I've been interested in this problem space for a couple of years, have tried a whole bunch of products but settled on using the cedar policy engine[1] wrapped in some custom code, using the application database and static files to generate policies that can be concatenated to make decisions. A useful property is that they can be indexed based on the "subject verb object" triplet used to represent authorisation queries (e.g. Can "John" download "File 1"?)
Have tried a whole bunch of other FGA providers with their own storage and retrieval services; I think that fundamentally all the DSLs are just variants on prolog and can be quite easily transformed into one another. Another thing to consider is that authorisation is in the critical path of everything, so if you need to call out to an external service it's going to add latency and become a single point of failure. Not to mention that it creates an explosion of complexity by distributing the system more widely, so if you can leverage your existing database and file storage to manage policies it's probably easier to build and manage long-term.
Overall I think it's worthwhile using an FGA solution to separate authorisation from business logic; I expect this will become industry standard in the years to come.
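A sketch of the approach this comment describes, added here as an example and not code from the commenter or from the Cedar project: policies are generated from constructed database rows and a constructed static rule list, indexed by the (principal, action, resource) triplet, and the matching policies are concatenated into the policy set for one query. The `decide()` function is a stand-in for the Cedar engine's semantics on fully-scoped policies (any forbid wins, otherwise a permit allows, otherwise deny); in a real deployment the concatenated text would be handed to Cedar instead.

```python
from collections import defaultdict

# Constructed rows standing in for the application database: (user, action, file).
DB_SHARES = [
    ("john", "download", "file1"),
    ("jane", "view", "file1"),
]
# Constructed static policy file: (effect, user, action, file). The forbid on
# file2 sits beside a permit to show that forbid overrides permit.
STATIC_RULES = [
    ("permit", "john", "download", "file2"),
    ("forbid", "john", "download", "file2"),
]

def cedar_policy(effect: str, user: str, action: str, file: str) -> str:
    """Render one fully-scoped Cedar policy as text."""
    return (f'{effect}(principal == User::"{user}", '
            f'action == Action::"{action}", resource == File::"{file}");')

def build_index(db_rows, static_rules):
    """Index policy text by the (principal, action, resource) triplet."""
    index = defaultdict(list)
    for user, action, file in db_rows:  # every share row becomes a permit
        index[(user, action, file)].append(cedar_policy("permit", user, action, file))
    for effect, user, action, file in static_rules:
        index[(user, action, file)].append(cedar_policy(effect, user, action, file))
    return index

def policies_for(index, user, action, file) -> str:
    """Concatenate the policies relevant to one query into a policy set."""
    return "\n".join(index.get((user, action, file), []))

def decide(index, user, action, file) -> str:
    """Stand-in for the Cedar engine: forbid wins, then permit, default deny."""
    policies = index.get((user, action, file), [])
    if any(p.startswith("forbid") for p in policies):
        return "Deny"
    if any(p.startswith("permit") for p in policies):
        return "Allow"
    return "Deny"

INDEX = build_index(DB_SHARES, STATIC_RULES)

if __name__ == "__main__":
    for q in [("john", "download", "file1"), ("jane", "download", "file1"),
              ("john", "download", "file2")]:
        print(q, "->", decide(INDEX, *q))
```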
I don't understand the purpose of this comment. It strikes me as a non sequitur. How does it conform to the logical throughline of the previous two comments?
You bear all the risk as the merchant; the customers can simply reverse a transaction, repeatedly, without providing a reason, for up to a couple of months.
Grep is a performance-sensitive program; it's not unusual to scan through thousands of files and millions of lines, so small inefficiencies are noticeable.
If you tried this in Python it would probably take hours to scan through something that ripgrep does in a few seconds.
[1] https://www.cedarpolicy.com/en