by fabian2k on 2/16/2022, 4:56:22 PM
by eatonphil on 2/16/2022, 4:02:42 PM
There are a lot of new-ish products in the last 5 years in the auth/identity space. I have been meaning to dig into them: Kanidm, Keycloak, Ory, SuperTokens, Oso, FusionAuth, CAS, maybe Authzed. I hadn't heard of Aserto yet, adding them to the list. Although I'm most interested in OSS products and Aserto looks like it is hosted-only.
If anyone has already done an independent study of the ecosystem I'd love a link.
by claytongulick on 2/16/2022, 5:02:21 PM
So much of authorization is context / application dependent, I'm struggling with this a bit.
For example, I have a cluster of services. I allow access to some of them, for certain actions, based on whether the user is part of a patient's care team.
That's very dynamic, I need to do a FHIR query to one of my services to determine that. Then there's a lot more logic, like what servicer / organization affiliation the user is part of, this is also a runtime lookup in a shared session state thing, etc.
I just list all that as a basic example. There are so many things that are application specific and require runtime evaluation that it's hard for me to understand the benefit of writing all that in a different language, in a different place, where I can't use the libraries and utilities that are already part of the application.
by sparsely on 2/16/2022, 4:06:35 PM
This looks so cool. I've always wanted something like this, especially being able to write the policies in Rego. I can't work out if it supports delegation though, i.e. service A temporarily allows service B to access a resource which normally only A has access to.
by rschwabco on 2/16/2022, 3:51:20 PM
Can't I just use Auth0 for authorization?
by bradhe on 2/16/2022, 3:49:29 PM
I've been following Aserto for a while actually, really excited to see this development. Makes a great complement to Auth0. Also the stuff they're doing for the OPA ecosystem is awesome!
by dew2105 on 2/16/2022, 4:42:18 PM
Auth is a major challenge and pain point... and Aserto is really impressive. Love the open source vs. completely walled garden approach.
by apoland on 2/16/2022, 4:11:58 PM
I've built my own authz too many times. The prospect of having a standard framework to do this is encouraging.
This is probably a pretty stupid question, or at least based on some misconception of mine about this space. But I don't really understand how permissions as a service or API can work efficiently.
If I request a single resource, of course this can work if I ask a second API on whether the request is allowed or not. But if I query a database for a list of items, to add access control I need to modify the database query. I can't just filter after the fact, it's too easy to cause pathological performance issues there, e.g. if the user has only access to a very small subset of a large list of results. How does this work with a separate access control API that can't directly modify the database query?
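An added illustration of the list-filtering concern above, using the care-team rule from the earlier comment: the same rule evaluated per row after the fact versus expressed as a query predicate the database applies. This is example code written for this thread, not code from Aserto, OPA or any commenter; the document/patient table, the care-team membership set and the `is_allowed` decision function are all constructed assumptions.

```python
import sqlite3

# Constructed sample data: each document belongs to a patient; a user may read a
# document only if they are on that patient's care team. 10,000 rows, 100 patients.
DOCUMENTS = [(i, f"patient-{i % 100}") for i in range(1, 10_001)]
CARE_TEAM = {("alice", "patient-7"), ("alice", "patient-42"), ("bob", "patient-7")}


def setup_db():
    """Build an in-memory SQLite database from the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE document (id INTEGER PRIMARY KEY, patient_id TEXT)")
    conn.execute("CREATE TABLE care_team (user_id TEXT, patient_id TEXT)")
    conn.executemany("INSERT INTO document VALUES (?, ?)", DOCUMENTS)
    conn.executemany("INSERT INTO care_team VALUES (?, ?)", sorted(CARE_TEAM))
    return conn


def is_allowed(user, patient_id):
    """Single-resource decision, the shape a separate authz API answers per call."""
    return (user, patient_id) in CARE_TEAM


def list_post_filter(conn, user, limit):
    """Fetch rows and ask the decision point per row until `limit` are allowed.
    Returns (ids, rows_examined); the cost grows with how much the user may NOT see,
    and a user with no access walks the whole table to return nothing."""
    ids, examined = [], 0
    for doc_id, patient_id in conn.execute("SELECT id, patient_id FROM document ORDER BY id"):
        examined += 1
        if is_allowed(user, patient_id):
            ids.append(doc_id)
            if len(ids) == limit:
                break
    return ids, examined


def list_pushed_down(conn, user, limit):
    """Express the same rule as a predicate so the database does the filtering.
    What moves into the query is the rule's data (care-team membership as a join),
    not a per-row verdict, so LIMIT and indexes apply before any rows are returned."""
    rows = conn.execute(
        "SELECT d.id FROM document d "
        "JOIN care_team c ON c.patient_id = d.patient_id "
        "WHERE c.user_id = ? ORDER BY d.id LIMIT ?",
        (user, limit),
    ).fetchall()
    return [r[0] for r in rows]
```

Both paths return the same ids for a user who has access; the difference shows up in the rows examined, which for a user with no care-team membership is the entire table on the post-filter path.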