chapter eight

8 Policy languages and frameworks


This chapter covers

  • How XACML, OPA/Rego, OpenFGA, and AWS IAM approach authorization in modern, large-scale systems
  • Using the PARC framework to analyze various policy languages
  • The structure of policies in each language, shown through equivalent policy examples
  • Comparisons for choosing the right policy language or framework for your needs

ACME Corp wasn’t always a large company. ACME started small, and as it grew, so did the complexity of its authorization needs. What began as a handful of internal systems quickly turned into a sprawling network of cloud infrastructure, customer-facing platforms, and workflows that require strict compliance. Every new system introduced additional requirements, and often, a new approach to policy.

In the early days, ACME’s IT team adopted an off-the-shelf document management system that used XACML for access control. The standards-based approach seemed promising, especially for regulated workflows in HR and Finance. However, as the team tried to adapt it to changing business needs, XACML’s verbosity, its complexity, and its limited tooling became increasingly difficult to ignore.

8.1 XACML: the first policy language standard

8.1.1 A simple XACML example

8.1.2 Applying the PARC model to XACML

8.1.3 Legacy and lessons

8.2 OPA and Rego: policy for cloud-native systems

8.2.1 Rego policies example

8.2.2 Comparing Rego with Cedar

8.2.3 Applying the PARC model to OPA and Rego

8.2.4 Strengths and limitations

8.3 OpenFGA

8.3.1 How OpenFGA works

8.3.2 Document access example

8.3.3 Applying the PARC model to OpenFGA

8.4 AWS IAM

8.4.1 How IAM works

8.4.2 Example: confidential document access

8.4.3 Applying the PARC model to AWS IAM

8.5 Comparing policy languages

8.5.1 XACML

8.5.2 OPA/Rego

8.5.3 OpenFGA

8.5.4 AWS IAM

8.5.5 Cedar

8.5.6 From strengths to selection

8.6 Summary