by obiwanpallav1 1884 days ago
I had a nice experience building a multi-tenant system in which RBAC was done by Open Policy Agent (OPA) [0].

Our data model was N-level hierarchies of entities for each tenant, and these hierarchies followed inheritance for roles.

We made some policies in OPA, and the membership data was present in the DB, which was sent to OPA at startup. Then any diff made in membership was subsequently sent to OPA as well.

[0] https://www.openpolicyagent.org/docs/latest/
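The setup described in the post (static policy in OPA, tenant membership pushed in as data, roles inherited down an entity hierarchy) can be sketched as a single Rego policy. This is an added illustration, not the commenter's code; the data layout under `data.membership`, the `input` fields, the role-to-permission table and the sample tenant in the comments are all assumptions made here.

```rego
package tenant.authz

import rego.v1

default allow := false

# Static policy: which permissions each role carries (assumed table).
role_permissions := {
	"admin": {"read", "write", "delete"},
	"editor": {"read", "write"},
	"viewer": {"read"},
}

# Membership lives outside the policy. It is loaded into OPA's data document at
# startup and updated when it changes. Assumed shape:
#
#   data.membership[tenant].parents  : {"child_entity": "parent_entity", ...}
#   data.membership[tenant].bindings : [{"user": "...", "entity": "...", "role": "..."}]
#
# Assumed input: {"tenant": "...", "user": "...", "entity": "...", "action": "..."}
#
# Constructed sample document (membership.json) for a tenant "acme" whose
# hierarchy is org-acme -> dept-eng -> team-payments:
#
#   {"membership": {"acme": {
#     "parents":  {"team-payments": "dept-eng", "dept-eng": "org-acme"},
#     "bindings": [{"user": "alice", "entity": "org-acme",      "role": "admin"},
#                  {"user": "bob",   "entity": "team-payments", "role": "viewer"}]}}}

# Child -> {parent} adjacency for one tenant, in the form graph.reachable expects.
parent_graph(tenant) := {child: {parent} |
	some child, parent in data.membership[tenant].parents
}

# The entity itself plus every ancestor, however deep the hierarchy is.
# graph.reachable walks the parent links, so no fixed depth is baked in.
lineage(tenant, entity) := graph.reachable(parent_graph(tenant), {entity})

# A role bound on any ancestor entity is inherited by its descendants.
allow if {
	some binding in data.membership[input.tenant].bindings
	binding.user == input.user
	binding.entity in lineage(input.tenant, input.entity)
	input.action in role_permissions[binding.role]
}
```

Evaluated against the sample document with `opa eval -d policy.rego -d membership.json -i input.json 'data.tenant.authz.allow'`, alice's admin binding on `org-acme` is picked up for a request on `team-payments` two levels below it, while bob's viewer binding only grants `read`. Pushing the membership document into a running OPA is a `PUT` to `/v1/data/membership` on OPA's REST API, which is the "sent to OPA at startup, then diffs afterwards" flow the post describes; keeping the tenant's bindings under one path means a full replacement of that path is always a safe fallback if the diff stream and the database get out of step.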

1 comment

Did you use OPA as a sidecar or a separate service? I have a similar setup, but with a separate service the "diff pushing" approach adds quite some complexity, due to OPA and the data source having separate lifecycles.
It was a separate service. The other service that was using it was a monolith.