Modernizing Authorization: A Technical Whitepaper on the Topaz Service for Cloud-Native Applications

1. Introduction: The Evolving Challenge of Application Authorization

Managing authorization in modern, distributed, cloud-native applications presents a significant strategic challenge. As applications become more complex and interconnected, traditional authorization models—often hard-coded directly into the application logic—prove brittle and difficult to audit. These legacy approaches are fundamentally insufficient for meeting today’s demanding security and compliance requirements; they introduce significant technical debt and create an ever-expanding audit surface.

Topaz is an open-source, modern authorization service designed specifically to address this challenge. It provides a platform for fine-grained, real-time, policy-based access control for applications and APIs. The core value proposition of Topaz lies in its unique synthesis of two powerful authorization paradigms: the declarative policy engine of the Open Policy Agent (OPA) and the relationship-based access control model of Google’s Zanzibar. This combination delivers a solution that is both exceptionally powerful and highly flexible.

This whitepaper provides a technical overview of the Topaz architecture, its core principles, and its practical benefits. It is intended for engineering leaders and system architects seeking a robust, scalable, and future-proof solution for modernizing their application authorization stack.

2. The Core Pillars of the Topaz Authorization Model

A robust authorization system must be built upon a foundation of clear, first-class principles. Topaz is architected around three core pillars that directly address the critical needs of scalable, secure applications: fine-grained control, policy-based management, and real-time performance. Together, these pillars enable organizations to build a sophisticated authorization layer that enhances security posture without compromising development velocity.

2.1. Fine-Grained, Evolvable Control

Fine-grained authorization refers to the ability to define and enforce access rules at a very granular level, moving beyond simple role assignments to consider a rich context of relationships, attributes, and permissions. A key strength of Topaz is its ability to support an authorization model that grows and evolves with an application’s lifecycle.

An organization can begin with a straightforward multi-tenant Role-Based Access Control (RBAC) model and, as requirements mature, seamlessly evolve to incorporate more sophisticated models. This includes Attribute-Based Access Control (ABAC), which makes decisions based on user or resource properties, and Relationship-Based Access Control (ReBAC), which evaluates the relationships between entities. Topaz allows for any combination of these models to coexist, providing the flexibility to apply the right control for the right situation.

2.2. Centralized, Policy-Based Management

Topaz champions a “policy-as-code” paradigm, which fundamentally decouples the authorization lifecycle from the application release lifecycle, enabling independent evolution and reducing deployment risk. By externalizing authorization rules into a separate, manageable policy artifact, organizations gain significant operational and security benefits, allowing security and development teams to manage, audit, and update access policies independently.

This approach delivers a profound security supply chain advantage. Authorization policies can be built into immutable, signed OCI images—the same standard used for container images. This allows policies to be versioned, tested, and securely distributed through a trusted pipeline, ensuring policy integrity from development to production and mitigating the risk of unauthorized or accidental changes to critical access rules.

2.3. Real-Time, Low-Latency Decisions

For authorization to be practical, it must be performed with minimal latency. Slow permission checks can cripple application performance and degrade the user experience. Topaz is designed for real-time decision-making by being deployed “right next to your application” within your own infrastructure.

This low-latency performance is achieved through its underlying architecture. Topaz stores the complete object graph—comprising all users, groups, objects, and their intricate relationships—in an embedded database. It leverages this local data store to perform highly optimized query evaluations, delivering lightning-fast authorization decisions without the network overhead of calling an external service for every check.

These principles are brought to life through a flexible, non-intrusive architecture designed to integrate seamlessly into modern cloud environments.

3. Topaz Architectural Blueprint

A modern security service must integrate seamlessly into an organization’s existing environment without forcing disruptive changes or compromising data sovereignty. The Topaz architecture is designed to be both flexible and non-intrusive, providing robust authorization while respecting an organization’s operational and security boundaries.

The Topaz deployment model is centered on self-hosting. The service is deployed within an organization’s own cloud environment, ensuring that all sensitive authorization data and policies remain under its direct control. Topaz connects to existing data sources, allowing it to synchronize the user, object, and relationship data necessary for making informed access decisions. This architecture provides several key benefits:

1. Data Privacy & Sovereignty: Sensitive identity and relationship data never leaves the organization’s control boundary.
2. Enhanced Security: The attack surface is minimized by avoiding reliance on external, multi-tenant authorization services.
3. Operational Control: Teams can manage, scale, and monitor the service according to their own operational standards and SLOs. This self-hosted model also grants teams full control over the performance and scalability profile of the authorization tier, allowing them to provision resources in line with their application’s specific load characteristics.

Broad Platform Compatibility

To facilitate rapid integration, Topaz provides support and resources for a wide range of popular languages and frameworks:

• Node.js
• Go
• Python
• Java
• ASP.NET
• Ruby

This broad support ensures that development teams can easily incorporate fine-grained authorization into their applications, regardless of their technology stack. This architecture sets the stage for implementing powerful and diverse authorization policies in practice.

4. Implementing Authorization Models: From Theory to Practice

The true power of Topaz is its ability to express a wide variety of authorization models using a single, unified policy engine. This section demonstrates the flexibility of its policy language by examining concrete examples for Role-Based, Attribute-Based, and Relationship-Based Access Control.

4.1. Role-Based Access Control (RBAC) Example

RBAC is a common model where permissions are granted based on a user’s assigned role. The following Topaz policy demonstrates a classic RBAC check for multi-tenancy.

Analysis: This policy is evaluated to determine if an action is allowed. It uses the ds.check function to query the Topaz data store, which contains the graph of users, objects, and their relationships. The query asks a fundamental RBAC question: “Does the user (subject_id) have the viewer relationship (relation) with the specified tenant (object_id)?” This pattern checks a relationship against a logical boundary or resource type (tenant), making it a coarse-grained check suitable for broad multi-tenant permissions.

4.2. Attribute-Based Access Control (ABAC) Example

ABAC makes dynamic authorization decisions by evaluating a set of attributes associated with the user, resource, or environment.

Analysis: This policy enforces a more dynamic rule. Access is allowed only if two conditions are met simultaneously: the current day of the week must be a defined workday, and the user’s department property must be “Sales”. This policy effectively implements a business rule such as, “Sales personnel can only perform this action during established workdays,” demonstrating how authorization can enforce dynamic, context-aware business constraints.

4.3. Relationship-Based Access Control (ReBAC) Example

ReBAC, inspired by Google Zanzibar, extends beyond static roles to check for specific permissions based on the direct or indirect relationships between subjects and individual objects.

Analysis: This policy demonstrates the defining characteristic of Zanzibar-style systems. Unlike the RBAC example that checks a role against a tenant, this policy checks for a specific permission (can_read) against a specific object instance (the document with a unique doc_id). This highly granular, object-centric pattern enables use cases like Google Docs-style sharing, where permissions are managed on a per-resource basis—a requirement that is impossible to satisfy with classic RBAC alone.

5. The Strategic Advantage: Combining OPA and Zanzibar

For architects designing modern systems, authorization often presents a difficult choice between the declarative policy flexibility of OPA and the scalable relationship model of Zanzibar. The fusion of these two paradigms is not merely a technical feature; it is the core strategic differentiator of Topaz. It resolves this architectural conflict, providing unparalleled flexibility and scalability by eliminating the need for a trade-off.

The heritage from OPA provides Topaz with its powerful, declarative policy language and the “policy-as-code” workflow. This enables the clean separation of authorization logic from application code, which is critical for modern software development and security operations. Policies become auditable, version-controlled artifacts that can be managed through a secure software supply chain, dramatically improving an organization’s security posture.

The principles from Zanzibar provide the foundation for Topaz’s highly scalable, fine-grained access control capabilities. By modeling the system as a graph of subjects, objects, and their relations, Topaz can efficiently evaluate complex permission checks, such as “can user X access resource Z through their membership in group Y?”. This model is the key to enabling both high-performance ReBAC and real-time decision-making, even across vast datasets with millions of entities and relationships.

Ultimately, this hybrid architecture is superior for modern cloud-native applications. It frees teams from the constraints of a single authorization model, allowing them to use the right tool for the right problem—RBAC for broad-strokes permissions, ABAC for dynamic context, and ReBAC for granular, resource-specific control—without the complexity and overhead of deploying and managing multiple disparate systems.

6. Conclusion and Next Steps

Topaz emerges as a powerful, open-source solution designed to solve the complex authorization challenges of the cloud-native era. By intelligently combining the policy-as-code strengths of OPA with the scalable graph model of Zanzibar, Topaz offers a unified platform for building flexible, secure, and high-performance access control systems. It empowers engineering and security teams to decouple authorization from application logic, evolve their access models as requirements change, and maintain control over their data within their own cloud environment. This architectural decoupling not only improves security posture but also accelerates feature development by enabling application teams to build securely by default, without becoming authorization experts.

Adopting Topaz provides three primary benefits that directly address the core needs of modern application development:

• Fine-Grained Control: Design and implement an authorization model that grows with your application, from simple RBAC to sophisticated ReBAC and ABAC combinations.
• Policy-as-Code Security: Enhance your security supply chain by managing authorization logic as versioned, signed, and immutable artifacts.
• Real-Time Performance: Ensure a seamless user experience with low-latency permission checks delivered by a service deployed right next to your application.

Getting Started with Topaz

To begin exploring the capabilities of Topaz, you can install the open-source service using Homebrew on macOS and Linux:

brew tap aserto-dev/tap && brew install topaz