Hacker News
by orweis 1351 days ago
Thank you for the congrats and the good question. First of all, building on your own is a valid option - each application is a snowflake, and you should find what's best for you. That said, just like with cryptography and authentication, it can be risky to roll your own. If you decide to roll your own with OPA, I'd also recommend sticking to best practices [GitOps is just one] (check out this talk I gave on OWASP - https://youtu.be/1_Iz0tRQCH4), and also finding a solution for managing the authorization layer (e.g. https://opal.ac).

To this point specifically - "Do you offer a way of auditing and tracking who made changes to permissions" - Yes, check out Permit's audit-log interface.

In general, on top of the interfaces you get with OSS like OPA and OPAL, there are a lot more interfaces to build (e.g. audit logs, user mgmt, policy editing, approval flows, etc.), and none of them are unique to any application.