by gneray 663 days ago
This is the single-biggest drawback to purely Zanzibar-based architectures. The problem with requiring the authorization system to own all authorization data is that there’s really very little pure authorization data in any application. The majority of it is just application data that is sometimes used to make authorization decisions.

Here's a technical post that details these implications in practice: https://www.osohq.com/post/authorization-for-the-rest-of-us

And another post that describes an alternative approach, Oso: https://www.osohq.com/post/local-authorization

(Shocker: I'm cofounder/CEO of Oso)