Great article! Disclaimer: I'm a co-founder of Aserto [0], where we're building a platform for API / microservices authorization.
I couldn't agree more that the question of how to get the data to the policy decision point is one of the most interesting and hardest challenges for this scenario.
You don't want to replicate the entire world in both your application's data store and your authorization system. But you also want to follow the principle of separation of concerns as much as practical.
There may be scenarios where your authorization system has to make calls to an external system, but that can cause availability and latency concerns. Ideally the decision engine has all the data it needs to make an authorization decision, without having to query another system.
For filtering scenarios that involve returning too much data to the client (which the client would need to filter locally), you could also imagine the authorization system doing a "partial evaluation" and returning you an AST which you can walk and attach as "where clauses" to your query. Here's an interesting read on how to do this with the OPA decision engine. [1]
[0] https://www.aserto.com
[1] https://blog.openpolicyagent.org/partial-evaluation-162750ea...
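The "walk the AST and attach where clauses" idea from the comment above, as an added example that is not part of the original comment and is not Aserto's or OPA's code. It assumes a simplified residual shape (a list of queries that are ORed, each a list of expressions that are ANDed), a hypothetical `posts` table, and `?` placeholders. The helper names `ref`, `scalar` and `to_where` are illustrative.

```python
# Added example. RESIDUAL is constructed sample data in a simplified shape
# modeled on a partial-evaluation result: outer list = OR, inner list = AND.
OPERATORS = {"eq": "=", "neq": "<>", "lt": "<", "lte": "<=", "gt": ">", "gte": ">="}
ALLOWED_COLUMNS = {("posts", "owner"), ("posts", "public"), ("posts", "clearance")}  # hypothetical schema

def ref(*parts):
    """Build a reference term such as data.posts.owner, or an operator name."""
    head, *rest = parts
    return {"type": "ref", "value": [{"type": "var", "value": head}]
            + [{"type": "string", "value": p} for p in rest]}

def scalar(value):
    kind = "boolean" if isinstance(value, bool) else "number" if isinstance(value, (int, float)) else "string"
    return {"type": kind, "value": value}

RESIDUAL = [
    [{"terms": [ref("eq"), ref("data", "posts", "owner"), scalar("alice")]}],
    [{"terms": [ref("eq"), ref("data", "posts", "public"), scalar(True)]},
     {"terms": [ref("lte"), ref("data", "posts", "clearance"), scalar(2)]}],
]

def _operand(term, params):
    """Column references must be allowlisted; every literal becomes a bound parameter."""
    if term["type"] == "ref":
        path = tuple(part["value"] for part in term["value"])
        if path[0] != "data" or path[1:] not in ALLOWED_COLUMNS:
            raise ValueError(f"reference not allowed in a filter: {path}")
        return ".".join(path[1:])
    if term["type"] in ("string", "number", "boolean"):
        params.append(term["value"])
        return "?"
    raise ValueError(f"unsupported term type: {term['type']}")

def to_where(queries):
    """Return (where_clause, params) for a list of residual queries."""
    if not queries:                      # nothing can satisfy the policy: fail closed
        return "1 = 0", []
    params, disjuncts = [], []
    for query in queries:
        conjuncts = []
        for expr in query:
            op, lhs, rhs = expr["terms"]
            name = op["value"][0]["value"]
            if name not in OPERATORS:
                raise ValueError(f"unsupported operator: {name}")
            conjuncts.append(f"{_operand(lhs, params)} {OPERATORS[name]} {_operand(rhs, params)}")
        # An empty query has no remaining conditions, so it is unconditionally true.
        disjuncts.append("(" + " AND ".join(conjuncts) + ")" if conjuncts else "(1 = 1)")
    return " OR ".join(disjuncts), params
```

Unknown operators, term types and column references raise instead of being skipped, so a residual the translator does not understand can never widen the filter.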