[itsronenh]

Aserto takes a hybrid approach. It runs a hosted control plane where you configure your user-directory, authorization policies, etc. But the authorization logic itself can run alongside the application that uses it, ensuring high availability and low latency.

[rad_gruchalski]

This can be done with Keycloak Authorization Services and custom logger. Keycloak loggers can be essentially anything, and they can listen and react to any kind of event happening inside. For example: policy create, update, delete. Those events can be forwarded to whatever needs to build your OPA policies.

Keycloak is a very solid product. The main aspect speaking in favor of Keycloak is its extensibility. Nothing beats it.

The problem with Keycloak is that people generally don't want to invest too much into learning it.