Today we are using OpenFGA and OPA together, as OPA does not provide a real solution for managing our data and we only have a few real attribute-based checks we need to make. OpenFGA is a nice data plane, but does not provide an attribute-based solution, so we are http.send integrating the two, which is not ideal.
In simple terms, Topaz brings a ReBAC data solution together with OPA, so you only have to create attribute-based authorization rules when really needed, to complement the relation authorization provided by the Topaz directory.
I see it is a container-based solution. Is that a requirement? We (have to) run on Windows Server; can I run Topaz without a container, just bare metal?
You can, simply use the topazd.exe binary from the topaz_windows_x86_64.zip from the GH releases page (https://github.com/aserto-dev/topaz/releases). Note this is currently not a Windows Service, so no net start topaz. Let me know if that would be interesting.
Thanks for the question! Those are both great projects. Topaz combines the best elements of both:
* It uses OPA as its decision engine and Rego as the policy language, and supports the "policy as code" methodology
* It also implements a ReBAC directory, much like OpenFGA, in the same container image. It goes further, by allowing you to store not just relationships between subjects and objects, but also properties... which makes it easy to author policies that combine attribute-based (ABAC) and relationship-based (ReBAC) rules.
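
For reference, the OPA-to-OpenFGA integration over http.send mentioned in the first post could look like the sketch below. This is an added example, not code from any poster or from the Topaz or OpenFGA projects. The endpoint URL, store id, `document` object type and the shape of `input` are assumptions; the rule names are hypothetical.

```rego
package authz.example

import rego.v1

# Assumed values: point these at your own OpenFGA server and store.
fga_url := "http://localhost:8080"
store_id := "STORE_ID_PLACEHOLDER"

# Deny unless both the relationship and the attribute check succeed.
default allow := false

# ReBAC part: ask OpenFGA's Check API whether the tuple holds.
# raise_error=false turns network failures into a response with
# status_code 0 instead of aborting evaluation, so the policy
# falls through to the default deny (fail closed).
fga_response := http.send({
	"method": "POST",
	"url": sprintf("%s/stores/%s/check", [fga_url, store_id]),
	"headers": {"Content-Type": "application/json"},
	"body": {"tuple_key": {
		"user": sprintf("user:%s", [input.user.id]),
		"relation": input.relation,
		"object": sprintf("document:%s", [input.resource.id]),
	}},
	"timeout": "2s",
	"raise_error": false,
})

related if {
	fga_response.status_code == 200
	fga_response.body.allowed == true
}

# ABAC part: an attribute comparison that OpenFGA alone does not express
# (assumed attributes on the input document).
attributes_ok if {
	input.user.department == input.resource.department
}

allow if {
	related
	attributes_ok
}
```

Every decision here costs a network round trip to OpenFGA, and an outage of that service denies all requests that depend on `related`.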