Aserto Topaz: Cloud-native authorization for modern applications and APIs

Aserto announces a new open-source project, Topaz, providing fine-grained, policy-based, real-time access control for applications and APIs.

Topaz is built on top of the CNCF OPA decision engine and supports the Google Zanzibar (ReBAC) authorization model. With Topaz you can scale your authorization model from RBAC to ABAC and ReBAC, while retaining the benefits of policy-as-code, decision logging, and a local deployment model.

“Authorization involves really hard problems that I want experts to solve. Aserto allows us to do just that, at a small fraction of the cost it would take to build and maintain it ourselves.” – David Kerber, VP Technology at Spreetail.

A modern access control system needs to provide the following:

• Unified authorization service with a decentralized architecture to ensure low latency with high availability.
• Real-time access checks to eliminate the threat of authorizing using stale permissions (or access tokens).
• Fine-grained authorization so that your organization can easily evolve simple role-based access control (RBAC) into attribute-based access control (ABAC), and relationship-based access control (ReBAC), or a combination of these.
• Policy-based access management so that the authorization logic is extracted from the application code and built into an immutable, signed policy image and managed centrally, just like any other application artifact.
• Decision logs of every authorization decision performed for compliance, forensics, and auditability.

The Topaz open-source project was built with these goals in mind. It uses OPA as its decision engine, incorporates a directory modeled after Google’s Zanzibar, and is a great place to start when building out a flexible authorization system for cloud applications.

The Aserto authorization service is built on top of Topaz and provides a control plane which enables central management of policies, users, groups, objects, relations, and decision logs. And it syncs any changes to these with every locally-deployed authorizer over a real-time data fabric.

“Building & managing an authorization system is a huge pain, especially at enterprise scale. So stop! Aserto has a distributed, millisecond latency, 100% availability API for that.” – Tom Preston-Werner, Co-founder of Github.

Open-source fine-grained access control for applications

Currently, only large organizations with sizable engineering teams, such as Google, Intuit, Netflix, Airbnb, and Carta can build fine-grained authorization systems that fulfill all the requirements.

Topaz democratizes this capability with a single, unified authorization service that combines the best of the Open Policy Agent and the Google Zanzibar ReBAC model, providing developers with the best attributes of each.