when I tackle complex service-to-service communication and security.
Throughout this article, my goal is to share my insights on how these tools empower your microservices.
I. Orchestration & Containerization: The Microservices Backbone
I think containerization is fundamental to simplifying microservice deployments. Orchestration tools manage these at scale, automating critical tasks. This category is the backbone of any robust microservice architecture I build.
Key tools I rely on:
Kubernetes (K8s)
K8s is my undisputed leader for container orchestration. I depend on it for automated rollouts/rollbacks, service discovery, load balancing, self-healing (restarting failed containers, rescheduling on node death), and secure configuration management. For complex, large-scale systems needing high availability and fine-grained control, K8s is my go-to. While the learning curve is steep (though managed services like GKE, EKS, AKS help greatly), the operational stability and scalability are unmatched.
Docker Swarm
For teams comfortable with Docker and seeking simplicity, I often suggest Docker Swarm. It’s easier to learn than K8s and uses the familiar Docker API. I find it well-suited for smaller to medium applications where K8s might be overkill. Deployments are fast, and Docker tooling integration is seamless. However, it’s less feature-rich for highly complex scenarios. It’s a great entry point to orchestration without K8s’s overhead.
Amazon ECS (Elastic Container Service)
When working within AWS, ECS is a natural fit. Its deep integration with AWS services (IAM, VPC, ELB, CloudWatch) is a major plus. I particularly value AWS Fargate for serverless container management, reducing operational burden. If your infrastructure is on AWS, ECS with Fargate significantly simplifies container management, letting teams focus on development. Key considerations are AWS lock-in and potential costs if not optimized.
II. Observability & Monitoring: My Watchful Eye on Distributed Systems
In my experience, with numerous microservices interacting, robust observability isn't just important—it's vital. I rely on these tools for insights into performance, errors, and overall health, enabling proactive issue resolution:
Prometheus & Grafana
This duo is a powerhouse in my monitoring toolkit. Prometheus, with its multi-dimensional data model and powerful PromQL, is excellent for metrics. Grafana brings this data to life with versatile visualizations. I use them extensively for real-time health checks and alerting. While PromQL has a learning curve and Prometheus needs extra setup if you need long-term storage, their value in cloud-native environments, especially with Kubernetes, is immense. I’ve seen this combination prevent outages multiple times.
Datadog
When I need a comprehensive, SaaS-based observability solution, Datadog is a strong contender. It offers end-to-end visibility across applications, infrastructure, and logs in one user-friendly platform. Its application performance monitoring (APM), infrastructure monitoring, log management, and extensive integrations have saved my teams countless hours. The ability to pivot between metrics, traces, and logs is a huge productivity booster for troubleshooting. The main considerations I always highlight are potential costs at scale and data residency (SaaS model).
Jaeger / OpenTelemetry
For debugging complex multi-service issues, distributed tracing with Jaeger, often powered by OpenTelemetry (OTel) instrumentation, is a lifesaver in my experience. OTel is becoming my standard for vendor-neutral telemetry. These tools provide X-ray vision into request flows, pinpointing bottlenecks or error origins. While application instrumentation is typically required and they can generate significant data, the insight gained for complex distributed interactions is indispensable. When a user reports "it's slow," these are the tools I turn to first.
III. API Gateways & Management: My System’s Front Door
In my microservice architectures, API gateways are the crucial front door, managing external access and handling cross-cutting concerns like request routing, security (authentication/authorization), rate limiting, and caching.
Key gateways I’ve worked with:
Kong Gateway
Kong is a go-to for me when I need a high-performance, flexible open-source API gateway. Built on Nginx, its plugin architecture is incredibly powerful for customization – I’ve used it for everything from JWT validation to canary releasing. It’s excellent for securing APIs and centralizing policy enforcement. While configuration can get complex with many plugins, its performance and adaptability for high-traffic applications are why I rely on it.
Amazon API Gateway
When deep in the AWS ecosystem, Amazon API Gateway is a very convenient choice. It simplifies creating, publishing, and securing APIs at scale, with tight integration with services like Lambda (for serverless functions) and Cognito (for user authentication). It reduces operational burden, but I always consider AWS lock-in and potential costs at high traffic.
Apigee (Google Cloud)
For large enterprises needing comprehensive, full-lifecycle API management, I consider Apigee. It offers advanced security, sophisticated traffic management, detailed analytics, and a robust developer portal. I’ve seen it used effectively for complex API strategies requiring strong governance. However, this power comes with significant cost and complexity, making it more suitable for organizations with those specific, large-scale needs.
IV. Service Mesh: My Approach to Complex Service Communication
As microservice interactions grow, a service mesh becomes my go-to for safe, fast, and reliable service-to-service communication. It handles sophisticated traffic management (like canary deployments, which I’ve implemented using meshes), security (e.g., mutual TLS, a feature I often enable), and observability at the platform level, rather than in each service.
Istio
Istio is a powerful open-source service mesh I use, often with Kubernetes, to secure, connect, and monitor microservices. I leverage its advanced traffic management (fine-grained routing, retries, fault injection for testing resilience), robust security (identity-based auth/authz, mTLS), and deep observability (automatic metrics, logs, traces). For complex environments needing this level of control, Istio is formidable. However, I always prepare teams for its installation and management complexity and potential operational overhead. My advice is to adopt its features gradually. When I tried this gradual approach in the past, it led to smoother adoption.
Choosing Your Toolkit: Key Factors I Consider
There's no one-size-fits-all solution for microservices management; the "best" toolkit aligns with your specific needs. From my experience, a thoughtful evaluation is crucial. I always consider these factors:
Team Size & Expertise: Can your team handle complex tools like Kubernetes, or is a simpler, managed solution better initially? I’ve seen teams struggle when a tool outpaced their readiness.
Existing Stack & Cloud Provider: Leveraging native tools from your cloud provider (AWS, Google Cloud, Azure) can offer seamless integration, but I always advise weighing this against vendor lock-in.
Scalability Needs: Your tools must grow with your application. I’ve seen painful migrations when teams outgrew their initial choices.
Budget: Evaluate total cost of ownership (licensing, infrastructure, engineering effort). Open-source isn't free if it demands significant self-management, a hidden cost I always point out.
Specific Pain Points: Prioritize tools that solve your most pressing challenges now. Trying to solve too many problems at once often creates even more, a lesson I've learned.
I selected the tools in this guide based on their industry prevalence, rich features I’ve found valuable, strong support, and my own experience seeing them solve real-world challenges.
Summary: My Key Takeaways
Microservices offer agility and scalability, but also complexity. Effective management is key. This guide covered my top tools for 2025 across Orchestration, Observability, API Gateways, and Service Meshes. My core advice: strategically select tools tailored to your team, stack, scale, budget, and pain points. In my experience, this empowers teams to innovate rather than wrestle with complexity.
Frequently Asked Questions (FAQ)
What do you see as the single biggest challenge in microservices management today (2025)?
In my experience, while it varies depending on the organization and the maturity of their microservices adoption, achieving consistent observability across a highly distributed system and managing the sheer operational complexity of many moving parts remain top challenges. When I talk to teams, these are recurring themes. Ensuring robust security, especially around inter-service authentication and authorization, and maintaining reliable, low-latency inter-service communication are also persistent high-priority concerns that I consistently help engineering teams address.
Is Kubernetes always the best choice for container orchestration for microservices in your opinion?
Not necessarily, and this is a point I often make. While Kubernetes is incredibly powerful and, I agree, the de facto standard for large-scale, complex microservices deployments, it comes with a significant learning curve and operational overhead that I’ve seen teams underestimate. For smaller projects I’ve advised on, or for teams with less operational capacity, I’ve found other solutions like Docker Swarm can be more appropriate and cost-effective starting points. I typically try to match the tool to the team’s current capabilities and the project’s actual needs.
How do you advise teams to get started with observability if they have many microservices and feel overwhelmed?
My advice is always to start incrementally. Trying to boil the ocean is a common mistake I’ve seen. I usually suggest beginning by implementing centralized logging for all your services. In my experience, this is often the easiest first step and provides immediate value for debugging. Next, I guide them to introduce metrics collection for key performance indicators (KPIs) – I tell them to think about error rates, latency, saturation, and traffic (frameworks like the RED or USE methods are good starting points I often recommend). Tools like Prometheus are excellent for this. Finally, I help them incorporate distributed tracing using systems like Jaeger, ideally with instrumentation provided by OpenTelemetry, to understand request flows across service boundaries. My approach is to focus on the most critical services or user journeys first, and then expand the observability footprint over time. When I tried this phased approach in the past, it was far more manageable and successful.
In your experience, is a service mesh always necessary for a microservices architecture?
I don’t believe a service mesh (e.g., Istio, Linkerd) is always necessary. It certainly adds significant value for complex inter-service communication. This is particularly true when I’m dealing with advanced traffic management (like canary releases or A/B testing, which I’ve implemented using service meshes), security (automatic mTLS, fine-grained authorization policies), and observability at the network level.
However, I also know from experience that it introduces additional complexity and operational overhead. If the microservices interactions are relatively simple, or if the existing orchestration platform (like Kubernetes) already provides sufficient service discovery and load balancing for their needs then a full service mesh might not be needed initially. I always advise evaluating the need based on specific pain points related to service-to-service calls, security, or traffic control that aren’t adequately addressed by their current tooling. I typically try to avoid adding a service mesh unless the benefits clearly outweigh the costs and complexity for that specific situation.
How important do you think it is to keep up with trending discussions and new tools in the microservices management space?
I think it’s very important. The microservices landscape, including the tools and best practices, evolves rapidly – I’ve seen significant shifts even in the last few years. I make it a point to follow discussions on platforms like Reddit (e.g., r/microservices, r/kubernetes), official CNCF channels, key technology blogs, and vendor announcements. This helps me discover new tools, emerging patterns, and common pitfalls to avoid, which I can then share with the teams I work with. However, I always temper this with a critical eye: I advise teams to critically evaluate new trends against their specific organizational needs and constraints before adopting them. In my experience, chasing the newest shiny object without a clear purpose can lead to unnecessary complexity and wasted effort. I typically try to do a proof-of-concept or a small-scale trial before any large-scale adoption of a new, trending tool.
So, you're juggling microservices and wondering how to make sense of all that client traffic, right? That's where an API Gateway often steps in. Think of it as the friendly bouncer for your backend – it’s that single, unified entry point for every client request heading to your microservices application. In my experience working with these architectures, I've seen how an API Gateway, sitting between your clients and your array of microservices, can be a game-changer. It intelligently manages and routes requests, simplifying how your clients talk to your backend and hiding all that internal complexity.
In today's world, we're usually not building for just one type of client. You've got your responsive web app, your native mobile apps for iOS and Android, and maybe even external developers hitting your APIs. Each one has its own quirks and needs. A mobile app chugging along on a spotty connection needs lean data payloads, while your web app might be hungry for more comprehensive data to paint a richer picture. This is where an API Gateway, especially when you start looking at patterns like Backend for Frontends (BFF) , really shows its worth by helping you tailor the API experience for each.
But is an API Gateway the silver bullet for every microservice setup? Not always. While it's incredibly useful, its necessity really boils down to the complexity and specific demands of your system. We'll dig into scenarios where you might happily skip it, but for many, especially as systems grow and client needs diversify, it becomes a pretty crucial piece of the puzzle.
Let's explore when and why API gateways matter, and how to use them effectively without overcomplicating things.
When You Might Not Need an API Gateway (Seriously, It's Okay!)
API Gateways are not a one-size-fits-all solution. I've seen situations where teams can happily live without one, and it's good to know when that might be you.
First off, if you're dealing with a small number of microservices and maybe just one type of client app, direct client-to-service communication can be perfectly fine. I mean, if your setup is simple, why add an extra layer? If your clients can easily find and chat with your services, and you're not juggling a ton of cross-cutting concerns (like auth, logging, etc.) across every service, you might just defer the gateway for now. Keep it simple.
Then there are systems where everything's buzzing along asynchronously, driven by message brokers like RabbitMQ or Kafka. If that's your world, and clients and services are mostly interacting through message queues, the traditional role of a synchronous API Gateway might not be as critical for those particular flows. The broker itself is already doing a lot of the heavy lifting in terms of decoupling and routing messages. Now, that's not to say you'll never need a gateway in such a system – you might still have some synchronous API needs for specific features that could benefit. But for the core async stuff, the broker has you covered.
And finally, think about those small, internal-only applications. If it's just for your team, with a handful of services, and everyone knows how to find what they need (simple service discovery), and your security is managed within your trusted network, then yeah, an API Gateway could be overkill. If there's no significant value add, why bother with the extra hop and management overhead? In my experience, it's all about picking the right tool for the job, and sometimes the simplest approach is the best.
When an API Gateway Really Shines (And Makes Your Life Easier)
Okay, so we've covered when you might skip an API Gateway. But there are plenty of times when one becomes incredibly valuable. I've seen these scenarios play out many times, and the benefits are clear.
One of the biggest wins is when you're dealing with client-specific needs. Think about it: your sleek mobile app, your feature-rich single-page application (SPA), and maybe even third-party developers hitting your APIs – they all have different appetites for data. Mobile clients, for instance, are often on less reliable networks and have smaller screens, so they need concise data payloads. Your web app, on the other hand, might want more comprehensive data to create a richer user experience. An API Gateway excels here. It can act as a translator, taking a generic backend response and tailoring it specifically for each client type. This is where the Backend for Frontends (BFF) pattern really comes into its own. With BFF, you create a dedicated gateway (or a dedicated part of your gateway) for each frontend. This means your mobile team can get exactly the data they need, formatted perfectly for them, without over-fetching or making a dozen calls. I've found this dramatically simplifies client-side logic and improves performance, especially by reducing chattiness between client and server.
Speaking of reducing chattiness brings us to aggregation logic. Instead of your client app having to make separate calls to service A, then service B, then service C, just to pull together the information it needs for a single view, it can make one call to the API Gateway. The gateway then plays conductor, orchestrating those calls to the downstream microservices, gathering the responses, and maybe even mashing them together into a neat package. This is a core part of what a BFF does, and it significantly improves performance by cutting down on those round trips. My teams have often seen noticeable speed improvements for users by implementing this.
Then there's the whole world of centralized cross-cutting concerns. Imagine having to implement security, throttling, logging, and route management in every single one of your microservices. Nightmare, right? An API Gateway gives you a central choke-point to handle these things consistently:
Security: You can handle things like authentication (who is this user?) and coarse-grained authorization (are they even allowed to hit this part of the API?) right at the gateway. This takes a huge load off your individual services. We'll touch on how this plays with more fine-grained authorization (like Oso helps with) later.
Rate Limiting/Throttling: This is your bouncer, protecting your backend services from getting slammed by too many requests from a single client or from denial-of-service attacks. Essential for stability.
Logging & Monitoring: With all traffic passing through it, the gateway is the perfect spot for centralized logging of requests and responses, and for gathering metrics on API usage and system health.
Route Management: As your microservices evolve – maybe they move, or you split a service into two – the gateway can handle routing requests to the right place without your clients ever needing to know about those internal changes.
And that last point leads to another topic: hiding your service topology from clients. The gateway provides a stable, consistent API endpoint. Clients talk to the gateway; they don't need to know (and shouldn't care) how your services are deployed, how many instances are running, or if you've just refactored three services into one. This loose coupling is golden. It means you can evolve your backend architecture, scale services up or down, and refactor to your heart's content without breaking your client applications. In my experience, this flexibility is one of the key enablers for moving fast with microservices.
Single Gateway vs. Multiple Gateways: What's the Play?
So, you're sold on the idea of an API Gateway. The next big question I often see teams wrestle with is: do you go for one big, central gateway to rule them all, or do you split things up into multiple gateways? Both approaches have their strengths, and the best choice really depends on your setup.
Let's talk about the single, central gateway first. There's a certain appeal to its simplicity, right? One place to manage all your routing rules, apply consistent security policies across the board, and scale the entry point to your entire system. For smaller to medium-sized applications, I've found that a single gateway is much easier to deploy and maintain. You've got one spot to check for request logs, one place to configure global rate limits, and a single point for SSL termination. It keeps things tidy.
But what happens when your system starts to grow, or when you have wildly different types of clients with unique needs? This is where splitting into multiple gateways often becomes the more practical and scalable strategy. I've seen this become necessary for a few key reasons:
The Backend for Frontends (BFF) Pattern: We touched on this earlier. If you're embracing BFF, you're inherently looking at multiple gateways. You'll have a dedicated gateway for your web app, another for your mobile app, maybe even one for your public API consumers. Each BFF gateway can then be laser-focused and optimized for its specific client, without carrying baggage for others. For example, the gateway doesn't have to transform responses for different clients when each client has its own gateway. My experience is that this leads to cleaner, more maintainable gateway code.
Other Client-Specific APIs: Even if you're not strictly doing BFF, you might have distinct groups of clients with very different API requirements. For example, your internal admin tools might need access to a different set of APIs or have different security considerations than your external partners. Separate gateways can provide better isolation, customization, and security boundaries for these distinct client groups.
Domain Ownership and Team Autonomy: This is a big one in larger organizations. Different teams might own different sets of microservices that logically group together (e.g., the "Ordering" domain vs. the "Inventory" domain). Having separate API Gateways aligned with these domain boundaries can significantly improve team autonomy. Each team can manage and deploy their gateway independently, without stepping on other teams' toes or creating a deployment bottleneck around a single, monolithic gateway. I've seen a single gateway become a point of contention and slow down development in rapidly evolving systems, and splitting it can alleviate that pain.
So, the choice isn't always black and white. It’s common to start with a single gateway and evolve to multiple gateways as your system matures and your needs become more complex. The key, as I always advise, is to understand the trade-offs and choose the approach that best supports your current scale, team structure, and the diversity of your client applications.
Common Concerns and Misconceptions (Let's Bust Some Myths!)
Whenever I talk about API Gateways, a few common worries always pop up. It’s natural to be a bit skeptical about adding another piece to your architecture, so let's tackle these head-on. I’ve heard them all, and usually, there are good answers or ways to mitigate the concerns.
“Isn’t the gateway a bottleneck?”
This is probably the number one fear I hear. And it's a valid question – you're funneling all your traffic through one point (or a few points, if you have multiple gateways). The good news is that modern API Gateways are built for this. They're typically designed using high-performance, non-blocking, event-driven technologies that can handle a massive number of concurrent connections very efficiently. Plus, just like any other service in your microservices architecture, you can horizontally scale your API Gateway. You can run multiple instances and load balance across them. While it is another hop, the risk of it becoming a performance bottleneck can be managed with proper design and scaling.
“Won’t it add latency?”
Okay, fair point. Yes, an API Gateway introduces an extra network hop, and technically, that adds some latency. There's no magic wand to make that disappear completely. However, and this is a big however, the net effect on the user's perceived latency is often positive. How? Because the gateway can significantly reduce the number of round trips a client needs to make. Imagine a mobile app on a high-latency network. Making one call to a gateway that then orchestrates three quick internal calls is usually much faster for the user than the mobile app making those three calls itself over that slow network. Additionally, if the gateway tailors the response payload to the client, you’ll be sending less data across the wire for lower-bandwidth clients, which will also increase responsiveness. Your gateway can also do smart things like caching responses for frequently accessed data to dramatically improve response times. So, while there's a small added hop, the overall impact on performance can actually be a win.
“Why not just use a reverse proxy?”
This is another classic. People see an API Gateway routing traffic and think, "Hey, my NGINX (or other reverse proxy) can do that!" And they're partially right. An API Gateway often includes reverse proxy functionality – that's part of its job. But it does so much more. A simple reverse proxy primarily deals with request forwarding and load balancing, usually at the network level (Layer 4). At most, it handles basic application-level (Layer 7) operations at the level ofHTTP headers. An API Gateway, on the other hand, operates more deeply at the application layer and offers a richer set of features specifically for managing APIs. For instance, it might inspect request or response payloads and transform them based on their destination.
It's about using the right tool for the specific job of managing and securing your API interactions.
Real-World Patterns & Functionalities (Where the Gateway Really Works for You)
So, we've talked a lot about the "what" and "why" of API Gateways. Now, let's get into the "how" – some common patterns and functionalities that I see making a real difference in practice. These are the things that turn a gateway from just a router into a powerful enabler for your microservices. We’ve covered a lot of this already, so feel free to use this section as a chance to go deeper on any patterns that you particularly care about.
BFF (Backend for Frontend) Pattern
We've mentioned this a few times, but it's worth diving into a bit more because it's such a popular and effective pattern. The Backend for Frontend (BFF) pattern is all about creating separate, tailored API gateways – or distinct configurations within a more sophisticated gateway – for each unique frontend or client type you have. So, your web team gets a BFF, your iOS team gets a BFF, your Android team gets a BFF, and maybe your third-party API consumers get their own BFF.
Why do this? Because each of these frontends has specific needs. As I've seen many times, a mobile app might need data shaped differently, require different authentication mechanisms, or prefer different communication protocols than a web app. Trying to serve all these needs from a single, generic API endpoint can lead to a bloated, complicated gateway and a lot of conditional logic. With BFF, each frontend team can work with an API that's perfectly optimized for them. This often leads to faster development cycles, simpler client-side code, and better performance because you're only sending the data that specific client needs. Netflix is a classic example of a company that uses this approach extensively.
API Composition / Request Aggregation
This is a core function that often goes hand-in-hand with the BFF pattern, but it's valuable on its own too. API Composition (or Request Aggregation) is where the API Gateway takes on the role of a data consolidator. Instead of your client application having to make, say, three separate calls to three different microservices to get all the data it needs for a single screen, it makes just one call to the API Gateway.
The gateway then fans out those requests to the necessary downstream services, collects their responses, and potentially transforms or merges them into a single, cohesive response before sending it back to the client. I can tell you from experience, this dramatically reduces the number of round trips between the client and your backend, which is a huge win for performance, especially on mobile networks. It also simplifies your client-side logic because the client doesn't have to deal with orchestrating multiple calls and stitching data together.
Cross-Cutting Concerns: Handled at the Gateway
This is where an API Gateway truly earns its keep by centralizing functions that would otherwise be duplicated (and likely inconsistently implemented) across all your microservices. Here are some key ones I always look to handle at the gateway level:
Authentication & Authorization: The gateway is a strategic place to handle initial authentication – verifying who the client is (e.g., validating JWTs, API keys). It can also perform coarse-grained authorization – deciding if this authenticated client has permission to access a general endpoint or a broad category of resources (e.g., "Is this user allowed to access the /orders API at all?"). This takes a significant burden off your individual microservices. Now, for the more detailed, resource-specific permissions (e.g., "Can this user view this specific order #12345?" or "Can they update its status?"), that’s where fine-grained authorization comes in, and that logic typically lives within the microservice itself, often with the help of an authorization system like Oso. So, it's not about Oso being the gateway, but Oso working alongside the gateway in a defense-in-depth strategy. The gateway handles the front door security, and Oso helps each service manage its own specific access rules. This layered approach is a best practice I strongly advocate for.
Rate Limiting & Throttling: Essential for protecting your backend services from abuse, accidental or intentional. The gateway can enforce policies to limit the number of requests a client can make in a given set of conditions (per IP, per API key, per user, etc). This ensures fair usage and helps maintain system stability. I’ve seen this save services from being unintentionally DDoSed by a buggy script more than once!
Caching: For data that doesn't change too often but is frequently requested, the gateway can cache responses from backend services. This can massively improve response times for clients and reduce the load on your downstream systems. It’s a simple but effective performance booster.
Protocol Translation: Your clients might be most comfortable speaking HTTP/REST, but perhaps your internal microservices are optimized to communicate using gRPC, WebSockets, or other protocols. The gateway can act as a mediator, translating between these different protocols. This allows your internal services to use whatever protocol is best for them, while still exposing a consistent, web-friendly API to the outside world.
Circuit Breaker: This is a crucial pattern for resilience. If a downstream microservice starts failing or responding very slowly, the API Gateway can implement a circuit breaker. It will detect the failures, "trip the circuit," and temporarily stop sending requests to that unhealthy service. Instead, it might return a cached response, a default error, or fail fast. This prevents your gateway (and your clients) from getting bogged down waiting for a failing service and gives that service time to recover. It’s a key pattern for preventing cascading failures in a distributed system.
Logging and Monitoring: Since all (or most) client traffic flows through the API Gateway, it's the perfect place for centralized request/response logging and metrics collection. You can log details about each request, the response status, latencies, and other useful metrics. This data can then be fed into your monitoring, alerting, and analytics systems, giving you invaluable insights into how your APIs are being used and how your system is performing. When something goes wrong, these logs are often the first place I look.
What Tools Are Out There?
Okay, so how do you actually implement an API Gateway? The good news is there’s a rich ecosystem of tools available, both open-source and commercial. The choice often depends on your existing tech stack, the scale of your application, the specific features you need, and your team’s operational preferences. Here are some of the players I often encounter:
Cloud Provider Solutions: All the major cloud providers offer managed API Gateway services. Think Amazon API Gateway, Azure API Management, and Google Cloud API Gateway. These are often very convenient if you’re already heavily invested in a particular cloud ecosystem, as they integrate well with other cloud services.
Library-based/Framework-integrated: If you’re in the Java/Spring world, Spring Cloud Gateway is a very popular choice. For a long time, Netflix Zuul was a big name here too (though Spring Cloud Gateway is often seen as its successor in Spring-based projects).
Standalone Gateway Servers/Platforms: These are dedicated gateway products. Kong (an open-source API gateway) is a very well-known option, built on NGINX and famous for its plugin architecture. Tyk and Express Gateway are other names in this space.
Service Mesh (with Gateway Capabilities): Tools like Istio, while primarily service meshes, can also manage ingress traffic and apply policies at the edge, sometimes overlapping with or complementing the role of a dedicated API Gateway. Envoy proxy, which is the data plane for Istio, is also a powerful building block for many custom and commercial gateway solutions.
Reverse Proxies with Gateway Capabilities: As we discussed, good old NGINX itself can be configured with modules and Lua scripting to perform many API Gateway tasks. In fact, as mentioned, NGINX and Envoy are often the high-performance engines underneath many dedicated gateway products.
Integration Platforms: Some tools, like MuleSoft Anypoint Platform, offer API Gateway functionality as part of a broader integration and ESB-like (Enterprise Service Bus) suite.
When I advise teams, I tell them to look at their current language/framework, whether they prefer a managed cloud service versus self-hosting, the complexity of the routing and policy enforcement they need, and, of course, budget. There’s usually a good fit out there.
Practical Guidance (Making it Work in the Real World)
Theory is great, but how do you actually put an API Gateway into practice without tripping over yourself? Based on what I’ve seen work (and not work), here’s some practical advice.
When to Start with a Gateway?
This is a common question. My general advice is to consider starting with an API Gateway if you can foresee a few things from the get-go:
Multiple Client Types: If you know you'll be supporting a web app, mobile apps, and maybe third-party developers, a gateway (especially with a BFF mindset) will save you headaches down the line.
Need for Centralized Cross-Cutting Concerns: If you anticipate needing consistent security enforcement, rate limiting, or centralized logging across many services, implementing this at a gateway early on is much cleaner than trying to retrofit it later or, worse, building it into every service.
Complex Service Interactions: If you envision clients needing to aggregate data from several microservices for a single view, planning for API composition at the gateway can simplify client logic significantly.
Evolving Backend: If you expect your microservice landscape to change frequently (services being split, merged, or scaled independently), a gateway provides a stable facade for your clients.
If you're starting really small, with just a couple of services and one client type, you might defer it. But if you see complexity on the horizon, it’s often better to lay the foundation early. I’ve seen teams regret not doing it sooner when things started to scale.
Keeping it Lean and Performant
Gateways can do a lot, but that doesn't mean they should do everything. A common pitfall I've observed is letting the gateway become a dumping ground for all sorts of business logic. This can make it bloated, slow, and a bottleneck .
Keep Business Logic in Services: The gateway should primarily handle routing, composition, and cross-cutting concerns. Complex business rules and domain-specific logic belong in the microservices themselves.
Optimize for Performance: Choose a gateway technology known for performance. Monitor its latency and resource usage closely. Use caching effectively, but be mindful of data freshness.
Asynchronous Operations: Where possible, if the gateway needs to call multiple services, explore options for making those calls in parallel (asynchronously) rather than sequentially to reduce overall response time.
Security Best Practices
Security is paramount, and the gateway is a critical control point.
Defense in Depth: As we discussed with Oso, use the gateway for authentication and coarse-grained authorization. Implement fine-grained authorization within your services.
Secure Communication: Enforce HTTPS/TLS for all external communication. Use mTLS (mutual TLS) for communication between the gateway and your backend services if they are in a trusted network, or if you need that extra layer of security internally.
Input Validation: While services should validate their own inputs, the gateway can perform initial validation (e.g., checking for malformed requests, expected headers) to offload some basic checks.
Limit Exposed Surface Area: Only expose the necessary endpoints through the gateway. Keep internal service-to-service APIs hidden from the public internet.
Don't Forget Observability
Your gateway is a goldmine of information.
Comprehensive Logging: Log key details for every request and response, including latencies to downstream services. This is invaluable for debugging.
Metrics and Monitoring: Track error rates, request volumes, response times, and resource utilization of the gateway itself. Set up alerts for anomalies.
Distributed Tracing: Integrate your gateway with a distributed tracing system so you can follow requests as they flow from the client, through the gateway, and across your microservices.
Iterate and Evolve
Your API Gateway strategy isn't set in stone. As your system grows and your needs change, be prepared to revisit your gateway architecture. You might start with a single gateway and later decide to split it into multiple BFFs. You might introduce new plugins or policies. The key is to treat your gateway as a living part of your system that evolves with it. I always encourage teams to regularly review if their gateway setup is still meeting their needs effectively.
Frequently Asked Questions (FAQ)
Q: Is an API Gateway always necessary for microservices?
A: Not always, no. In my experience, if you have a very simple setup with few services and one client type, or if your system is primarily asynchronous via message brokers, you might not need one initially. It really shines when complexity, client diversity, or the need for centralized concerns like security and request aggregation grows.
Q: What's the main difference between an API Gateway and a simple reverse proxy?
A: Think of it this way: a reverse proxy mostly just forwards traffic. An API Gateway does that too, but it also handles a lot more application-level tasks like request transformation, authentication/authorization, rate limiting, and API composition. It’s a much more specialized tool for managing your APIs.
Q: Can an API Gateway become a performance bottleneck?
A: It's a valid concern, as it's another hop. However, modern gateways are built for high performance and can be scaled horizontally. Often, the benefits of request aggregation and reduced client chattiness actually lead to better overall perceived performance for the end-user, in my observation.
Q: Should I use one API Gateway or multiple?
A: It depends. A single gateway can be simpler for smaller setups. But as you scale, or if you adopt patterns like Backend for Frontends (BFF) for different client types (web, mobile), or want more team autonomy, multiple gateways often make more sense. I've seen teams successfully evolve from one to many.
Q: Where should I implement fine-grained authorization if the gateway handles coarse-grained?
A: Great question! The gateway is perfect for initial checks (e.g., is the user authenticated and allowed to access this general API area?). For fine-grained rules (e.g., can this specific user edit this particular document?), that logic should reside within the individual microservices themselves, often using an authorization system like Oso to define and enforce those detailed policies.
As applications grow in complexity, traditional Role-Based Access Control (RBAC) often falls short of meeting nuanced authorization needs. Developers face challenges managing permissions that must adapt to dynamic user attributes, resource contexts, and evolving business rules. This gap calls for modern permission management approaches that go beyond static roles to deliver flexible, scalable, and performant authorization.
How Oso’s authorization API addresses complexity with low latency
Practical examples of implementing flexible permission logic
How Oso’s deployment flexibility and database integration empower developers
Why RBAC Alone Isn’t Enough for Complex Applications
RBAC organizes permissions into roles, which are then assigned to users to grant access rights. This model works well for straightforward scenarios but breaks down in fine-grained or context-dependent policies. For example, consider an app where access depends not only on a user’s role but also on attributes like department, project membership, or time of day.
Static roles can lead to role explosion—where the number of roles grows unwieldy as the number of permission combinations increases. This complexity makes managing and auditing permissions difficult, increasing the risk of errors or security gaps.
Modern applications demand permission management that adapts dynamically to user attributes, resource properties, and environmental conditions. This need has driven the adoption of more expressive models like ABAC and ReBAC.
Modern Permission Models Explained
Attribute-Based Access Control (ABAC)
ABAC evaluates access based on attributes of users, resources, and the environment. For example, a policy might allow access only if a user’s department matches the resource’s department and the request occurs during business hours.
This model offers fine-grained control without proliferating roles. It supports complex, context-aware policies that reflect real-world business logic.
Relationship-Based Access Control (ReBAC)
ReBAC bases permissions on relationships between entities, such as users, groups, and resources. For instance, a user may access a document if they are a member of the project team that owns it.
ReBAC is especially useful in social networks, collaboration tools, and multi-tenant systems where relationships define access boundaries.
Policy-Based Access Control (PBAC)
PBAC centralizes authorization logic into policies that specify conditions for access. These policies can combine roles, attributes and relationships, enabling sophisticated rules like “finance team members can access reports only during business hours.”
Centralized authorization policies are essential in modern applications, whose functionality may be defined across multiple application tiers, containerized services and even serverless functions.
Combining Models for Flexibility
Modern applications often blend RBAC, ABAC, and ReBAC to balance simplicity and expressiveness. RBAC handles broad access categories, while ABAC and ReBAC refine permissions based on context and relationships.
How Oso Simplifies Complex Permission Management
Oso supports these models natively, allowing you to express policies declaratively and enforce them efficiently. Here’s how Oso stands out:
Low Latency Authorization Service: Oso delivers permission checks in under 10 milliseconds, ensuring authorization does not become a bottleneck even in high-throughput applications.
Local Authorization Without Syncing: Oso is able to run authorization logic locally if desired, eliminating the need to sync permissions from a central server. This reduces latency and improves reliability.
Seamless Database Integration: Oso can use data from your existing databases at evaluation time, enabling authorization decisions based on live data without duplicating or migrating data.
Deployment Flexibility: For organizations that want additional resilience and peace-of-mind, Oso supports a hybrid deployment model. You can deploy a fallback node inside your VPC to ensure service continuity even in the event of an unexpected loss of communication to Oso Cloud. In addition, a private beta of Oso on-prem is available; please contact us for more information.
Deterministic, Testable Framework: Oso’s policy language and engine are designed for clarity and debuggability, making it easier to write, test, and maintain complex authorization rules.
Implementing Flexible Permission Logic with Oso
Consider a scenario where you want to allow users to edit documents only if they belong to the same team and the document is not archived. With Oso, you can express this logic clearly:
allow(user:User, "view", document:Document) if has_relation(user, "team", _team) and has_relation(document, "team", _team) and not is_archived(document);
This policy combines user attributes and resource state without creating new roles for every possible combination. Oso evaluates this efficiently, returning a simple yes/no answer.
You can also incorporate relationships, such as allowing access if a user is a manager of the document owner:
allow(user:User, "view", document:Document) if has_relation(_owner, "manager", user) and has_relation(document, "owner", _owner);
This flexibility supports evolving business rules without rewriting your entire permission system.
Deployment and Integration: Making Authorization Work for You
Oso’s ability to integrate with your existing Postgres database schema means you don’t have to restructure your data or maintain separate data stores. This reduces operational overhead and keeps authorization aligned with your application state.
Moreover, this lets you run authorization close to your data, minimizing exposure and meeting strict regulatory requirements.
Summary: Moving Beyond RBAC with Oso
RBAC remains a useful foundation, but modern applications require permission management that adapts to complex, dynamic contexts. Models like ABAC and ReBAC provide this flexibility, but implementing them efficiently is challenging.
Oso offers a robust authorization service that supports multiple models, incorporates local application data, and delivers low-latency, local authorization. Its deterministic framework makes policies testable and maintainable, while deployment flexibility meets diverse infrastructure needs.
If you’re building complex apps and want a permission management solution that scales with your business logic, Oso provides the tools and expertise to get it right.
Explore Oso’s documentation to see how you can implement modern authorization in your applications today.
Microservices are great—until you have to deploy them. They’re flexible, scalable, and let teams move fast. But the moment you break things into smaller parts, you inherit a new kind of complexity.
Unlike monolithic applications deployed as one tightly knit unit, a microservices architecture requires a more attentive approach. I’ve learned (sometimes the hard way) that deploying microservices becomes less about code and more about orchestration.
Here are a few of the pain points I’ve run into:
Service interdependencies: Individually managing each service is not enough. You need to understand how it connects to the entire system.
Traffic distribution: Each service has different needs, and balancing these keeps each one “happy.”
Fault tolerance: No single service should be a point of failure. But designing for that takes real effort and planning.
These challenges have taught me the importance of being extra careful with deployments. In the rest of the article, I’ll walk through deployment strategies I’ve seen work and the tradeoffs between them. I will also discuss the unavoidable challenges during deployments and how to manage them. Let’s get started.
4 Key Microservices Deployment Strategies
The goal of a deployment strategy is to update services safely. Each strategy has its own process, offering distinct benefits and drawbacks for different use cases.
Blue-Green Deployment
Blue-green deployments take advantage of having two identical production environments: one active (blue) and one idle (green). The idea is to deploy updates to the idle environment and switch traffic from the active one after the changes have been validated.
Workflow
Deploy new version to green environment: Deploy changes to the idle environment (green), which mirrors the current production (blue) as closely as possible.
Test the green environment: Use automated tests, manual checks, and smoke tests to validate the safety of the deployment.
Switch traffic: Redirect the production traffic from blue to green using a load balancer or another routing mechanism (DNS switching, container orchestration tool, etc.).
Rollback option: In the case of unintended consequences in the green environment, reroute traffic back to blue.
Benefits
Zero downtime (with caveat): Traffic switches between environments without taking the application offline. However, if there are database schema changes, careful coordination is required (more on this later).
Straightforward rollback: If something goes wrong with the green environment, traffic can simply be rerouted back to the blue environment.
Production-level testing: The green environment replicates the production environment (blue) to test against production-like traffic.
Drawbacks
Resource-intensive: Maintaining both environments means duplicating infrastructure (servers, storage, orchestrators, traffic routing, load balancing, testing, monitoring, and more). We are effectively doubling resource consumption.
However, for companies where uptime is non-negotiable, this cost is justified.
“Netflix is deployed in three zones, sized to lose one and keep going. Cheaper than cost of being down.” — Adrian Cockroft, former Cloud Architect at Netflix
Database Challenges: When a deployment includes schema changes (e.g., adding a new column), the Green environment must be compatible with both the old and new application versions.
Expert Insight: In a previous role, we followed a strict policy: no breaking database changes. Every schema update was done in two phases. First, we updated (only) the database and made sure the code still ran. Then, we updated the app code to use the new schema. This way, rollback was always an option since we could always revert the app without worrying about compatibility.
Ideal Scenarios
Blue-green deployments work well in systems that require feature rollouts with no downtime. Companies like Amazon, where every millisecond is a massive hit on revenue, rely on the direct traffic transfer to keep their site operational even during major shopping events like Prime Day or Black Friday.
Canary Deployment
Canary deployments take an iterative approach, beginning with a small user base and expanding as confidence builds from real-world feedback.
Workflow
Initial release to small user group: The new version is deployed to a small percentage (1-5%) of the user base (known as the “canary” group).
Monitoring: System performance, error rates, user feedback, and crash reports are tracked and compared between the canary group and a control group.
Gradual rollout: The deployment is progressively expanded with validation at each stage (e.g., 20%, 50%, and eventually 100%).
Rollback option: If metrics indicate instability, the system can roll back to the previous version, limiting its impact on the number of users.
Benefits
Risk reduction: A limited rollout serves as a safety net, allowing teams to catch issues before they affect a larger percentage of users.
Data-driven rollout: Rather than relying on assumptions, canary deployments use live data for validation.
Drawbacks
Complex traffic management: When a service is updating, it may still need to interact with an older version of a dependent microservice. Canary deployments must carefully route traffic (to subsets of users) across mixed-service versions.
Expert Insight: In my experience, directing users to the canary environment isn’t just about traffic percentage: it’s about stickiness. You can’t let users bounce between old and new versions. In stateless environments, this becomes tricky. We used feature flags as a workaround, specifying a flag variation as the canary group. It added some overhead, but it was needed for this situation.
Load-increase issues: While canary deployments excel at validating behavior on a small scale, they often miss problems that come with volume, such as API rate limits or too many database connections.
Ideal Scenarios
Canary deployments help roll out features while minimizing risks tied to assumptions. Spotify, for example, tests updates to its recommendation algorithm by releasing them to the “canary” group and then gradually expanding the rollout, using user engagement as its North Star.
Rolling Deployments
Like canary deployments, rolling deployments minimize risk by avoiding sudden exposure. However, instead of targeting users, they target servers, gradually replacing old instances across the infrastructure.
Workflow
Initial release to a subset of instances: A limited number of instances (containers, virtual machines, etc.) are updated with the new changes.
Monitoring: Each updated instance is tested with performance metrics like response times and error rates.
Gradual rollout: Traffic progressively shifts to updated instances, with the deployment considered complete once all servers are verified stable.
Rollback option: If any issues are detected during the rollout, the system can redeploy the old version to affected instances.
Benefits
Performance-driven rollout: The gradual updating of select instances allows teams to gain insight into how the system behaves as load scales and helps enable continuous development.
Minimal downtime: Traffic is continuously served to both the older and newer instance versions throughout the transition.
Cost-efficient: Since rolling deployments reuse current instances, there’s no need to add duplicate infrastructure.
Drawbacks
Traffic Routing and Compatibility Issues: During a rolling deployment, different service versions (both old and new) run simultaneously. This means that for a period of time, both versions are handling live traffic and sharing resources. Just like canary deployments, extra overhead is needed to ensure stickiness and keep instances in their corresponding groups.
Slower rollouts: Each batch of instances must be validated for stability before moving to the next. If a server crashes during the rollout, it must be investigated to see if the newly deployed changes caused the issue.
Ideal Scenarios
Rolling deployments help large-scale systems, like Dropbox, minimize the risk of compute spikes (which are quite common in microservices). When updating their file-sharing platforms, clusters are rolled out one by one, ensuring that files remain accessible throughout the deployment process.
A/B Testing
A/B testing revolves around exposing two (or more) versions of a feature to different groups of users.
Workflow
Create multiple versions: Develop different versions of a feature (can test functionality, design, performance, etc.).
Divide user traffic: Split traffic into segments that represent a balanced distribution (typically 50/50 for A/B).
Monitor: Track key performance indicators (KPIs), such as conversion rates, to assess how each version is doing numerically.
Analyze: Use the KPI metrics to determine which version performed better.
Iterate and Optimize: Roll out the “winning” version to all users, or run additional tests to refine the feature further.
Benefits
User-centric improvements: A/B testing directly compares how different versions perform across groups, using user actions as the basis for decisions.
Optimized for conversions: Testing one variable at a time is a proven way to identify which features, elements, or design changes have the most effect.
Expert Insight: A/B testing only works if you isolate variables. I’ve seen teams run multiple overlapping tests simultaneously, which made it very difficult to determine which change caused the observed behavior. Every extraneous variable adds unnecessary noise.
Feature flagging:Feature flags can be used to switch between versions without requiring new deployments.
Drawbacks
Requires a large user base: Test results are only as accurate as the sample size. Low traffic can skew data.
Fragmented user experience: A/B testing intentionally exposes different users to various versions for research purposes. However, this can frustrate users if their experience feels incomplete.
Data bias: External factors such as marketing campaigns or seasonality must be accounted for, as they can change test results. Another often overlooked challenge is that running an experiment can “lock” a feature in place since any changes to that feature would risk invalidating the test. This can create difficult tradeoffs between the integrity of the experiment and fixing a bug.
Ideal Scenarios
A/B testing is powerful when used by high-traffic companies to fine-tune features. Facebook, for example, experimented with various ways to express approval (ranging from text-based reactions to visual icons). By continuously tweaking subtle design elements, they collected massive research on user behavior patterns—ultimately leading to the birth of the modern Like button.
Lessons Learned From Using (and Combining) Deployment Strategies
After working with a variety of deployment setups, one thing’s clear: no single deployment pattern is universally the “best”. Just like any technology solution, each pattern has its advantages and disadvantages. The key is to understand and strategically combine strategies to meet the needs of your entire system.
For example:
A social media app could use blue-green deployments to safely release a new major feature like a redesigned feed. Once that’s stable, it could then layer in a canary release to test a more targeted change, such as a new UI design. You get safety and feedback.
A streaming service might use rolling deployments for backend updates while simultaneously running A/B tests on different recommendation engines, using both deployment and experimentation as two sides of the same strategy.
These patterns are a solid foundation, but they don’t eliminate the risks that come with deploying microservices. Every deployment introduces potential points of failure. What we need to do is recognize where it’s most likely to happen and build safeguards around it.
Deployment Challenges and How to Handle Them
Let’s take look at what can go wrong, and what to do about it.
Service to Service Communication
Challenge
During deployments, microservices are often packaged independently, and downstream services must be considered to avoid disrupting communication.
Version incompatibility: Modifying software components can change the way data is expected to be handled. For example, if an authorization service removes a field in its HTTP request, older versions of dependent services might send the wrong format.
Expert Insight: One way to handle breaking changes between services is by versioning your API endpoints. For example, if you add a change to the orders service, you can expose it as /api/orders/v2 while keeping the original at /api/orders/v1. This lets clients migrate on their own timeline.
Bonus tip: Use endpoint level versioning (/api/orders/v2) over global versioning (/api/v2/orders). This makes it easier to version API endpoints independently of one another.
Increased latency: During updates, services can incur additional network overhead. If a notification service is experiencing a high load, other microservices will have to wait for their requests to be processed.
Best Practices
As Sam Newman, author of Building Microservices, emphasizes:
"The golden rule: can you make a change to a service and deploy it by itself without changing anything else?"
Decoupling services allows each microservice to operate independently, meaning that updates in one area don’t necessarily disrupt others.
Event-driven architectures: Using tools like Kafka or RabbitMQ lets services process requests without waiting for an immediate response.
API gateway: Acts as a gatekeeper, detecting which instances are being updated and routing client requests only to stable ones.
Docker: Bundles microservices along with all their dependencies into a container. If a service experiences issues during an update, a new container can be spun up instantly.
Circuit breakers: Isolate failing services by blocking requests when the service becomes unstable, giving the system time to recover.
Service mesh: Routes traffic internally to healthy instances during updates. It manages service-to-service traffic (at the network layer), unlike an API Gateway that handles client-to-service traffic.
Service Discovery and Scaling
Challenge
During deployment, microservices can be in a scaling, updating, or failure state. The system should be capable of migrating them to new instances when needed.
Service Discovery: When a service updates or scales, its location changes. For instance, an alert service connected to a fraud detection system must know the new IP when a service moves to another cluster.
Scaling: Microservices are designed to scale dynamically. However, resource needs should be anticipated to avoid under-provisioning (leading to delays) or over-provisioning (leading to wasted costs). A shopping service might need more instances during an update to handle the extra overhead, but could scale down afterwards.
Expert Insight: It’s smart to scale up preemptively when you know a traffic surge is coming (like Black Friday). This is particularly helpful for services with long startup times or heavy initialization logic.
Best Practices
Having a centralized management system provides a bird’s-eye view of the entire ecosystem, making coordination, automation, and infrastructure management easier.
Kubernetes: Abstracts complexities by using a DNS-based routing system that tracks services as they move across clusters. Its Horizontal Pod Autoscaler and Cluster Autoscaler automatically adjust resources based on demand.
Helm Charts: Kubernetes-native YAML templates that define how services should be configured and deployed, ensuring consistency.
Zookeeper: Uses a hierarchical structure (similar to a filesystem) to maintain configuration information, naming, and synchronization. When a service changes state, Zookeeper notifies dependent services, alerting them of potential conflicts.
Data Inconsistencies
Challenge
In a microservices architecture, each service typically has its own database or data store. When services are updated independently, changes in business logic can lead to mismatches between expected and actual data structures.
Schema Changes: When the schema is altered, older services that rely on the previous schema can break. For example, if a billing service adds a field into its event payload, an invoice generation service might miss that data.
Data Synchronization: During deployments, shared data can become stale. If an order service sends a stock update while the inventory service is being updated, the message might be routed to the wrong (or unavailable) instance.
Best Practices
Rather than overwriting state, systems should preserve the full timeline of events to maintain consistency throughout deployments.
CQRS (Command Query Responsibility Segregation): Separates systems into models for handling queries (reads) and commands (writes), allowing each to evolve independently.
Event Sourcing: Stores writes as a sequence of immutable events, which serve as the single source of truth and allow past actions to be replayed.
Backward-compatible Schema Changes: As mentioned earlier, always avoid breaking database changes. Use a two-phase approach: first, make non-breaking schema updates and second, update your actual application logic in a subsequent release. This ensures that you can roll back app versions without worrying about schema incompatibility.
Monitoring
Challenge
Monitoring during and after deployment is especially challenging due to the dynamic nature of microservices.
Limited Visibility: During service updates, some instances may enter transitional states. Data collected during these periods cannot be treated the same as data from fully stable services.
Best Practices
The key question during a deployment is: “What changed after the release?”
Answering this requires system-wide visibility across all affected services, noting shifts in behavior before and after the deployment.
Centralized Logging: Tools like ELK Stack or Fluentd provide a unified interface for collecting logs from all services.
Distributed Tracing: Tools such as Jaeger, Zipkin, and OpenTelemetry tag each request with a unique trace ID, tracking its path across services to pinpoint exactly where failures occur.
Metrics Collection:Prometheus scrapes metrics from services during deployments and stores them as time-series data. These metrics can be visualized in Grafana, allowing teams to compare performance against previous versions.
Synthetic Testing: External systems like Pingdom or Datadog Syntentics can simulate real user behavior such as navigating pages or submitting forms. These tests can be brittle, but are a great way to catch bugs that affect site behavior.
Conclusion
Working with a microservices architecture has taught me that their greatest strength, decentralization, is also what makes them so challenging to deploy. You get the scalability and flexibility modern systems need, but only if you’re intentional about how things roll out.
Whether you’re using Blue-Green, Canary, or anything in between, the hard part of deploying microservices is dealing with the ripple effects—service communication, failure handling, and making sure your changes don’t break things in production.
One such challenge is authorization across services. As discussed in Oso’s blog on microservices authorization patterns, tools like OSO can help simplify this by letting you pull authorization logic out of individual services and centralize it. This preserves the loose coupling that microservices rely on, and also makes it easier to define, manage, and understand your authorization policies.
FAQ
What is microservices deployment?
Microservices deployment refers to the process of releasing, updating, and managing small, independently deployable units of software into production. It requires careful coordination of multiple services, ensuring each one operates as part of a larger system.
What are the phases of microservices deployment?
The phases include planning (defining strategies and testing plans), building and packaging (containerizing services), testing (unit, integration, and performance tests), deployment (using strategies like Blue-Green or Canary), monitoring (tracking performance and errors), and rollback (reverting to previous versions if necessary).
What are the deployment strategies for microservices?
Deployment strategies include (but are not limited to) Blue-Green (switching traffic between two environments), Canary (gradual release to a small user group), Rolling (incremental updates to servers), and A/B Testing (testing different versions for performance).
What are the best tools for microservices deployment?
Key tools include Kubernetes (for orchestration), Docker (for containerization), Helm (for managing Kubernetes apps), Spinnaker (for continuous delivery), Istio (for service mesh), CI/CD tools (e.g., Jenkins, GitLab CI), Prometheus & Grafana (for monitoring performance), and tools provided by your cloud provider.
Today, microservices architecture is popular, accounting for the infrastructure of 85% of enterprise companies. Microservices are modular, with each service (e.g., authentication, billing, data access) developed and scaled independently. However, microservices architecture also creates a challenge; every node is a possible entry point for an exploit. Accordingly, companies building with microservices need to take robust security measures to protect themselves against attacks.
As a baseline, each service should be treated with the same microservices security standard afforded to a monolithic stack. Otherwise, a microservices infrastructure is only as secure as the weakest service. The network that microservices transact across—while typically private—should also be treated with the same zero trust as the common internet. This attitude mitigates the damage of an attack if a microservice becomes compromised.
I’ve worked with microservices security for over a decade and have encountered my fair share of learnings on how to secure them. I’ve noticed a few themes—most practices follow the principle of least privilege, where a client (e.g., a service or user) is granted only the necessary permissions. Others involve invoking the right protocols to verify only good actors are participating in data transactions.
Today, I’ll cover my learnings, discussing nine different principles that’ll protect a microservices stack.
1. Secure API Gateways and Perimeter Defense
Because a microservices architecture typically exposes multiple endpoints, it’s wise to establish a strong first line of defense. You can achieve this by implementing secure API gateways—which receive traffic through well-monitored and protected entry points. Companies often consolidate access with a single gateway.
Think of a gateway as airport security.
It checks IDs (authentication).
It determines who gets access to VIP areas (authorization).
It keeps troublemakers (malicious traffic) from entering in the first place.
Without this strong, single entry point, you’d need extreme security at every gate in the airport. Instead, with API gateways, you get strong protection where you need it most.
Consider using a proven solution, like Amazon API Gateway, when implementing a gateway. Solutions like this offer built-in security features designed specifically for microservices architectures. Additionally, you can deploy a web application firewall (WAF) to detect and block common attack patterns before they even reach the gateway.
2. Secure Network Communications
Once you’ve secured your gateway, it’s easy to assume that communication between services is secure. After all, the network is strictly private. This couldn’t be further from the truth. Good security measures should not only protect against attacks but also limit them. By treating inter service communication with the same zero trust that we afford Internet transactions, you’ll create a network that’s robust against a network-wide breach.
Notably, traffic between nodes can be subject to even stronger security than traffic across the Internet. Servers traditionally use TLS (Transport Layer Security) to communicate with client devices, where the client can ensure that only the server can decrypt transmitted data. However, with microservices architecture, engineers have access to both nodes. In this case, you should use mutual TLS (mTLS), where both nodes must verify each other’s identity through trusted credential certificates before they can exchange data.
mTLS reduces reliance on the total system’s security perimeter. It combats man-in-the-middle (MITM) attacks, where an attacker intercepts data between nodes (a very common security risk in data breaches).
3. Authentication and Authorization
Beyond the network layer, you should protect communication between nodes (and access to nodes) with authentication and authorization. While often conflated, authentication and authorization are distinct concepts. Authentication is a matter of identity, e.g., “Who are you?”. Authorization is a measure of permissions, e.g., “Are you allowed to do this?”.
Robust microservices architecture could employ various authentication and authorization measures. Common frameworks I’ve used:
RBAC (Role-based access control), where users or services receive assigned roles, each with established permissions
ABAC (Attribute-based access control), where characteristics of the requester, the target of the request, and the operating environment determine permissions
PBAC (Policy-based access control) is similar to ABAC, but it adds permission-granting attributes to a request through predefined company policies
ReBAC (Relationship-based access control), where relationships between resources—such as data ownership, parent-child relationships, groups, and hierarchies—determine permissions
Unfortunately, no single model is sufficient for real-world authorization policies. For robust security, you’ll end up with elements of various models. For example, authorization in multi-server applications is often determined by relationships between the resources managed by services. ReBAC alone isn’t sufficient; sometimes, siloed attributes are better at defining security for an instance. Authorization patterns for microservices are generally complex, and delivering strong security is a matter of mixing models to fit your application’s features.
Irrespective of authorization and authentication patterns, every service (and node) should have a separate identity. For example, if an attacker breaches a service with a database account that only has access to relevant data, the security risk is significantly limited.
4. OAuth and JWT
The downside of a centralized authorization service is traffic: It can be burdened by thousands (or millions) of authorization requests for the entire backend system. To combat this, you can implement JSON Web Tokens (or JWT Tokens) to authenticate systems at scale without dispatching an authorization query for each request.
Here’s how it works:
Services fetch a JWT from a token service once, outlining the user’s authorization.
The JWT will exclusively grant access without making subsequent round-trip calls to the service.
They reduce traffic by minimizing round trips to the server and limiting load.
They lower latency by keeping communication between services.
They lighten backend load by carrying authorization data in the token itself.
However, there are challenges too:
JWTs might carry a lot of authorization data depending on granted permissions
JWTs must be cancelable if permissions change, or companies need to tolerate some misaligned permissions until a JWT expires.
To facilitate JWTs and server-to-server communication, you should implement OAuth 2.0. OAuth 2.0 provides an out-of-the-box system for implementing authentication, supporting JWTs, JWKS, and attribute-based authorization. When your authorization needs outgrow your JWTs, you can use an external provider like Oso that provides an authorization language for modeling complex access policies.
5. Rate Limiting and DDoS Protection
Any service that’s publicly exposed could potentially face a barrage of requests. This might be due to a legitimate usage spike or a malicious distributed denial-of-service (DDoS) attack. Either way, the result is the same: Your services can’t keep up with the requests, meaning your users can’t access your application. This hazard is multiplied with microservices architecture if multiple nodes are publicly facing.
To protect against this, nodes should implement DDoS protection, where a service monitors traffic and identifies IP addresses that might be participating in a DDoS attack. Additionally, in systems where an API key provides access, keys can be rate-limited to avoid abuse. This protects against malicious and innocuous sources of traffic spikes.
6. Use Your Service Mesh for Telemetry
Maintaining good microservices security also requires assuming that a vulnerability exists. Because of this, it’s important to heavily monitor systems.
Most microservices architecture will use a service mesh to register services and make them discoverable. Common providers include Istio and Linkerd. A service mesh uses sidecar proxy services to handle routing between independent services. This positions it as a fantastic observability candidate: the control mesh can study traffic to flag discrepancies (which are often found through dynamic analysis security testing).
You can also implement these meshes to rate-limit traffic between microservices, serving as another measure to minimize damage in the case of an attack.
7. Secrets Management
Microservices often have to use secrets (e.g., API keys) to access external services—or even internal services within the private network. By definition, these secrets are sensitive data that should never be hard-coded. To implement secrets robustly, you should use a secrets management system (e.g., Doppler, HashiCorp Vault, AWS Secrets Manager) to avoid hard-coding secrets.
You should also routinely rotate secrets to minimize the impact of an undetected theft of keys. This ensures that even if your secrets are compromised, the intruder can only access key systems or sensitive data for a set duration. The more often you rotate your keys, the shorter that duration will be.
Finally, you should create different secrets for different services. When possible, these keys should be scoped to the minimum set of required permissions, reinforcing the principle of least privilege and strengthening overall microservices security. Additionally, if a key is breached, you can cut off access by deleting the key without breaking other services.
8. Logging
Microservices security architecture should always include logs with high cardinality to ensure there’s a record system in the case of an attack. And, because microservices talk to each other, a single request should have a unique ID to generate a trace: a child-parent hierarchy of transactions as they percolate through the entire microservices system. Each service should identify itself in the trace so you can aggregate traces on a per-service basis.
A common open-source library for implementing this tracing process is OpenTelemetry, with events dispatched to an analysis tool (e.g., HyperDX, Datadog). Enterprise-grade solutions like Splunk combine traffic across networks, devices, nodes, and more to identify attacks. These tools make identifying anomalies easier through visualizations.
9. Strong Container Security
Microservices are typically run within containers (e.g., Docker) and managed by container orchestrators (e.g., Kubernetes). These services are only as secure as the containers they’re embedded within.
To protect your microservices against a container exploit, make sure to:
Keep containers and orchestrators up to date with the latest versions.
Use trusted base images when spawning new containers.
Run services with non-root user permissions to minimize potential damage.
These practices will help you avoid a host-wide exploit.
Conclusion
Microservices architecture security is a layered and modular process. Over the years, I’ve learned to reinforce microservices security at the system, service, and container level. You should protect every ingress and egress from breach. Generally speaking, strong microservices security requires consistent application of the principle of least privilege and achievement of zero trust between nodes.
By applying these comprehensive measures, you can minimize the likelihood of an attack and reduce the damage if an attack happens. You will also improve your security posture, earn the trust of your customers, and enable your system to scale without the headache.
FAQ
How do I implement security in microservices?
In my experience, the two core principles of microservices security are are:
Zero-trust policy: Do not assume that any device or user is inherently trustworthy, even within your own systems
Principle of least privilege: Services should have the minimum access necessary to complete their task.
You also want to secure every access point and communication between nodes. And finally, it’s important to use strong authentication and authorization for every request, implement an API gateway, encrypt data, manage secrets securely, and perform dynamic/static analysis security testing.
What are the security challenges of a microservices architecture?
Unlike monolith architecture, where a single service needs to be secured, microservices architecture multiplies the attack surface, as every service is a potential attack vector. Communications between services are also vulnerable. Accordingly, you need to implement adequate security measures such as API gateways, authorization, authentication, service mesh observability, secrets storage, data access, etc.
How can I implement authorization within microservices?
Implementing authorization in microservices is challenging due to the distributed nature of the architecture. Popular models like RBAC, ABAC, and ReBAC each solve different parts of the problem—but most complex systems need a combination to fully secure their services. To simplify implementation, teams often rely on identity providers (like OAuth 2.0) for authentication and use purpose-built authorization services like Oso to manage access consistently across services.
Watch to learn why authorization is so difficult in microservices—and how to approach it.
Fine-grained authorization (FGA) controls who can do what, on which resource, and under what conditions based on roles, relationships, and context.
Traditional models like RBAC (role-based access control) are too rigid for modern, dynamic systems, often leading to over-permissioning or patchy enforcement.
FGA enables precise, contextual decisions like allowing access only during business hours, within certain departments, or on specific resource fields.
With tools like Oso, you can define policies once and enforce them consistently across APIs, services, UIs, and even AI agents.
Imagine this: a customer support agent logs into your admin dashboard and uses the impersonation tool to investigate an issue. Nothing wrong with that until they accidentally access and edit sensitive billing data. No malicious intent. But the impact? Real. Unintended data changes, compliance violations, and hours of rollback effort.
The problem wasn’t just human error. It was the authorization logic that was too coarse. Anyone with the "Support" role could impersonate any user, access any feature, at any time.
These kinds of failures are more common than you think. And as modern systems get more complex, with layers of automation, multi-tenant environments, and integrations with AI agents, the need for real-time, contextual access control is no longer optional. It’s critical.
That’s where fine-grained authorization comes in.
FGA lets you move beyond one-size-fits-all roles and build access rules based on context, relationships, and intent. Instead of saying, "Support agents can impersonate users," you can say:
"Support agents can impersonate users in their region, during business hours, and only on non-sensitive resources."
FGA is about precision. About ensuring that permissions reflect the real-world boundaries your business needs.
Coarse vs. Fine-Grained Authorization
Here’s a quick comparison between Coarse and Fine-Grained Authorization:
Feature
Coarse-Grained (RBAC)
Fine-Grained (FGA)
Permissions assigned by
Roles
Rules, context, relationships
Resource scope
Application-level
Field-, record-, or attribute-level
Flexibility
Low
High
Auditability
Moderate
Strong
Enforcement
Hardcoded
Declarative and centralized
The Limitations of Coarse-Grained Access Control
Coarse-grained models like RBAC and even ReBAC (Relationship-Based Access Control) were designed for simpler systems where everyone can access each and every resource or with more than required permissions. They assume permissions can be defined by either what role a user has or how they relate to a resource. And in some cases, they work well enough.
But as your system grows, so does its complexity. Here are the cracks that start to show:
Rigid roles: Want to give a user edit access to just one project, but read access to the rest? Tough. You’ll need a new role or worse, custom logic.
Over-permissioning: With broad roles like "Admin" or "Manager," users often get more access than they actually need.
Inconsistent enforcement: One service checks for roles, another checks relationships, and a third bypasses checks entirely for performance. There’s no uniform standard.
Hard-to-audit systems: With rules spread across controllers, YAML, and SQL, answering "Who can do what?" becomes guesswork.
This sprawl not only makes debugging a nightmare, but it also creates real security risks. Without clear, context-aware rules, your system becomes a patchwork of special cases and exceptions.
Why Coarse-Grained Access Control Doesn’t Scale
Modern systems don’t live in a monolith anymore. They’re made up of dozens, sometimes hundreds of services, each with its own responsibilities, data models, and deployment lifecycles. And these services interact with external partners, embedded AI agents, federated identity providers, and region-specific infrastructure.
Here’s where things start falling apart:
Dynamic organizations: A user’s permissions can’t be defined by a static role if they inherit access via departments, projects, or org charts that change weekly.
Shared data: Multi-tenant architectures make it dangerous to apply the same role globally, and permissions must be scoped per tenant, project, or environment.
API layers: Data moves through internal APIs, public APIs, and third-party integrations. If your access control isn’t enforced consistently, you’re relying on trust.
Microservices: Each service might enforce authorization differently or not at all. Without a shared policy, your enforcement logic becomes fragmented.
What Is Fine Grained Authorization (FGA)?
Fine grained authorization (FGA) is an access control approach where permissions are determined not just by a user’s role, but by a combination of attributes, relationships, and contextual data. It answers more than just “who are you?”. It asks:
What are you trying to access?
What are you trying to do?
Under what conditions should that be allowed?
Unlike traditional models that rely on fixed roles (RBAC) or just resource ownership (ReBAC), FGA considers multiple data points to make smarter, safer, and more dynamic decisions.
How FGA Works in Practice
Let’s break it down into components:
Roles: What position or function does the subject hold?
Relationships: How is the subject linked to the resource (e.g., owner, teammate)?
Context: What’s happening right now - time, location, device, or action type?
Attributes: Metadata about users or resources, like department, sensitivity level, or subscription tier.
Put together, these factors enable highly specific and enforceable rules. For example:
"Allow a user to view medical records only if they are the patient’s assigned doctor, and they’re accessing from a hospital IP address, during business hours."
That’s FGA in action - layered, dynamic, and secure.
Real-World Examples of Fine-Grained Access Control
Here’s where FGA stands out over coarse-grained models:
Scenario
Why FGA Is Needed
Traditional Approach Falls Short Because…
File system access
Permissions vary by file, folder, and user context (e.g., read-only access to archived files)
RBAC can’t handle folder-level exceptions or temporary access rules
Conditional impersonation
Support agents can impersonate users, but only within their region and non-sensitive contexts
ReBAC can say “you can impersonate,” but not when or how
Tiered entitlements
SaaS users with “Pro” plans can export data and get API access, while “Free” users can only view
Roles alone can’t reflect product entitlements or usage limits
Field-level visibility
HR can see employee names and job titles, but only Finance can view salary
RBAC doesn’t support visibility restrictions at the field or attribute level
AI/LLM access boundaries
AI agents should only access content the invoking user is permitted to see
Context isn’t preserved in role-based systems leading to potential data leaks
FGA isn’t just about security, it’s about precision. It lets you confidently say yes when it’s safe, and no when it’s not, without guessing or over-restricting. And as your product, team, or automation layer scales, that nuance becomes non-negotiable. So let’s look at how FGA works.
How Fine-Grained Authorization Works
At its core, fine-grained authorization (FGA) is about evaluating access based on multiple dimensions and not just “who” someone is, but what they’re doing, what they’re trying to access, and under what conditions.
The Key Elements of a Fine-Grained Policy
Fine-grained authorization operates on four fundamental inputs:
Subjects: These are the entities performing an action, which are commonly users, service accounts, AI agents, or even automation scripts. For example: a support agent, a CI/CD bot, an AI assistant answering customer queries
Resources: The application being accessed. This could be a document, a product, a database row, a UI component, or even a field within a record. For example: a specific user account, a product listing in a multi-tenant database, a salary field in an employee record, etc.
Actions: What the subject is attempting to do in the application. For example: view, edit, delete, transfer, or impersonate
Conditions: Additional context is used to approve or deny access. These are dynamic factors that change depending on the situation. For example: time of day (e.g., business hours only), geo-location (e.g., office IP address), device type (e.g., company-issued laptop), or organizational membership (e.g., only team leads in “Region A”)
Together, these inputs are evaluated by a policy engine like Oso that returns a decision: allow or deny.
Conditions = Dynamic filters like geo-location, time, and org scope
This table shows how access decisions vary not just by subject and resource, but also based on the action attempted and the conditions applied in context.
Models that Enable FGA
Several access control models enable or contribute to fine grained permissions. Here’s how they break down:
1. ABAC – Attribute-Based Access Control
Access is granted based on attributes (tags, labels) of users and resources.
Example: Allow a user with department=Finance to access invoices with region=APAC.
Weaknesses: Can become complex to manage and debug if uncontrolled.
2. ReBAC – Relationship-Based Access Control
Access is based on the relationships between subjects and resources.
Example: Allow users to comment on a project only if they are listed as collaborators.
Strengths: Great for multi-tenant systems and collaborative platforms.
Weaknesses: Doesn’t account for dynamic context (e.g., time, location).
3. Hybrid Authorization (e.g., Oso’s Model)
Combines RBAC, ReBAC, ABAC, AnyBAC into a unified, declarative policy system.
You define roles, model relationships, and layer on attributes and conditions.
Example: “Allow a Collaborator to edit a document if they are assigned, and the document is not archived, and it’s accessed during business hours.”
RBAC vs ABAC vs ReBAC vs FGA
Here’s a quick RBAC vs ABAC vs ReBAC vs FGA comparison to understand how each model stacks up
Feature
RBAC
ABAC
ReBAC
FGA (Hybrid)
Based on roles
✅
❌
❌
✅
Based on attributes
❌
✅
❌
✅
Based on relationships
❌
❌
✅
✅
Contextual conditions
❌
✅
❌
✅
Ideal for microservices
⚠️ Limited
⚠️ Can be hard to maintain
✅
✅
Best for dynamic decisions
❌
✅
⚠️ Not always enough
✅
Example use case
“Admins can edit all”
“Editors in US region only”
“Users in team can comment”
“Assigned editors, in US, during work hours”
What Makes Fine Grained Permissions Hard (and How to Get It Right)
Fine-grained authorization promises powerful, precise access control but it also comes with real challenges. When done wrong, it leads to brittle systems, unscalable policies, and developer frustration. To understand why, let’s break it down.
The Complexity Problem
Fine-grained means more conditions, more rules, more precision. But all of that comes at a cost:
More rules lead to more edge cases: It’s no longer enough to check if someone is an "Admin". You might need to evaluate whether they're accessing a resource in a specific region, during a specific time window, under a certain project tag. That’s a lot more surface area for bugs.
Conditional logic vs. deterministic logic: Role checks are usually binary. You’re either an admin or you’re not. But with FGA, permissions can depend on runtime context. For instance, "A user can view this report if they’re in the same department, and it’s not older than 30 days." These conditions can’t always be cached or assumed, making testing and reasoning harder.
Transient permissions: Time-based or event-driven permissions (e.g. "access valid for 24 hours" or "access granted during incident response") require systems that understand expiry, state, and revocation. Traditional models don’t handle this well, and rolling your own logic is error-prone.
Multiple layers of enforcement: You can’t just enforce permissions at the UI. You need to enforce them at the API layer, database layer, and even in internal automation, each of which might have different enforcement patterns or caching logic.
FGA is powerful, but with power comes complexity. Unless you manage it well, you’ll end up with policies nobody understands and behavior nobody can predict.
The Solution: Central Policy + API Enforcement
The good news? These challenges can be solved with the right architecture.
The key is to decouple policy logic from enforcement logic. That means:
Define your access rules once, using a declarative language in a central policy engine.
Keep your policies versionedand testable, just as you would treat code.
Push enforcement to the edges, but always reference the central policy when making decisions.
This separation allows teams to:
Maintain a single source of truth for all access decisions
Re-use policy logic across services, UI, and tools
Easily update or audit access rules without touching application code
You define the “who, what, when” in a centralized authorization engine. APIs, microservices, UIs, and agents query that logic via API or SDK calls (e.g., isAllowed(user, action, resource)). The authorization engine returns deterministic results based on real context.
All components query the central engine for authorization decisions. This decoupled architecture turns fine-grained authorization from a tangled mess of “if” statements into a maintainable, scalable part of your infrastructure where changes are safe, reviewable, and fast to propagate.
With tools like Oso, you can express complex policies across roles, relationships, attributes, and conditions and enforce them across your stack without rewriting business logic.
Next, let’s look at how Oso makes this practical.
How Oso Makes Fine-Grained Authorization Practical
Fine-grained authorization sounds powerful in theory, but in practice, it’s only useful if your team can implement and maintain it without tearing your app apart. That’s where Oso comes in. It lets you express RBAC, ReBAC, and ABAC all in one consistent, readable language, so you don’t have to pick just one model or rewrite your logic when your access needs evolve.
With Oso, policies are defined in a declarative .polar file that acts as a centralized source of truth for permissions. These policies are:
Reusable: Define access rules once, use them across APIs, services, and UI
Testable: Unit test your policies like any other logic, with clear input/output behavior
Auditable: Review changes to access logic in Git just like you would with code
This means your access model is no longer buried in controller files, YAML, or ad-hoc middleware. It’s structured, versioned, and consistent, ready to scale as your team or product grows.
Oso Cloud Lifecycle
Here is the end-to-end flow of how Oso Cloud makes fine-grained authorization decisions in real-time across your stack:
User or Client Sends a Request: A user (human or machine) interacts with your app: e.g., trying to view a file, delete a project, or run a task.
Application Receives the Request: Your application captures this request and uses the Oso SDK to ask, “Is this user allowed to do this?” oso.authorize(user, action, resource)
Oso SDK Sends an Authorization Check: The SDK sends a query to Oso Cloud, including the actor (who’s asking), the action (what they want to do), the resource (what they want to do it to)
Oso Cloud Loads the Policy and Facts: Oso Cloud retrieves the .polar policy (your declarative access rules) and looks up any required facts (e.g., relationships, roles, attributes)
Rule Evaluation: The engine matches the incoming request (actor, action, resource) against the rules and facts using its logic engine.
Authorization Decision: If rules and context align, then permitted. If not, then Denied.
Response to Application: Oso Cloud returns a simple boolean: True is authorized, False if denied.
Application Responds to User: Your app proceeds accordingly, serves the page or data, or blocks the request with an error or warning.
Here’s a flow diagram explaining the complete flow of the authorization request in Oso Cloud:
How to Start Implementing Fine-Grained Authorization (FGA)
Getting started with FGA doesn’t require a full rewrite. The goal is to bring structure and flexibility to your existing access logic, one layer at a time.
1. Audit Existing Access Logic
Begin by identifying where access decisions currently happen, such as controllers, middleware, and database queries, and where they might be missing or inconsistent. This gives you a baseline for improvement.
2. Define a Base Policy (Start Simple)
Start with clear, role-based, or relationship-based rules on a core resource. You can create the policies in Oso Cloud’s Data tab:
This creates a strong foundation before introducing complexity.
3. Add Attributes and Context
Extend rules with dynamic conditions like region, time, environment, or resource sensitivity in the rules editor. Here’s an example of fine-grained policy in the rules editor of Oso Cloud:
This is where your logic becomes fine-grained.
4. Use Oso as the Policy Engine
Once you have defined your policies, then use Oso SDKs or Oso Cloud to evaluate permissions across APIs, services, or agents without scattering logic everywhere.
5. Enforce at the Query and API Layer
Use built-in helpers like .authorized() with ORMs or apply authorize() calls directly in your backend to ensure data-level enforcement. Here’s an example express API calling authorize() function of the Oso SDK for authorization:
Treat authorization as code. Log denials, test rules, and track coverage so you can catch gaps early and gain visibility into access decisions.
Best Practices for Fine-Grained Authorization
Implementing FGA isn’t just about writing more rules; it’s about designing access logic that’s scalable, maintainable, and transparent. These best practices will help you get there:
1. Centralize Policy Logic
Don’t scatter access checks across files and services. Define policies once (e.g., in .polar or a central engine like Oso Cloud), and enforce them everywhere. This creates a single source of truth.
2. Keep Policies Readable
Write clean, expressive rules. Use meaningful names (e.g., has_role, is_owner), add comments for clarity and stick to consistent patterns across resources. Readable policies are easier to maintain and safer to update.
3. Decouple Policy from Code
Avoid hardcoding logic inside controllers or DB queries. Treat authorization as its own layer, separate from business logic, but deeply connected to it. This unlocks reusability across services and platforms.
4. Add Visibility and Logging Early
Log every denied access attempt, unexpected fallback, or override. This helps you debug faster, detect misconfigurations, and satisfy audit/compliance reviews. You can also add metrics around authorization outcomes (e.g., deny rates, top failing rules).
5. Monitor Edge-Case Failures
Watch for edge cases where rules don’t behave as expected. These often surface in unusual user states (e.g., temporary access), newly added roles or environments, and interactions between automation (bots/agents) and human permissions. Set alerts or write tests for known gotchas.
Policy Engine Triangle
🔺
Policy
/ \
Data -------- Enforcement
Policy: Your declarative rules (e.g., in Polar)
Data: Facts like roles, relationships, attributes
Enforcement: Where you apply the decision (API, DB, UI, etc.)
Access control used to be an afterthought, with a few if-statements here and a couple of roles there. That doesn’t cut it anymore.
With modern, distributed systems, especially those integrating AI and automation, authorization is core infrastructure. It affects everything from security and compliance to developer velocity and user trust. Fine-grained authorization isn’t just about “more” permissions. It’s about better ones that are more specific, more contextual, and more reliable across systems
Start using Oso Cloud to re-architect your stack to get there. Define once. Enforce everywhere. Scale securely.
FAQs
What Is the Difference Between Fine-Grained and Coarse-Grained Access Control?
Fine-grained access control offers detailed, specific permissions to resources or actions, while coarse-grained access control provides broader, less specific access, typically at the module or system level.
What Are the Two Types of Permissions?
The two main types are coarse-grained permissions, which use static roles like “admin,” and fine-grained permissions, which consider roles plus attributes, relationships, and context for more precise control.
What Is an Example of Fine-Grained Authorization?
A user can delete a project only if they created it, belong to the same department, and the project is still active, demonstrating role, relationship, and resource-based conditions.
What Is the Difference Between RBAC and FGA?
RBAC assigns permissions based on predefined roles, while FGA evaluates additional factors like user-resource relationships, attributes, and context to allow or deny access more precisely.
An application with microservices architecture consists of a collection of small, independent services. Each service is self-contained, handling a specific function and communicating with other services through clearly defined APIs. Unlike traditional monolithic applications, which bundle all functionality into one large codebase, microservices allow individual services to be developed, deployed, and scaled independently. Across several large-scale architecture initiatives, I’ve seen how this independence boosts both team productivity and deployment speed.
With that being said, microservices aren’t a silver bullet. I’ve learned (sometimes the hard way) that they introduce a whole new layer of complexity. Without careful planning, these complexities can overshadow the benefits.
In this article, I’ll walk through 13 microservices best practices to get the most out of this investment. We will highlight the importance of maintaining clear service boundaries, using dedicated databases, and employing API gateways to facilitate external interactions.
We’ll also cover the use of containerization and standardized authentication strategies to ensure scalability and security across your services and provide a roadmap to deploy microservices in diverse operational environments effectively.
monolith vs microservices
When should you use microservices?
The microservices architecture has strengths—particularly if you expect your application will scale rapidly or experience varying workloads. This is because it allows precise control over resource allocation and scaling. It’s also useful if you want independent engineering teams to develop and deploy their services without requiring constant cross-team coordination.
Benefits of microservices architecture
Easier development: Each service is responsible for a small slice of business functionality. This enables developers to be productive without requiring them to understand the full architecture.
Faster deployment: Each service is relatively small and simple, making testing and compilation faster.
Greater flexibility: A siloed service allows development teams to choose the tools and languages that enable them to be most productive without affecting other teams.
Improved scalability: You can run more instances of heavily used services or allocate more CPU to computationally intensive services without affecting other services.
Microservices do introduce additional complexity, though. Without careful planning, these complexities can overshadow the benefits. This article will dive into 13 best practices for designing and managing a microservices-based application to ensure you get the most out of the investment. We will highlight the importance of maintaining clear service boundaries, using dedicated databases, and employing API gateways to facilitate external interactions.
Additionally, we’ll cover the use of containerization and standardized authentication strategies to ensure scalability and security across services, providing a roadmap to deploy microservices in diverse operational environments effectively.
1. Follow the single-responsibility principle (SRP)
The single-responsibility principle is a core tenet of microservices development. It states that each microservice should be responsible for one and only one well-defined slice of business logic. In other words, there should be clear and consistent service boundaries. By extension, most bug fixes and features should require changes to only one microservice.
This principle helps your development teams ship code faster by ensuring developers can work independently within their area of expertise.
Features that require collaboration between multiple teams are at higher risk of delay due to technical and organizational issues. When teams can move independently, the likelihood of one team being blocked by another is low, and you can ensure your teams make steady progress.
To highlight this, let’s walk through two scenarios that follow and don’t follow this principle:
Example of Following the Single-Responsibility Principle
A food delivery app splits functionality clearly into separate microservices:
Order management service: Handles order creation, status tracking, and customer notifications
Restaurant service: Manages restaurant details, menus, and availability
Payment service: Handles payments, refunds, and receipts
When the app needs to update the refund logic (e.g., to support new payment gateways), developers only need to update the payment service. As long as the developers don’t modify the API signature of the payment service, the order management or restaurant service won’t be impacted. This allows the payment team to work independently and ship quickly without being blocked by other teams or creating unintended bugs in unrelated parts of the system.
Example of Violating the Single-Responsibility Principle:
Suppose developers added payment processing logic directly into the order management service, thinking it would be simpler or quicker initially. Over time, this microservice becomes increasingly complicated—handling orders, payments, and customer notifications in the same codebase.
When the payments team later needs to implement a new payment gateway, they have to work within the order management code, potentially impacting order functionality. To avoid this, they must now coordinate closely with the order management team, causing delays in software development cycles. A change intended only for payments could accidentally break order tracking or notifications, causing confusion and disruption to multiple parts of the business.
2. Do not share databases between services
To follow microservices database best practices, services should not share data stores. Sharing databases between services can be tempting to reduce operational overhead, but sharing databases can make it harder to follow the single responsibility principle and make independent scaling more difficult.
If two services share one PostgreSQL deployment, it becomes tempting to have the two services communicate directly via the database. One service can just read the other’s data from the shared database, right? This issue is that this creates tight coupling, because schema changes in the database now affect both services.
Using an API allows developers to make changes to a service as needed without fear of affecting any other service. As long as what’s returned in the API doesn’t change, consumers of the service don’t need to worry about its implementation details. Now let’s assume you didn’t use an API and any consumer can pull your data from the database directly. If you decide that you need to change the shape of the data or modify the database, you now need to coordinate with any team who’s accessing that database. That coordination might be doable if you know who’s accessing your database, but sometimes it’s hard to keep track of who’s using your data and for what reason. Even if you were able to coordinate across team for your database change, you’re defeating the entire purpose of building microservices.
Expert Insight:
While the recommended best practice is for each microservice to have its own database to prevent tight coupling, there might be specific contexts—such as closely related services within a single bounded context—where limited database sharing is acceptable. For instance, if you have both “User Management” and “Account Management” microservices that deal with overlapping user data, you could justify a shared database to reduce duplication—provided you maintain strict separation at the schema or namespace level.If choosing to share, ensure clear logical separation (such as schemas or namespaces) and strict enforcement of data access to maintain clear service boundaries and data integrity.
Sometimes, smaller teams (or teams migrating from a monolith) start with a shared database for convenience and use separate schemas/tables for each microservice. However, this is generally seen as a transitional approach. As microservices mature, most teams push toward isolating each service’s data.
3. Clearly define Data Transfer Object (DTO) usage
Data Transfer Objects (DTOs) are used to send data between services. Using clearly defined DTOs makes communication between services easier, keeps services loosely coupled, and simplifies version management.
To achieve this:
Separate your internal domain models from external DTOs.
Doing this prevents tight coupling between your internal structures and your external APIs. That way, you can change your internal data structures without needing to update your APIs every time.
Clearly define your DTO contracts.
Contracts are explicit schemas that clearly state the data format and content. Tools such as OpenAPI or Protocol Buffers can help you create these schemas, which improve clarity, simplify data validation, and make team collaboration easier.
Version your DTOs carefully.
Whenever the structure of your data significantly changes, create a new DTO version. This approach allows dependent services to adapt gradually, preventing breaks in existing functionality. It's important to note that if multiple services share the same database, DTO versioning becomes difficult.
4. Use centralized observability tools
Centralized observability tools are crucial for monitoring and troubleshooting microservices. These tools ensure that logs and events from all your services are accessible in a single location. Having your logs in one place means you don’t need to stitch together data from multiple logging services. This simplifies the identification and resolution of issues during continuous integration and the deployment process.
Centralized tools such as Amazon CloudWatch, HyperDX, or Honeycomb are popular choices. These tools also provide distributed tracing with correlation IDs, which greatly enhances observability. Tracing enables you to track requests end-to-end across multiple services, facilitating faster and more precise troubleshooting.
Example: Let's say you're trying to identify the root cause of a performance spike in your system. You notice that messages in your queue are taking longer to process. As the queue grows, upstream services start experiencing timeouts, creating a feedback loop where delays further worsen the backlog. By using a centralized logging system, you can quickly visualize relationships between queues in one service and timeouts in another. This top-down view makes it easy to pinpoint the root cause, accelerating resolutions.
At first glance, centralizing observability data might appear to clash with not sharing databases across microservices. However, databases should remain independent to maintain loose coupling and avoid tight interdependencies. Observability data, meanwhile, is write-only and should be consolidated to provide a holistic view of your entire service.
Expert Insight: Internally with my team, I talk about the topic of “shared concerns” in distributed software development - notions that span service boundaries in decomposed applications.
System health is one of those. Even though you’ve broken your app up into multiple services, it’s still one app and its health is a composite property. Centralizing the observability allows you to view system health in composite rather than having to stitch it together yourself from separate service-level observability systems.
Authorization is another shared concern. You can split your authorization logic up across services, but there’s still one policy. My access to a file might depend on my global role in the org, my position on a team, the folder that contains the file, whether I’m currently on shift, etc. That could span 2 or 3 services. We’ll touch on this next.
Authorization rules often require data from multiple different services. For example, a basic question like "can this user edit this document?" may depend on the user's team and role from a user service, and the folder hierarchy of the file from a document service.
Leave data where it is. Each service is responsible for authorization in its domain. For example, a documents service is responsible for determining whether a given user is allowed to edit a document. If it needs data from a user service, it gets it through an API call.
Use a gateway to attach the data to all requests. The API gateway decodes a user's roles and permissions from a JWT, and that data is sent along with every access request to every microservice. For example, the documents service receives a request which indicates that the given user is an admin, so they are allowed to edit any document.
Centralize authorization data. Create an authorization service that is responsible for determining whether a user can perform an action on a resource. Add any data that is needed to answer authorization questions to the service.
At Oso, we recently launched support for a new pattern: local authorization. With local authorization, there is still a centralized authorization service that stores the authorization logic, but it no longer needs to store the authorization data.
Each approach comes with tradeoffs. Letting each single service in your microservices architecture be responsible for authorization in its own domain can be better for simpler applications. Applications that only rely on role-based access control can do well with the API gateway approach. Centralizing authorization data can take substantial upfront work, but can be much better for applications with complex authorization models.
6. Use an API gateway for HTTP
An API gateway acts as a single point of entry for external HTTP requests to your microservices. It simplifies interactions by providing a clean, consistent interface for web and mobile apps, hiding the complexity of your backend services.
Use your API gateway to route external requests to the correct microservices. It should manage authentication and authorization to secure interactions. It also handles HTTP logging for easier monitoring and troubleshooting. Finally, it applies rate-limiting to protect your services from excessive load.
Avoid using the API gateway for internal microservice-to-microservice communication. That is best handled by direct service calls or a service mesh.
Expert Insight:
I use an API Gateway primarily to abstract external requests. For example, mapping endpoints like myapp.com/users to my user service, while enforcing authentication, rate-limiting, and logging. Internal calls between microservices don't need to go through the gateway; instead, communicate directly or via a service mesh.
7. Use the right communication protocol between services
Use the right communication protocols for interactions between your microservices. API gateways are suitable for external access, but internally, choose protocols that match your specific needs.
HTTP/REST is ideal for synchronous communication. It is simple, widely supported, and easy to implement, making it perfect for typical request-response scenarios like fetching user profiles.
For efficient, high-performance communication, consider using gRPC. It supports binary communication with automatic schema validation and code generation. This makes gRPC particularly suitable for internal services that need rapid data transfer or streaming, such as log streaming or handling large datasets.
Message queues, like Kafka or RabbitMQ, are excellent for asynchronous communication. Publishers send messages to the queue, and subscribers listen for new messages in the queue and process them accordingly. This helps decouple services, enabling each service to process messages at its own pace. Message queues effectively manage backpressure. They are especially useful in event-driven architectures and real-time processing scenarios, like order processing workflows.
Expert Insight: Use message queues when strong decoupling and scalability are priorities. If your primary concern is quickly transferring large amounts of data, then gRPC is typically the better choice.
8. Adopt a consistent authentication strategy
Authentication can be tricky in a microservices architecture. Not only do services need to authenticate the users that are making requests, they also need to authenticate with other services if they are communicating with those services directly.
If you are using an API gateway, your API gateway should handle authenticating users. JSON web tokens (JWTs) are a common pattern for authentication in HTTP. You can also use access tokens (which are very common in microservices security), but you would need an access token service.
If your microservices communicate with each other via HTTP or some other protocol that doesn't explicitly require authentication, you should also ensure services authenticate requests to ensure requests are coming from other services, not potentially malicious users.
9. Use containers and a container orchestration framework
Each instance of a service should be deployed as a container. Containers ensure services are isolated and allow you to constrain the CPU and memory that a service uses. Containers also provide a way to consistently build and deploy services within a microservices architecture regardless of which language they are written in.
Orchestration frameworks make it easier to manage containers in complex software development environments . They let you easily deploy new services, and increase or decrease the number of instances of a service. Kubernetes has long been the de facto container orchestrator, but managed offerings like ECS on Fargate and Google Cloud Run enable you to easily deploy your microservices architecture to a cloud provider’s infrastructure with much less complexity. They provide UIs and CLIs to help you manage and monitor all your microservices. Container orchestration frameworks give you a lot of logging, monitoring, and deployment tools, which can substantially reduce the complexity of deploying microservices architectures.
10. Run health checks on your services
To better support centralized monitoring and orchestration frameworks, each service should have a health check that returns the high-level health of the service. For example, a /status or /health HTTP API endpoint might return whether the service is responsive. A health check client then periodically runs the health check, and triggers alerts if a service is down.
Health checks help monitoring and alerting. You can see the health of all your microservices on one screen and receive alerts if a service is unhealthy. Combined with patterns like a service registry, health checks can enable your architecture to avoid sending requests to unhealthy services.
11. Maintain consistent practices across your microservices
The biggest misconception about a microservices architecture is that each service can do whatever it wants. While hypothetically true, microservices require consistent practices to remain effective. Some, like the single responsibility principle, apply to all microservices architectures. Others, like how to handle authorization, may vary between implementations, but should be consistent within a given microservices architecture. For example, if you decide each microservice is responsible for updating a centralized authorization service, you need to carefully ensure that every microservice is sending updates and authorization requests to that service. Similarly, each microservice should log using a consistent format to all your architecture’s log sinks, and define a consistent health check that ties in to your orchestration framework.
Ensuring that every service abides by your microservices architecture's best practices will help your team experience the benefits of microservices and avoid potential pitfalls.
12. Apply resiliency and reliability patterns
There are several microservices security patterns you can use that minimize the impact of failures and maintain system stability.
Circuit Breaker Pattern
The Circuit Breaker pattern helps prevent cascading failures by temporarily stopping requests to backend services that are failing or slow. Common tools like Resilience4j or Polly can handle this automatically, ensuring that one faulty service doesn’t disrupt your entire system.
Retry Mechanisms
A Retry Mechanism automatically retries failed operations, usually employing exponential backoff. This is especially useful for handling temporary issues such as network glitches or brief outages without manual intervention.
Bulkhead Isolation
Bulkhead Isolation is another important secure microservices technique. It allocates dedicated resources to individual services, ensuring that if one service becomes overloaded or fails, it won’t negatively impact other services. This isolation keeps your system stable even during unexpected issues.
Timeouts and Fallbacks
Finally, implement clear Timeouts and Fallbacks to define how long services should wait for responses and what alternative responses should be provided when delays or errors occur. This ensures users experience graceful degradation rather than complete failure.
13. Ensure idempotency of microservices operations
You only want to implement retries if your operations are idempotent. An idempotent service is one where performing the same operation multiple times will always produce the same result. Without idempotency, retries can result in unintended side effects like duplicated transactions or inconsistent data.
One way to achieve idempotency is by using idempotency keys. These are unique identifiers attached to each operation. These keys allows services to recognize and safely ignore duplicate operations. When coupled with a message queue like RabbitMQ, this can be a great way to prevent duplicate operations.
For example, consider an order-processing service that receives multiple “Create Order” messages due to network retries. By including an idempotency key, the service can recognize and discard repeated messages, ensuring the order is created only once.
Conclusion
Throughout this guide, we’ve explored key best practices that make microservices manageable and resilient in production. From following the Single Responsibility Principle to ensuring Idempotency in operations, each practice exists to protect the independent nature that makes a microservices architecture so easy to scale.
But microservices isn’t just about splitting things into smaller parts. Shift your mindset to viewing your system as an interconnected whole. Your goal is to coordinate this system across teams, applications, and environments.
Done wrong, microservices can create more complexity than they solve. But done right, teams can iterate faster and have fewer cross-team dependencies. Treat these best practices not as rigid rules, but as guardrails. Use them to guide decisions and keep services loosely coupled.
FAQ: Implementing and managing microservices
1. How to create microservices?
Creating microservices involves designing small, isolated services that communicate over well-defined APIs. Each microservice should be developed around a single business function, using the technology stack that best suits its requirements. Ensure that each microservice has its own database to avoid data coupling and maintain a decentralized data management approach, following microservices database best practices.
2. How to implement microservices?
Implementing microservices involves breaking down an application into small, independently deployable services, each responsible for a specific function. Start by defining clear service boundaries based on business capabilities, ensuring each microservice adheres to the Single Responsibility Principle. Use containers for consistent deployment environments and orchestrate them with tools like Kubernetes or ECS on Fargate for managing their lifecycle.
3. How to deploy microservices?
Deploying in a microservices architecture effectively requires a combination of containerization and an appropriate orchestration platform. Containers encapsulate the microservice in a lightweight, portable environment, making them ideal for consistent deployments across different infrastructures. Use orchestration tools like Kubernetes to automate deployment, scaling, and management of your containerized microservices, ensuring they are monitored, maintain performance standards, and can be scaled dynamically in response to varying loads.
4. How to secure microservices?
Securing microservices requires implementing robust authentication and authorization strategies to manage access to services and data. Utilize API gateways to handle external requests securely and ensure internal communications are authenticated using standards like JSON Web Tokens (JWTs). Adopt authorization models that manage permissions effectively across different services without compromising the scalability and independence of each microservice.
Attribute-based Access Control (ABAC for short) is a pattern for determining whether a user is authorized to perform a certain action based on attributes associated with the actor or the subject of the action.
ABAC is a broad pattern that is a superset of many other authorization patterns, like role-based access control (RBAC) and relationship-based access control (ReBAC). Both RBAC roles and ReBAC relationships can be thought of as attributes of the actor and the subject.
In this blog post, you will learn what ABAC is, the differences between ABAC and other access control models, and how you can implement ABAC with Oso Cloud.
How does ABAC use attributes to express access control rules?
Authorization can be represented as a question: does the given actor have permission to perform a certain action on a given resource. An attribute is any property that is associated with the actor, the action, or the resource. You can think of an attribute as a column in a SQL database.
For example, consider GitHub repositories. Repositories have an is_public attribute: if a repository is public, any actor can read the repository. Users have an is_copilot_subscriber attribute: if a user has a paid subscription, they can access GitHub copilot. These are both examples of attribute based access control policies.
What are the differences between ABAC vs RBAC?
ABAC is a broad, almost vague pattern that encompasses just about any authorization pattern. RBAC can be represented as a subset of ABAC where the only attribute you consider is the actor’s role. When you’re building a new app, you’re more likely to use RBAC than ABAC when you first introduce authorization. Because roles are easier to compose and easier to reason about, particularly when they line up with real world job titles and roles.
At Oso we believe that the standardized nomenclature the industry has ascribed to authorization is limiting. Firstly, ABAC, RBAC and ReBAC are all related. The higher order models are like Russian dolls, subsets of different types of access control patterns, and also subsets of each other. ABAC encompasses all access control models effectively (“Anything can be expressed as an attribute!”); ReBAC is a subset of ABAC; and RBAC is a subset of ReBAC.
Authorization Patterns as Russian Dolls
Additionally, when you’re implementing access control, you’re often implementing a pattern which is a subset of RBAC, ABAC or ReBAC. At Oso, we’ve documented ten of the most common types of access control that we’ve seen with our customers.
How do I implement ABAC?
Oso Cloud has several neat features that can help you implement ABAC. If you haven't already, create a free Oso Cloud account and log in. For the purposes of this tutorial, we will have one type of actor, a User, and one type of resource, a Repository. Below is how we can represent these entities in Polar, Oso's declarative authorization language.
Let's add an is_public attribute to repositories, and a rule that says users can read repositories that are public.
Navigate to Oso Cloud's "Explain" tab, which lets you simulate authorization queries. By default, the user Bob can't read the repository website because the repository website does not have is_public set.
In Oso Cloud, facts are how you represent authorization data, including ABAC attributes. You can represent whether a repository is public as a fact. Navigate to the "Data" tab in the Oso Cloud UI, and add a new fact that indicates that the repository website has is_public set to true.
Now, navigate back to Oso Cloud's "Explain" tab. Now that the repository website has is_public set to true, Oso Cloud can infer that the user Bob can read the repository website.
The “users can read public repositories” rule is an example of the “Attribute checks” pattern from Oso’s 10 Types of Authorization blog post. Another ABAC pattern from that blog post is called “Attribute add-ons”, which mixes ABAC patterns with RBAC and ReBAC. For example, the following rule tells Oso that “users can write public repositories if they have the member role.”
What is an example of ABAC in practice?
One of the most common places developers see ABAC in practice is AWS ABAC, which allows developers to write authorization rules for AWS resources using AWS' custom syntax. AWS ABAC is an example of the “Custom policies” pattern from Oso’s 10 Types of Authorization blog post because it allows developers to define arbitrary policies.
For example, the following JSON defines an AWS policy that allows actors (AWS calls actors principals) with tag "project" to invoke Lambda functions with tag "project". In this case, a tag is an attribute on both actors and resources.
The example shows why ABAC is such a blanket definition. Rename “tag” to “role” and the same logic still works: actors with role “admin” can invoke any Lambda function with tag “project”. So this AWS ABAC example can be represented as a mix of RBAC and ABAC.
RBAC and ABAC are two of the most popular authorization patterns. ABAC is more powerful and flexible, but RBAC is similar and easier to work with. With Oso Cloud, you don't have to chose between RBAC and ABAC: Oso Cloud makes it easy to implement both when you need to. So sign up for Oso Cloud.
When building applications with user permissions, Role-Based Access Control (RBAC) provides a structured way to define who can perform specific actions. Instead of scattering authorization logic throughout your codebase, RBAC organizes permissions into roles that determine access across different parts of an application. This guide walks through implementing RBAC in a Node.js application using Oso Cloud.
It covers defining role-based rules, and filtering data based on user roles. Whether managing organizational roles, resource-specific roles, or cross-organization access, this approach ensures consistent authorization decisions across your system.
What is Role-Based Access Control (RBAC) in Node.js?
Roles are a common way to simplify authorization logic for engineers and users. Authorization logic that’s based on roles is called “role-based access control."
A role is a way to group permissions. When a user is assigned a role, the user gets every permission that the role has.
A permission is an action that a user can take on a resource. For example, we might say that a user in an organization has permission to read repositories.
There are a number of variations on role-based access to allow for more flexible groupings of permissions, like:
Oso’s Node SDK provides tools for defining and enforcing RBAC policies. It supports declarative policy definitions and integrates with existing applications. Oso can be used for new implementations or to enhance existing authorization systems.
For detailed implementation guidance, refer to the Node SDK documentation.
4 reasons to build RBAC in Node with Oso:
1. Oso Cloud is fully-managed and deployed across multiple regions for low-latency and high availability. 2. Oso Cloud comes out of the box with primitives for role-based access control (RBAC). It also includes built-ins for other access control models like relationship-based access control (ReBAC) or attribute-based access control (ABAC).
3. You provide Oso Cloud with the requisite authorization data, then your RBAC policy operates that data to make authorization decisions at runtime. 4. Oso can provide yes/no authorization decisions, as well as filter lists of data.
Express RBAC in Node with Oso Cloud
To authorize whether a user has the role required to perform an action on a resource, call Oso in your controller.
// This will return `false` if the current user does not// have access to the Repository that they're trying to readconst user = {id: User.getCurrentUser(), type: "User"};
const repo = {id: repoName, type: "Repository"};
await oso.authorize(user, "read", repo);
You’ll also write an Oso policy—that is, a set of rules—to implement role-based authorization. Here, we’ll show a policy for an app for source code hosting like GitHub or GitLab.
In this policy, users may or may not be able to read or make changes to a repository, depending on whether they’re members or owners. That means we need authorization based on users’ roles.
actor User {}
resource Organization {
roles = ["owner"];
}
resource Repository {
permissions = ["read", "push"];
roles = ["contributor", "maintainer"];
relations = { parent: Organization };
# An actor has the "read" permission if they have the "contributor" role."read"if"contributor";
# An actor has the "push" permission if they have the "maintainer" role."push"if"maintainer";
# An actor has the "contributor" role if they have the "maintainer" role."contributor"if"maintainer";
# An actor has the "maintainer" role if they have the "owner" role on the # "parent" Organization."maintainer"if"owner" on "parent";
}
For a guide on other authorization models, such as ReBAC or ABAC, check out our authorization modeling guide covering roles, hierarchies, groups, and other patterns.
Filter data based on a user’s role
Your app needs to be able to return all the repos that a user can see based on their role and any other relevant criteria. To do this we can use the list method.
Here's that in the Node app again:
const user = {id: User.getCurrentUser(), type: "User"};
let repos = await oso.list(user, "read", "Repository");
Learn how to implement authorization in Node.js
Key steps for implementing authorization in Node.js is as below:
1. Setting up your project with the necessary packages (such as the Oso Cloud Node SDK);
2. Defining policies and mapping roles to permissions;
3. Integrating authorization checks into route handlers or middleware;
4. Filtering data based on assigned roles; and
5. Testing and debugging the authorization logic.
Learn more about RBAC concepts, architecture, and best practices
We've written an Authorization Academy to help you get started with RBAC and other authorization topics. The guide is language and technology-agnostic and covers industry-standard authorization concepts. Learn:
b. Common access control models like role-based access control (RBAC) and relationship-based access control (ReBAC) – like when to use them and how to implement them.
This guide has examined the implementation of Role-Based Access Control in a Node.js environment using Oso Cloud.
It outlined the process of defining roles and permissions, integrating authorization checks into Node code, and filtering data based on user roles. Additional resources, including the Node SDK documentation and the Authorization Academy, offer further insights into alternative access control models and architectural considerations for authorization.
You can implement ReBAC and ABAC as well in Node.js with Oso Cloud. Check out the following sources to learn how:
Join the community of thousands of developers in the Oso Slack (including many Node devs!) or feel free to set up a 1x1 with an Oso engineer to learn more about RBAC in Node, Oso Cloud, or just authorization in general. We'd love to talk about what you're working on and answer any questions you have.
Zanzibar is Google's purpose-built authorization system. It's a centralized authorization database built to take authorization queries from high-traffic apps and return authorization decisions. An instance of Zanzibar hosts a list of permissions and responds to queries from many apps. Google published a paper on their global authorization system that they presented at 2019 USENIX Annual Technical Conference and it has since become a popular resource for developers who are building authorization services.
A Zanzibar instance is made up of a cluster of servers, a distributed SQL database, an indexing system, a snapshotting system, and a periodic jobs system.
This blog covers why Zanzibar was built and how it tackles the challenges of scaling authorization decisions, handling billions of objects, and ensuring low-latency, error-free results. Developers will learn about its architecture, including caching, replication, and consistency strategies, as well as the benefits and potential challenges of using a centralized authorization system, along with alternative services to such systems.
Abhishek Parmar, the creator of Google Zanzibar, is a technical advisor to Oso. Abhishek led the design, implementation and rollout of this service that is now used by Google's consumer and enterprise products.
You can read more about his work and perspective in this interview.
Why did Google develop Zanzibar for access control?
Google has many high-traffic apps, like Search, Docs, Sheets, and Gmail. Google accounts are shared between those systems, so authorization decisions (that is, what actions a Google account can take) need to be coordinated. These apps operate at huge scales, so constant inter-service communication isn't practical. Their authorization system needs to handle billions of objects shared by billions of users and needs to return results with very low latency. Also, their system needs to handle filtering questions, like "what documents can this user see?"
In short, their authorization system needs to be:
a. Error-free. An incorrect authorization decision might let someone see a document that wasn't meant for their eyes.
b. Fast. All other apps will be waiting on authorization decisions from Zanzibar. Google's target was <10ms per query.
c. Highly available. Authorization must be at least as available as the apps that depend on it.
d. High-throughput. Google handles billions of queries per day.
To learn more about Google Zanzibar permissions, read our interview with Abhishek Parmar, co-creator of Google Zanzibar.
How does Google Zanzibar solve for authorization?
Correctness
Zanzibar limits both user errors and system errors. To quote one of the designers, Lea Kissner, "The semantics in Zanzibar are very carefully designed to try and make it very difficult for you to shoot yourself in the foot." For a resource like a git repository, Zanzibar's API exposes who can see (or edit/delete/act upon) that repository, why they can see it, and how to stop it from being seen.
Zanzibar also limits system errors. Zanzibar authorization is a distributed system, which means it takes time to propagate new permissions. To avoid data staleness, Zanzibar stores permissions in Google's Spanner database. Spanner provides strong consistency guarantees, so Zanzibar never applies old permissions to new content.
Speed and availability
Zanzibar uses several tricks to reduce latency. First, it uses several layers of caching. The outermost cache layer is Leopard, an indexing system built to respond quickly to authorization checks. Then, read requests are cached across the servers that store permissions. Also, calls between services inside Zanzibar are cached.
Secondly, Zanzibar replicates data to move it closer to its physical access point. This system works like a CDN—Google maintains many instances of Zanzibar throughout the world.
On top of that, Zanzibar relies on some hand-tuning. In any authorization policy, some common permissions are used far more often than others. Zanzibar's team hand-tunes these hot spots, for instance by enabling cache prefetching.
Scale
With Zanzibar's replication and caching, it can store trillions of access control rules and handle millions of requests per second.
What does Google Zanzibar do well?
Zanzibar is a centralized source of authorization decisions. That can be a useful approach for two reasons. First, it is a single source of truth. Each of your services can call Zanzibar and get a "yes" or "no" answer in response, and those answers are consistent between services. Second, each of those services calls the same API, which makes it easier to use across many services.
Zanzibar also supports reverse indexing (also known as data filtering). This means that after assigning a user many individual permissions, you can also ask, "what resources does this user have access to?" This is a common authorization request (e.g., for list endpoints). It's also useful for maintaining and debugging access controls.
What doesn't Google Zanzibar do?
A Zanzibar-like solution requires centralizing all authorization data in the solution. This includes obvious things like roles, but it also encompasses org charts, file and folder hierarchies, document creators - anything you may ever use in an authorization query. The problem is that you also need that data in your application, so you have to duplicate it between the two. Google has the culture to impose this requirement and the resources to support it, but most companies don’t. We talk about our own experiences with data centralization and how we relieve this tension in our post on Local Authorization.
The overlap between application data and authorization data
Zanzibar provides few abstractions to work with. Its authorization logic is a flat list of access controls. You can define relationships between users and resources, but you can't use properties of resources (like public/private switches) to make authorization decisions. It’s up to you to work out how to represent whatever authorization model you may have as a set of relationships. Google's engineers recommend that you use a policy engine alongside Zanzibar to close the gap.
Finally, Zanzibar is a major technical investment. Building your own Zanzibar takes at least a year of effort from a dedicated team. Airbnb's Himeji (a Zanzibar-alike) took more than a year of engineering work from a dedicated team.
Using Zanzibar also takes engineering effort. At Google, the service is supported by a full-time team of engineers, plus several engineers from each service that uses Zanzibar. Most apps that use Zanzibar-like systems require hand-tuning to avoid hot spots.
Looking for an authorization service?
Engineering teams are increasingly adopting services for core infrastructure components, and this applies to authorization too. There are a number of authorization-as-a-service options available to those who want something like what Google made available to its internal engineers via Zanzibar.
Oso Cloud is a managed authorization service that provides the benefits of Zanzibar while filling in a number of Zanzibar’s gaps. You use Oso Cloud to provide fine-grained access to resources in your app, to define deep permission hierarchies, and to share access control logic between multiple services in your backend.
Oso is built for application authorization. It comes with built-in primitives for patterns like RBAC and ReBAC, and it is extensible for other use cases like attribute-based access control (ABAC). It is built using a best practices data model that makes authorization requests fast and ensures that you don’t need to make schema changes to make authorization changes. It provides APIs for enforcement and data filtering. Oso Cloud is also deployed globally for high availability and low-latency.
Fun fact: Abhishek Parmar, one of the co-creators of Google Zanzibar and Airbnb Himeji, is a technical advisor to the Oso engineering team.
Oso Cloud is free to get started – try it out. If you’d like to learn more about Oso Cloud or ask questions about authorization more broadly, come say hi to us on Slack.
When building applications with user permissions, Role-Based Access Control (RBAC) provides a structured way to define who can perform specific actions. Instead of scattering authorization logic throughout your codebase, RBAC organizes permissions into roles that determine access across different parts of an application. This guide walks through implementing RBAC in a Golang application using Oso Cloud.
It covers defining role-based rules, and filtering data based on user roles. Whether managing organizational roles, resource-specific roles, or cross-organization access, this approach ensures consistent authorization decisions across your system.
What is Role-Based Access Control (RBAC) in Golang?
Roles are a common way to simplify authorization logic for engineers and users. Authorization logic that’s based on roles is called “role-based access control.” It allows access control decisions to be based on predefined roles rather than individual users.
Authentication vs. Authorization
Before diving deeper into RBAC, it's important to distinguish between authentication and authorization:
a. Authentication verifies a user’s identity (e.g., logging in with a username and password, using OAuth, or biometric authentication). Most developers integrate third-party authentication providers (e.g., OAuth, OpenID Connect) rather than building authentication from scratch.
b. Authorization determines what a user is allowed to do after authentication. Unlike authentication, developers often implement authorization logic in-house, as it can be tightly coupled with business rules.
Why is RBAC needed?
Without RBAC, managing permissions in an application can become complex and error-prone, especially as the number of users and resources grows. Hardcoding permissions or managing them on a per-user basis leads to security risks and maintenance challenges. RBAC addresses these issues by:
Providing a structured way to group permissions under roles, reducing duplication.
Making it easier to modify access rules without changing application code.
Improving security by ensuring least privilege access.
For example, in a SaaS application, RBAC can help:
Restrict access to admin panels to only users with an "admin" role.
Control API endpoints so that only users with the "developer" role can modify application settings.
Protect databases, allowing only "database administrators" to execute ALTER statements.
Common RBAC concepts
Roles: A role is a way to group permissions. When a user is assigned a role, the user gets every permission that the role has. Some examples of roles are: `admin`, `editor`, `viewer`.
Permissions: A permission is an action that a user can take on a resource. For example, we might say that a user in an organization has permission to `read` repositories.
Policies: A policy defines how roles and permissions interact. For example, we might say an `admin` role has `delete` permission on all resources.
There are a number of variations on role-based access to allow for more flexible groupings of permissions, like:
When implementing RBAC in Golang, developers have two main options: building RBAC in-house (DIY) or using a third-party authorization service like Oso Cloud.
Challenges of DIY RBAC
Manually implementing RBAC often starts simple—storing roles and permissions in a database—but quickly becomes complex as requirements grow:
a. Scalability issues – Managing permissions across multiple microservices or tenants becomes difficult.
b. Policy changes require code updates – Hardcoded permissions lead to frequent deployments.
c. Difficult to extend – Adding fine-grained controls (e.g., resource-based permissions, hierarchical roles) increases complexity.
d. Security risks – Maintaining audit logs and preventing privilege escalation requires extra effort.
DIY vs. third-party authorization service
a. Setup: DIY requires custom role structures, databases, and enforcement logic. Authorization services provide prebuilt policies and integrations.
b. Scalability: Every time you add a new type of authorization logic to a DIY system, you have to build it yourself. Services handle things like hierarchy and multi-tenancy automatically.
c. Security: DIY needs manual audits and debugging. Services offer built-in validation (logging, auditing, etc.) and reduce misconfigurations.
d. Performance: DIY relies on database queries. Services use optimized, low-latency authorization checks.
e. Flexibility: DIY only supports what you build. Services support RBAC, ReBAC, and hybrid models.
Declarative RBAC policies – Define roles and permissions without modifying application code.
Hybrid models – Supports RBAC + ReBAC + ABAC, enabling fine-grained, relationship and attribute based access.
Centralized management – Enforce consistent authorization across services and teams in microservices architectures.
For teams that need more than basic role checks—such as cross-organization roles or hierarchical permissions—Oso Cloud offers a scalable alternative to DIY solutions. Let's dive into it.
Oso Cloud is an authorization service for building RBAC in Go
a. Oso Cloud is fully-managed and deployed across multiple regions for low-latency and high availability
b. Oso Cloud comes out of the box with primitives for role-based access control (RBAC). It also includes built-ins for other access control models like relationship-based access control (ReBAC) or attribute-based access control (ABAC).
c. You provide Oso Cloud with the requisite authorization data, then your RBAC policy operates over that data to make authorization decisions at runtime.
d. Oso can provide yes/no authorization decisions, as well as filter lists of data.
Express RBAC in Go with Oso Cloud
To authorize whether a user has the role required to perform an action on a resource, call Oso in your controller.
// This will return `false` if the current user does not// have access to the Repository that they're trying to readuser := NewValue("User", GetCurrentUser())
repo := NewValue("Repository", repoName)
oso.Authorize(user, "read", repo)
You’ll also write an Oso policy—that is, a set of rules—to implement role-based authorization. Here, we’ll show a policy for an app for source code hosting like GitHub or GitLab.
In this policy, users may or may not be able to read or make changes to a repository, depending on whether they’re members or owners. That means we need authorization based on users’ roles.
actor User {}
resource Organization {
roles = ["owner"];
}
resource Repository {
permissions = ["read", "push"];
roles = ["contributor", "maintainer"];
relations = { parent: Organization };
# An actor has the "read" permission if they have the "contributor" role."read"if"contributor";
# An actor has the "push" permission if they have the "maintainer" role."push"if"maintainer";
# An actor has the "contributor" role if they have the "maintainer" role."contributor"if"maintainer";
# An actor has the "maintainer" role if they have the "owner" role on # the "parent" Organization."maintainer"if"owner" on "parent";
}
For a detailed guide on RBAC concepts, read our technology-agnostic Authorization Academy.
Oso isn’t limited to Role-based access control. It comes with primitives for other common access control models, like Relationship-based access control, or ReBAC. For a guide on other authorization patterns, take a look at our guide on authorization modeling covering roles, hierarchies, groups, and other patterns.
Filter data based on a user’s role
Your app needs to be able to return all the repos that a user can see based on their role and any other relevant criteria. To do this we can use the list method.
Here's that in the Go app again:
user := NewValue("User", GetCurrentUser())
repos, err := oso.List(user, "read", "Repository")
Learn how to implement authorization in Go
To implement authorization in Go using Oso, start by installing the Oso Go SDK (go get github.com/osohq/go-oso-cloud/v2).
Define roles and permissions using the declarative Polar language, such as granting "admin" users permission to edit documents. Once your policies are defined, load them into your Go app and enforce authorization checks to determine if a user can perform an action.
Learn more about RBAC concepts, architecture, and best practices
We've written the Authorization Academy to help you get started with RBAC and other authorization topics. The guide is language and technology-agnostic and covers industry-standard authorization concepts. Learn:
b. Common access control models like role-based access control (RBAC) and relationship-based access control (ReBAC) – like when to use them and how to implement them.
Join the community of thousands of developers in the Oso Slack (including many Gophers!) and feel free to set up a 1x1 with an Oso engineer to learn more about RBAC in Go, Oso Cloud, or just authorization in general. We'd love to talk about what you're working on and answer any questions you have.
When building applications with user permissions, Role-Based Access Control (RBAC) provides a structured way to define who can perform specific actions. Instead of scattering authorization logic throughout your codebase, RBAC organizes permissions into roles that determine access across different parts of an application. This guide walks through implementing RBAC in a Python application using Oso Cloud.
It covers defining role-based rules, and filtering data based on user roles. Whether managing organizational roles, resource-specific roles, or cross-organization access, this approach ensures consistent authorization decisions across your system.
What is Role-Based Access Control (RBAC) in Python?
Roles are a common way to simplify authorization logic for engineers and users. Authorization logic that’s based on roles is called “role-based access control.”
A role is a way to group permissions. When a user is assigned a role, the user gets every permission that the role has.
A permission is an action that a user can take on a resource. For example, we might say that a user in an organization has permission to read repositories.
There are a number of variations on role-based access to allow for more flexible groupings of permissions, like:
To implement RBAC in Python, you can use either built-in logic or third-party libraries
Built-in logic approaches:
a. Using Python classes – Create a Role class and a User class to manage roles and permissions.
b. RBAC with JSON for configurable roles – Store roles and permissions in a JSON file, allowing dynamic updates without modifying the code.
c. RBAC with a SQL database – Store roles and permissions in an SQL database for easy querying.
d. RBAC with environment variables – Configure permissions dynamically in serverless functions or cloud environments.
Third-party libraries:
a. Flask-Principal – For managing RBAC in Flask applications.
b. Oso – A declarative authorization framework.
Why use RBAC in Python?
RBAC in Python centralizes permission management by assigning roles to users instead of handling individual permissions. This approach reduces complexity and ensures consistent access control.
Key benefits of implementing RBAC in Python:
a. Groups permissions into roles, simplifying authorization logic.
b. Enforces the principle of least privilege by restricting access based on roles.
c. Supports large user bases by structuring access control at different levels.
d. Integrates with databases and frameworks like Django, FastAPI, and Flask.
e. Works alongside models like ABAC or ReBAC for fine-grained access control.
f. Helps meet compliance requirements for standards like GDPR and HIPAA.
Python’s libraries and frameworks provide tools for implementing RBAC with structured policies and data management.
Oso Cloud is an authorization service for building RBAC in Python
Oso’s Python SDK provides tools for defining and enforcing RBAC policies. It supports declarative policy definitions and integrates with existing applications. Oso can be used for new implementations or to enhance existing authorization systems.
1. Oso Cloud is fully managed and deployed across multiple regions for low latency and high availability.
2. Oso Cloud comes out of the box with primitives for role-based access control (RBAC). It also includes built-ins for other access control models like relationship-based access control (ReBAC) or attribute-based access control (ABAC).
3. You provide Oso Cloud with the requisite authorization data, then your RBAC policy operates that data to make authorization decisions at runtime.
4. Oso can provide yes/no authorization decisions, as well as filter lists of data.
Express RBAC in Python with Oso Cloud
To authorize whether a user has the role required to perform an action on a resource, call Oso in your controller.
# This will return `False` if the current user does not# have access to the Repository that they're trying to readuser = Value("User", User.get_current_user())
repo = Value("Repository", repo_name)
oso.authorize(user, "read", repo)
You’ll also write an Oso policy—that is, a set of rules—to implement role-based authorization. Here, we’ll show a policy for an app for source code hosting like GitHub or GitLab.
In this policy, users may or may not be able to read or make changes to a repository, depending on whether they’re members or owners. That means we need authorization based on users’ roles.
actor User {}
resource Organization {
roles = ["owner"];
}
resource Repository {
permissions = ["read", "push"];
roles = ["contributor", "maintainer"];
relations = { parent: Organization };
# An actor has the "read" permission if they have the "contributor" role."read"if"contributor";
# An actor has the "push" permission if they have the "maintainer" role."push"if"maintainer";
# An actor has the "contributor" role if they have the "maintainer" role."contributor"if"maintainer";
# An actor has the "maintainer" role if they have the "owner" role on the # "parent" Organization."maintainer"if"owner" on "parent";
}
For a guide on other authorization models, such as ReBAC or ABAC, check out our authorization modeling guide covering roles, hierarchies, groups, and other patterns.
Filter data based on a user’s role
Your app needs to be able to return all the repos that a user can see based on their role and any other relevant criteria. To do this we can use the list method.
Here's that in the Python app again:
user = Value("User", User.get_current_user())
repos = oso.list(user, "read", "Repository")
Learn more about RBAC concepts, architecture, and best practices
We've written Authorization Academy to help you get started with RBAC and other authorization topics. The guide is language and technology-agnostic and covers industry-standard authorization concepts. Learn:
b. Common access control models like role-based access control (RBAC) and relationship-based access control (ReBAC) – when to use them and how to implement them.
What are the challenges of implementing RBAC in Python?
Building an RBAC system from scratch in Python involves:
a. Defining and managing roles and permissions.
b. Scaling as the number of users increases.
c. Integrating with authentication systems and APIs.
Using an authorization software like Oso addresses these challenges by providing a pre-built system that integrates into Python applications.
Should you build your own RBAC solution or use an existing framework like Oso?
Building an RBAC system in-house requires significant time and maintenance. Tools like Oso reduce engineering effort by providing a ready-to-use authorization framework. You can read more on this topic in our blog post "Build or Buy".
Can Oso be used with popular Python frameworks like Flask or FastAPI?
Yes, Oso integrates with Flask and FastAPI using its Python SDK, allowing role-based permissions to be enforced within existing application structures. The Oso SDK provides web framework middleware for oso-cloud, the Oso Cloud Client for Python. You can install it by running:
pip install oso-sdk
How do I get started with RBAC in Python using Oso?
1. Install the Oso library: pip install oso-cloud
2. Define roles and permissions in a policy file using Oso’s declarative syntax.
3. Embed Oso in your application to enforce these permissions.
Join the community of thousands of developers in the Oso Slack (including many Pythonistas!) and feel free to set up a 1x1 with an Oso engineer to learn more about RBAC in Python, Oso Cloud, or just authorization in general. We'd love to talk about what you're working on and answer any questions you have.
.jpg)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
