Authorization Engines Landscape
Policy as Code is not one engine — it is a discipline. EnforceAuth supports multiple PDP families over time.
Open Policy Agent (OPA) — available today
- Language: Rego
- Distributions: OSS OPA (CNCF graduated — default for new teams) and Enterprise OPA (EOPA) (CNCF subproject) when specific PDP features are required
- Choose your PDP: OPA vs EOPA — read before you pick a container image
- Deployment: Sidecar, host daemon, centralized service, embedded SDK, gateway/mesh — see Deployment patterns
- Strengths: General-purpose ABAC/RBAC, broad ecosystem, CNCF graduated
- Learn more: Getting Started with OPA · Application integration
Enterprise OPA (EOPA) — extended CNCF distribution
EOPA is not a different policy language — it is an extended OPA build donated to the CNCF OPA project for enterprise PDP features:
| Feature | Why teams choose it |
|---|---|
| Decision log masking | Redact PII before logs leave your network |
| Delta bundles | Smaller updates at large fleet scale |
| Partitioning | Multiple policy slices from one release |
| Datasource integrations | SQL, DynamoDB, Kafka, LDAP, S3, Vault — native PDP data access |
| Fleet efficiency | Designed for data-heavy workloads and large PDP fleets |
Styra DAS™, the former commercial control plane, was decommissioned April 30, 2026. EnforceAuth is the enterprise authorization platform for policy lifecycle, promotion, audit, and fleet operations. EOPA was donated to CNCF as the PDP subproject for enterprise runtime features. That migration path is documented separately; greenfield teams should start with OPA vs EOPA and default to OSS OPA.
→ OPA vs EOPA decision guide · (Migrating?) Migration from DAS™ / EOPA
Cedar — coming soon (Arbi)
- Language: Cedar policy + schema
- Strengths: Analysis,
is_authorizedbatch patterns, AWS ecosystem - EnforceAuth codename:
arbiin environment config
Zanzibar / relationship-based — coming soon (iBar)
- Model: Relationship tuples, graph queries
- Strengths: Consistent relationship store, team/org hierarchies
- EnforceAuth codename:
ibarin environment config
Choosing an engine
| Need | Often fits |
|---|---|
| General ABAC across services | OPA |
| Embedded app authorization with schema | Cedar |
| Google-style relationship graphs | Zanzibar / SpiceDB |
EnforceAuth's AuthZEN-oriented control plane is designed so PEP integration stays stable as you adopt or migrate engines.