
Cloud-native authorization

Combining the best of OPA and Zanzibar

Topaz is an open source authorization service providing fine grained, real-time, policy based access control for applications and APIs

brew tap aserto-dev/tap && brew install topaz
Fine-grained

Design a fine-grained authorization model that grows with your application: start with multi-tenant RBAC and evolve to ABAC, ReBAC, or any combination of them without rewriting your application code.

Policy Based

Extract authorization policy from application code into its own artifact and implement a “policy-as-code” workflow for your organization. Build authorization policies into immutable, signed OCI images, so policy can be versioned, verified and deployed like any other software artifact in your supply chain.

Real-time

Deploy Topaz right next to your application for lightning-fast authorization decisions with local data. Topaz stores your users, groups, objects, and relationships in an embedded database, and optimizes query evaluation over the object graph.

Supported languages and frameworks
Get started quickly with docs and resources for popular languages.
Authorization Policy Examples
RBAC Policy example

# RBAC expressed as a relation check against the directory: the request is
# allowed when the tenant object named in the request holds a "member"
# relation to the requesting subject. Roles live in the directory, not in
# the policy, so adding a role does not require a policy change.
allowed {
  ds.check_relation({
    "object": {
      "key": input.resource.tenant,
      "type": "tenant"
    },
    "relation": {
      "object_type": "tenant",
      "name": "member"
    },
    "subject": {"id": input.user.id}
  })
}
ABAC Policy example

# ABAC: the decision depends only on attributes of the request and its
# environment, not on stored relationships. data.workdays must be loaded
# alongside the policy as a list of English day names (e.g. "Monday"), since
# that is what time.weekday returns; the weekday is computed in UTC unless a
# time zone is passed explicitly as time.weekday([ns, "Europe/Berlin"]).
allowed {
  ns := time.now_ns()
  day := time.weekday(ns)
  day == data.workdays[_]
  input.user.department == "Sales"
}
ReBAC Policy example

# ReBAC: instead of naming a single relation, ask the directory whether the
# subject holds the "read" permission on the document by any path through
# the object graph (direct viewer, owner, group membership, and so on).
allowed {
  ds.check_permission({
    "object": {
      "key": input.resource.doc,
      "type": "document"
    },
    "permission": {"name": "read"},
    "subject": {"id": input.user.id}
  })
}
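The three examples above each show one model in isolation. The following policy is an added example, not code from the Topaz page or project, that puts the "any combination of models" claim into practice: a ReBAC permission check from the directory is combined with an ABAC constraint, an explicit deny, and a fail-closed default so that a request matching no rule evaluates to false rather than undefined. It assumes the same input shape and ds.check_permission builtin used on this page, plus a few things the page does not show: a package name, an input.user.properties.disabled attribute, and a data.workdays list; all three are illustrative.

```rego
# Added example (not the Topaz project's own policy). Uses the pre-v1 Rego
# syntax of the page's examples. The package name is illustrative.
package example.document

# Fail closed: with no matching rule the decision is false, never undefined.
default allowed = false

# A request is allowed only when it is not explicitly denied, the object
# graph grants "read", and the environmental (ABAC) constraint holds.
allowed {
  not denied
  has_read_permission
  on_workday
}

# ReBAC: resolve "read" on the document through the directory's object graph
# (owner, viewer, group membership, ...), exactly as the page's ReBAC example.
has_read_permission {
  ds.check_permission({
    "object": {"key": input.resource.doc, "type": "document"},
    "permission": {"name": "read"},
    "subject": {"id": input.user.id}
  })
}

# ABAC: restrict to configured workdays. data.workdays is assumed to be
# loaded with the policy, e.g. ["Monday", "Tuesday", "Wednesday", "Thursday",
# "Friday"]. The time zone is passed explicitly so the decision does not
# depend on where the Topaz instance happens to run.
on_workday {
  day := time.weekday([time.now_ns(), "UTC"])
  day == data.workdays[_]
}

# Explicit deny that wins over anything the graph would grant. The
# input.user.properties.disabled attribute is an assumption for this example.
denied {
  input.user.properties.disabled == true
}
```

The ordering inside the allowed rule matters for cost as well as correctness: the deny check and the attribute check are local and cheap, while the permission check walks the object graph, so placing the cheap conditions first lets OPA short-circuit before the graph query.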