[dboreham]

You are not wrong. And this pattern shows up everywhere. e.g. do you need a SaaS for "feature flags", since they're just an if statement?

In the case of authz, the argument for separating it as a concern is that many applications can share the same scheme, and you can have specialized tools for provisioning, auditing, etc.

[ogazitt]

Exactly. When you cross a certain complexity threshold, it's worth separating concerns. It's true for configuration, it's true for IaC, and also for authorization policy.

[danans]

> do you need a SaaS for "feature flags", since they're just an if statement?

If you want the ability to remotely enable/disable a feature, then yes.

[OJFord]

It'd be remiss of us to let left-pad aaS [0] go unmentioned in this thread... For those in today's 'lucky 10,000'^, you're welcome.

There are definitely good arguments for it, services like feature-flagging I mean, and such things are generally relatively low-cost; it's more the risk of adding a 'disappearable' dependency for anything and everything that'd put me off.

(^And if you don't know about this, OMG how can you not have heard about lucky 10k?! Just kidding. [1])

[0] - http://left-pad.io/

[1] - https://xkcd.com/1053/