the_newest | 2 years ago

I work in a highly regulated environment and evaluated using Cedar or OPA.

The biggest advantage to OPA was the flexibility. This enabled not just an authorization decision, but the why behind it. No more questions of why this person/system gained (or was denied) access, combing through dozens of rules to find the matching statements. Just pull up the log and read the results… This is incredibly useful during audits.

Cedar could not provide that level of detail (or so I was told by AWS representatives selling their hosted version).

grinich | 2 years ago

Is that issue with Cedar related to their design or just the current way it's exposed by AWS?

the_newest | 1 year ago

It's a Cedar-related issue. I like to know every check that was run for a policy and the result. Cedar will only provide the name of the policy that granted/denied.
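
An added illustration of the two audit-record shapes contrasted in this thread (not code from either commenter, and not OPA or Cedar code): a toy deny-overrides evaluator that keeps every check and its result, next to a summary that carries only the decision and the policy names. The policy names, request fields and function names are all constructed for the example.

```python
# Toy deny-overrides evaluator (constructed for illustration; not OPA or Cedar code).
from dataclasses import dataclass
from typing import Callable

Check = tuple[str, Callable[[dict], bool]]

@dataclass
class Policy:
    name: str
    effect: str            # "permit" or "forbid"
    checks: list[Check]    # every check must pass for the policy to match

# Constructed sample policies.
POLICIES = [
    Policy("permit-finance-read", "permit", [
        ("action is read", lambda r: r["action"] == "read"),
        ("principal in finance group", lambda r: "finance" in r["groups"]),
    ]),
    Policy("forbid-unmanaged-device", "forbid", [
        ("device is unmanaged", lambda r: not r["managed_device"]),
    ]),
]

def evaluate(request: dict, policies=POLICIES) -> dict:
    """Run every check of every policy (no short-circuit) and keep each result."""
    trace, matched = [], {"permit": [], "forbid": []}
    for p in policies:
        results = [{"check": label, "result": bool(fn(request))} for label, fn in p.checks]
        ok = all(c["result"] for c in results)
        trace.append({"policy": p.name, "effect": p.effect, "matched": ok, "checks": results})
        if ok:
            matched[p.effect].append(p.name)
    # Deny overrides: any matching forbid wins; no matching permit is a default deny.
    allow = bool(matched["permit"]) and not matched["forbid"]
    determining = matched["permit"] if allow else matched["forbid"]
    return {"decision": "allow" if allow else "deny",
            "determining_policies": determining, "trace": trace}

def summary_record(decision: dict) -> dict:
    """Audit record carrying only the decision and the policy names behind it."""
    return {k: decision[k] for k in ("decision", "determining_policies")}

def failed_checks(decision: dict) -> list[str]:
    """Answer the audit question from the trace: which checks evaluated to false?"""
    return [f'{p["policy"]}: {c["check"]}' for p in decision["trace"]
            for c in p["checks"] if not c["result"]]
```

For a default deny, where no policy matched at all, `determining_policies` is empty and only the trace shows which check failed.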