Skip to main content

Authorization Engines Landscape

Policy as Code is not one engine — it is a discipline. EnforceAuth supports multiple PDP families over time.

Open Policy Agent (OPA) — available today

Enterprise OPA (EOPA) — extended CNCF distribution

EOPA is not a different policy language — it is an extended OPA build donated to the CNCF OPA project for enterprise PDP features:

FeatureWhy teams choose it
Decision log maskingRedact PII before logs leave your network
Delta bundlesSmaller updates at large fleet scale
PartitioningMultiple policy slices from one release
Datasource integrationsSQL, DynamoDB, Kafka, LDAP, S3, Vault — native PDP data access
Fleet efficiencyDesigned for data-heavy workloads and large PDP fleets

Styra DAS™, the former commercial control plane, was decommissioned April 30, 2026. EnforceAuth is the enterprise authorization platform for policy lifecycle, promotion, audit, and fleet operations. EOPA was donated to CNCF as the PDP subproject for enterprise runtime features. That migration path is documented separately; greenfield teams should start with OPA vs EOPA and default to OSS OPA.

OPA vs EOPA decision guide · (Migrating?) Migration from DAS™ / EOPA

Cedar — coming soon (Arbi)

  • Language: Cedar policy + schema
  • Strengths: Analysis, is_authorized batch patterns, AWS ecosystem
  • EnforceAuth codename: arbi in environment config

Zanzibar / relationship-based — coming soon (iBar)

  • Model: Relationship tuples, graph queries
  • Strengths: Consistent relationship store, team/org hierarchies
  • EnforceAuth codename: ibar in environment config

Choosing an engine

NeedOften fits
General ABAC across servicesOPA
Embedded app authorization with schemaCedar
Google-style relationship graphsZanzibar / SpiceDB

EnforceAuth's AuthZEN-oriented control plane is designed so PEP integration stays stable as you adopt or migrate engines.