This is an entry into the application AuthZ world. The space is in need of a general approach to get away from ad hoc solutions in every application or in the IDP. Cedar falls somewhere between OPA with its datalog (prolog) based search approach and a Zanzibar based approach. It’s not clear which direction will win out, but it is time that this problem got some attention.

>"Cedar falls somewhere between OPA with its datalog (prolog) based search approach and a Zanzibar based approach."

I understand the OPA from your description of it as a "datalog(prolog) based search approach" but you didn't characterize what the "Zanzibar based approach" is. Is there a similar short descriptive summary of its approach?

jschorr

Zanzibar is an authorization system Google built and describes in a paper [1], which uses relationships to make authorization decisions (aka ReBAC): if there exists a path of such relationships between a resource's permission and, say, a user, then the user is considered to have that permission on the resource. This structural approach to permission checking allows for high levels of scaling and low latency on checks.

Disclaimer: I am the cofounder of AuthZed, where we are building an open source version of Zanzibar known as SpiceDB [2]

[1] https://zanzibar.tech [2] https://github.com/authzed/spicedb