Hello everyone.
Working at a rapidly growing startup which wants to implement authorisation policies. We're going through the typical steps that are described in this brilliant article by one of your competitors:
https://www.osohq.com/post/why-authorization-is-hard.
Our setup has nested relations, which are currently being handled through recursive SQL queries. (Group A -> Group B -> User A ...) Groups and users may have access to other groups, other users and various documents. So there is both inheritance, group level access and individual access to documents/users.
I'm currently in the deciding process between a service-oriented solution such as SpiceDB and something more "embedded" such as Casbin. Besides the obvious perks and downsides of having a separate service for authorisation, what else should I take into consideration? Reading through the Zanzibar papers, I understand the low latency, the perks of ReBAC, ... everything that Google tried to solve (sorry for another oso article, but:
https://www.osohq.com/learn/google-zanzibar).
Furthermore, the aforementioned article states: "Google's engineers recommend that you use a policy engine alongside Zanzibar to close the gap." This, however, is already handled by SpiceDB if I'm not mistaken.
I find it a hard decision to make. Posts such as
https://news.ycombinator.com/item?id=30362395 describe solutions to several issues which are addressed in the Zanzibar papers as well. Though I'm still unsure about the tradeoffs.
TL;DR: Casbin vs SpiceDB, articles/comparison/any advice? Why would we opt to go through the hassle of centralising the data, keeping it in sync?
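To make the "recursive SQL for nested groups" part of the question concrete, here is an added example (my own code, not from the post, SpiceDB or Casbin): the nesting Group A -> Group B -> User A plus group-level and individual document grants, resolved with a recursive CTE in SQLite, next to the SpiceDB schema I would assume expresses the same model. The table layout, the sample data and the cycle in it are constructed for the illustration.

```python
import sqlite3

# Constructed sample data (not from the original post). Edges point from a
# containing group to its member: group_a -> group_b -> group_c -> user_1,
# plus a deliberate cycle back to group_a that naive recursion must survive.
GROUP_EDGES = [("group_a", "group_b"), ("group_b", "group_c"), ("group_c", "group_a")]
GROUP_USERS = [("group_c", "user_1"), ("group_b", "user_2")]
DOC_ACCESS = [("doc_1", "group", "group_a"), ("doc_2", "user", "user_3")]

# Assumed SpiceDB schema for the same model, for comparison only: the
# recursive walk done by the SQL below is what `group#member` resolves for you.
SPICEDB_SCHEMA = """
definition user {}
definition group { relation member: user | group#member }
definition document {
    relation viewer: user | group#member
    permission view = viewer
}
"""
TABLES = """
CREATE TABLE group_edges(parent TEXT, child TEXT);
CREATE TABLE group_users(grp TEXT, usr TEXT);
CREATE TABLE doc_access(doc TEXT, subject_type TEXT, subject_id TEXT);
"""
# Expand every group reachable from the groups granted on the document, then
# check direct user grants OR membership in any reachable group. UNION (not
# UNION ALL) discards rows already seen, so the group_c -> group_a cycle ends.
CAN_VIEW_SQL = """
WITH RECURSIVE reachable(grp) AS (
    SELECT subject_id FROM doc_access WHERE doc = :doc AND subject_type = 'group'
    UNION
    SELECT e.child FROM group_edges e JOIN reachable r ON e.parent = r.grp
)
SELECT EXISTS(SELECT 1 FROM doc_access
              WHERE doc = :doc AND subject_type = 'user' AND subject_id = :usr)
    OR EXISTS(SELECT 1 FROM group_users gu JOIN reachable r ON gu.grp = r.grp
              WHERE gu.usr = :usr)
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(TABLES)
    conn.executemany("INSERT INTO group_edges VALUES (?, ?)", GROUP_EDGES)
    conn.executemany("INSERT INTO group_users VALUES (?, ?)", GROUP_USERS)
    conn.executemany("INSERT INTO doc_access VALUES (?, ?, ?)", DOC_ACCESS)
    return conn

def can_view(conn, usr, doc):
    (allowed,) = conn.execute(CAN_VIEW_SQL, {"doc": doc, "usr": usr}).fetchone()
    return bool(allowed)
```

Every check re-walks the group graph against the primary database, which is the cost a Zanzibar-style service moves into its own indexed, cached store; that is the trade behind "centralising the data and keeping it in sync".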