What is the difference between the policy-as-code and policy-as-data approaches? Which is better? Do you really have to choose? Find out more in this post. 

Policy-as-Code or Policy-as-Data? Why Choose?

OPA can now consume policy bundles packaged as OCI images. Used together with the Policy CLI, you can build, tag, push, and pull policies just like docker images.

OPA natively consumes OCI images

By bringing together OPA, OCI, and Sigstore, Aserto enables organizations to achieve an end-to-end policy-as-code solution using three trusted open source projects.

Aserto delivers comprehensive access control by bringing together trusted Cloud Native Ecosystems

In this post, we'll explore how Aserto uses Policy-as-code to centrally define our important engineering best practices and share them amongst a diverse set of teams and microservices.

Policy-as-code for Docker and Kubernetes with Conftest / Gatekeeper

Aserto can collect and manage decision information from all your authorizers, including sidecar and other kinds of locally deployed ones. In this post, we will give an example of how to tap into the data generated by Aserto’s decision logging. 

Feature Review: Decision Logging

Aserto uses the Open Policy Agent (OPA) as the decision engine for evaluating authorization decisions. Rego is the policy language for defining rules that are evaluated by the OPA engine. In this tutorial, we’ll demonstrate building a Rego policy for a simple Todo application.

Creating a Rego policy for a Todo application

Today we’re happy to announce that Aserto supports GitLab as a source-code provider! You can now use both GitLab and GitHub to store and version your authorization policy code.

GitLab Integration is here!

In this tutorial, we'll learn how to add authorization to a Todo app written in Go, using the Aserto Go SDK.

Adding Authorization to a Go app with Aserto

Today, we are happy to announce that the Policy CLI can interact directly with Github Packages (GHCR)! You can now use the Policy CLI to manage your policy images with GHCR as well as the Open Container Registry and the Aserto Container Registry. In this post, we’ll walk through using the Policy CLI with GHCR.

The Policy CLI and Github Packages

Today, we're excited to announce that Aserto is sponsoring the KubeCon and CloudNativeCon events in the EU and US with a physical and virtual booth presence. We look forward to connecting with the community!

Aserto Sponsors KubeCon

If you're looking to implement RBAC with Go, there are several options to choose from. In this post, we'll review some of the existing tools in the Go ecosystem.

Building RBAC in Go

The cornerstone of any decision made by the Aserto authorizer is the authorization policy. The policy encapsulates the authorization logic, allowing for a clear separation of concerns between the application code and the authorization-specific logic. In this post, we explore how policies are structured and how they work.

How do Aserto Rego Policies Work?

Edge Authorizers are autonomous authorizer instances running as close to your application as possible. In this post, we'll discuss the benefits of using edge authorizers and review the process that allows the control plane to discover new edge authorizers as well as keep them up to date with policy and user information.

Aserto Edge Authorizers

An integral part of creating a policy is testing the policy to ensure it behaves as we expect it to. The OPA engine provides a straightforward way to test policies. In this post, we'll walk through the process of testing a policy created with Aserto.

Testing Rego Policies

Flask is one of Python's most popular web frameworks. It's lightweight, easy to master, and extensible. There are few, if any, applications that you can't tackle with Flask, including role-based access control (RBAC).

In this post, we'll look at setting up RBAC with Flask. We'll start with a simple Flask application and roll our own RBAC system.

Flask RBAC Demystified: A Developer's Guide

Aserto is now in open beta! No one should have to build permissions and RBAC on their own. Learn more about Aserto's solution and create your free account today!

Aserto, the developer API for permissions and RBAC, is open to all!

So you’ve decided to build authorization into your application. Sounds pretty straightforward, right? All it takes is a couple of tables in the database for roles and permissions, and we should be fine. Let’s take a deeper look at some design considerations you should be aware of from the get-go.

How hard can Authorization be?

If you're looking to implement RBAC with Node.js, there are many options to choose from. In this post, we'll review some of the existing tools in the Node.js ecosystem.

Building RBAC in Node

Authorization and authentication are often mistaken to be interchangeable concepts. In this post, we clarify the difference between the two. 

Isn't Authorization part of Authentication?

Role-based access control is a powerful pattern for handling many authorization use-cases, but in some cases - a more nuanced approach may be needed. In this post, we'll explore Attribute-Based Access Control, an authorization model that allows us to leverage dynamic user attributes to make fine-grained authorization decisions.

From RBAC to ABAC

When thinking about implementing an authorization solution, we are faced with the choice of whether to use a library that would be embedded in our application code, or to set up a service to which our application will make authorization calls. In this post, we'll examine the implications of choosing between the two in the context of authorization.

Authorization: Library or Service?

The Open Policy Agent project is an incredibly flexible and powerful policy engine. In this post, we explore some of the challenges facing developers using OPA for application authorization, and we propose some ways of overcoming those challenges.

The Challenges of Using OPA for Application Authorization

In this post, we'll cover essential best practices for role-based access control (RBAC) including examples and a tool that can help.

3 Essential RBAC Best Practices

Adding an authorization layer to your React.js and Node.js application has never been easier! Learn how to create a role-based access control policy and how to use it to make authorization decisions in your application. 

Building a React and Node app with Aserto Authorization 

Zero-trust architectures encourage defense in depth. Fine-grained authorization solutions are emerging that complement coarse-grained ones.

Modern authorization requires defense in depth

Fine-grained authorization is essential for selling B2B SaaS into larger accounts. Here’s how to evolve your model to meet those requirements.

Fine-grained authorization: what’s all the buzz about?

Passing data into the decision engine is a critical design choice for a robust authorization system. Here are four common patterns, each with their own tradeoffs.

Handling data in OPA policies

A Docker-inspired workflow for OPA policies, now available at openpolicyregistry.io!

Introducing the Open Policy Registry (OPCR) project

Building awesome apps with OPA just got easier.

Composing OPA Solutions

How we've built Aserto's authorization model by "eating our own dogfood".

Aserto on Aserto: an OPA authorization policy for Aserto tenants

Figuring out how to version your project can be a pain... let sver do the hard work - producing versions that are unique, sortable, human readable, and semantically correct.


sver: easy semantic versioning of your artifacts

Rego is a declarative language for writing policies. Here are a few tips and tricks for how to get started reading and writing Rego.

Rego: getting started

Github's authorization model uses a combination of roles and scopes, which makes it hard to pre-compute a user's access ahead of time.

Addressing challenges with Github's authorization model

Unlike most developer APIs, authorization is in the critical path of every application request, and requires a different architecture.

The Architectural Challenge of Authorization

Why we started Aserto: the missing developer API for application authorization.

Welcome to Modern Authorization

OAuth2 scopes were never intended to be an authorization mechanism, and indeed are a bad idea when used as a substitute for a real authorization architecture.

OAuth2 Scopes are NOT Permissions

Authentication is a solved problem. But authorization remains a far bigger problem, and is far from solved.

Authentication != Authorization

Five principles that any developer solution for application authorization should adhere to.

The Five Principles of Authorization

Embedding your authorization logic inside your application is a constant source of pain. Separating policy from code brings many benefits.

Why separate policy from your code?

Authorization for SaaS applications is painful for developers, administrators, SecOps, and compliance. It's time to fix this!

Blog

Company Updates & Technology Articles

Policy-as-Code or Policy-as-Data? Why Choose?