Aserto Introduces Topaz, an Open-Source Authorizer that Simplifies Adding Fine-Grained, Policy-Based Real-Time Access Control to Cloud Applications

Seattle, WA, October 24, 2022 — Aserto the authorization-as-a-service platform and creators of Open Policy Registry (OPCR), a docker-inspired workflow for Open Policy Agent (OPA) policies, today announces a new open-source project: Topaz. Topaz is a cloud-native authorization service, providing fine-grained, policy-based, real-time access control for applications and APIs. Topaz is built on top of the CNCF OPA decision engine and supports the Google Zanzibar (ReBAC) authorization model in a first-class way. With Topaz you can scale your authorization model from RBAC to ABAC and ReBAC, while retaining the benefits of policy-as-code, decision logging, and a local deployment model.

“A policy-centric authorization solution for developers is a glaring hole in the market, and there is no team on the planet better equipped to build it.” — James Lindenbaum, Founder of Heroku & Heavybit.

A modern access control system needs to provide the following:

– Unified authorization service with a decentralized architecture to ensure low latency with high availability.

–  Real-time access checks to eliminate the threat of authorizing using stale permissions (or access tokens).

–  Fine-grained authorization so that your organization can easily evolve simple role-based access control (RBAC) into attribute-based access control (ABAC), and relationship- based access control (ReBAC), or a combination of these.

–  Policy-based access management so that the authorization logic is extracted from the application code and built into an immutable, signed policy image and managed centrally, just like any other application artifact.

–  Decision logs of every authorization decision performed for compliance, forensics, and auditability.

The Topaz open-source project was built with these goals in mind. It uses OPA as its decision engine, incorporates a directory modeled after Google’s Zanzibar, and is a great place to start when building out a flexible authorization system for cloud applications.

The Aserto authorization service is built on top of Topaz and provides a control plane which enables central management of policies, users, groups, objects, relations, and decision logs. And it syncs any changes to these with every locally-deployed authorizer over a real-time data fabric.

Open-source fine-grained access control for applications

Currently, only large organizations with sizable engineering teams, such as Google, Intuit, Netflix, Airbnb, and Carta can build fine-grained authorization systems that fulfill all the requirements. Topaz democratizes this capability with a single, unified authorization service that combines the best of the Open Policy Agent and the Google Zanzibar ReBAC model, providing developers with the best attributes of each.


  • Topaz website
  • Topaz docs
  • Control plane documentation

Connect with Aserto

  • LinkedIn
  • Aserto Twitter
  • Aserto blog
  • Aserto website

About Aserto

Aserto helps developers build secure applications. We make it easy to add fine-grained, policy-based, real-time access control to cloud applications and APIs.

Built around established cloud-native, open-source technologies, like OPA and Zanzibar, Aserto handles all the heavy lifting required to achieve secure, scalable, high-performance access management.

Aserto authorizes locally and manages centrally, offering blazing-fast authorization of a local library, coupled with a centralized control plane for managing policies, user attributes, resource and relationship data, and decision logs. And it comes with everything you need to deliver fine-grained RBAC, ABAC, or ReBAC, as well as comprehensive developer resources for any language or framework – saving you months of engineering time.