by academia_hack 1038 days ago
It's a pity the state of the art here is still so dire for basic use cases. Things like managing group access to files in directories, or giving people field-level permissions to specific columns on specific database records.

All of these languages (OPA, Cedar) are nifty but assume you have a whole team of devops engineers dedicated to replicating slices of your database state and getting them to the policy engine at the right time without discrepancies. Likewise, systems like Permit.io, OPAL, Topaz and SpiceDB claim to solve this problem, but they do it by adding an extra API call to everything your application does and then potentially having a permissions database which is in a divergent state from your real application.

I was really hopeful about Oso for this since it is a policy engine that operates over the application's data as a library (rather than a service), but the development on the actual library appears basically abandoned in favor of their SaaS and it's currently full of weird quirks, bugs and outdated dependencies - especially around the filtering tasks (e.g. show me all the blog posts a user is allowed to read). I'd happily pay for an Oso library that worked, but it seems like they've hyper-focused on SaaS.

Really would love to see one of these languages solve the data access layer for regular applications. Everyone immediately seems to run to Kubernetes at Google scale, when I'd kill for a nice way to write permissions that can sit on the same server as my application and do the job reasonably well.
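The comment above asks for an in-process permission layer that answers both "may this user do X to this record?" and "which records may this user read?" from one rule set, plus column-level visibility, without a second permissions database that can drift from application state. The block below is an added illustration of that shape; it is not code from the commenter, nor from Oso, OPA, Cedar or any product named above. The `POLICY`/`FIELD_POLICY` tables, the `Post` and `User` types and the sample posts are all constructed for the example. The point it makes is structural: the list filter and the field projection reuse the same `is_allowed` predicate, so a record the point check would deny can never appear in a filtered list.

```python
"""Minimal in-process authorization (hypothetical example).

One rule table drives the point check, the list filter and the
field-level projection, so the three answers cannot diverge and no
external policy service or replicated permissions store is involved.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # e.g. frozenset({"editor"})

@dataclass
class Post:
    id: int
    author: str
    status: str          # "draft" or "published"
    body: str
    internal_notes: str  # a column only editors may see

Rule = Callable[[User, Post], bool]

# Record-level policy: action -> rules; any rule that grants is enough.
# Actions absent from the table are denied (deny by default).
POLICY: Dict[str, List[Rule]] = {
    "read": [
        lambda u, p: p.status == "published",   # anyone may read published posts
        lambda u, p: p.author == u.name,        # authors may read their own drafts
        lambda u, p: "editor" in u.roles,       # editors may read everything
    ],
    "edit": [
        lambda u, p: p.author == u.name,
        lambda u, p: "editor" in u.roles,
    ],
}

# Field-level policy: column -> rule. Columns not listed are visible to
# anyone who may read the record.
FIELD_POLICY: Dict[str, Rule] = {
    "internal_notes": lambda u, p: "editor" in u.roles,
}

def is_allowed(user: User, action: str, post: Post) -> bool:
    """Point check: may `user` perform `action` on `post`?"""
    rules = POLICY.get(action)
    if not rules:
        return False
    return any(rule(user, post) for rule in rules)

def authorized(user: User, action: str, posts: List[Post]) -> List[Post]:
    """List filter: the subset of `posts` on which `user` may perform `action`.
    Reuses is_allowed, so it can never disagree with the point check."""
    return [p for p in posts if is_allowed(user, action, p)]

def visible_fields(user: User, post: Post) -> dict:
    """Field-level projection: the columns of `post` that `user` may see.
    Returns an empty dict when the record itself is not readable."""
    if not is_allowed(user, "read", post):
        return {}
    out = {}
    for column, value in vars(post).items():
        rule = FIELD_POLICY.get(column)
        if rule is None or rule(user, post):
            out[column] = value
    return out

# Constructed sample data (not from any real application).
POSTS = [
    Post(1, "bob",   "published", "Release notes",  "legal reviewed"),
    Post(2, "alice", "draft",     "Roadmap draft",  "not yet costed"),
    Post(3, "bob",   "draft",     "Incident notes", "customer names inside"),
]
ALICE = User("alice", frozenset())
BOB = User("bob", frozenset())
EVE = User("eve", frozenset({"editor"}))

if __name__ == "__main__":
    for who in (ALICE, BOB, EVE):
        print(who.name, "can read", [p.id for p in authorized(who, "read", POSTS)])
    print("alice sees on post 1:", sorted(visible_fields(ALICE, POSTS[0])))
    print("eve sees on post 1:", sorted(visible_fields(EVE, POSTS[0])))
```

In a real application the `POSTS` list would be replaced by a query, and the filter would ideally be pushed down into the `WHERE` clause rather than applied after fetching; the design point stands either way, namely that the filter is derived from the same rules as the point check rather than maintained as a separate copy.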