Topaz is built on the CNCF OPA decision engine and supports the Google Zanzibar Authorization Model (ReBAC). With Topaz, you can evolve your authorization model from RBAC to ABAC and ReBAC, while retaining the benefits of policy-as-code, decision logging, and a local deployment model.
“The authorization involves some really difficult issues that I want experts to solve. Aserto allows us to do just that, at a small fraction of the cost it would take to build and maintain it ourselves.” – David Kerber, VP Technology at Spreetail.
A modern access control system should provide the following:
- Unified authorization service with a decentralized architecture to ensure low latency with high availability.
- Real-time access checks to eliminate the threat of decisions being made using outdated permissions (or access tokens).
- Fine-grained authorization so your organization can easily scale from simple role-based access control (RBAC) to attribute-based access control (ABAC) and relationship-based access control (ReBAC), or a combination thereof.
- Policy-based access management so that authorization logic is extracted from application code, embedded in an immutable, signed policy image, and centrally managed like any other application artifact.
- Decision logs of every authorization decision made for compliance, forensics, and auditability.
The Topaz open source project was built with these goals in mind. It uses OPA as a decision engine, integrates a repository inspired by Google Zanzibar, and is a great starting point for creating a flexible permission system for cloud applications.
The Aserto Authorization Service is built on top of Topaz and provides a control plane that enables centralized management of policies, users, groups, objects, relationships, and decision logs. It also syncs all changes to these with each locally deployed approver on a real-time data structure.
“Creating and managing an authorization system is a daunting task, especially at the enterprise level. So stop! Aserto has a distributed API, with millisecond latency and 100% uptime for it.” – Tom Preston-Werner, Co-founder of GitHub.
Open-source fine-grained access control for applications
Topaz democratizes this capability with a single, unified authorization service that combines the best of the Open Policy Agent and Google Zanzibar ReBAC model, providing developers with the best attributes of each.