Authorization Architecture
The control plane for your authorization policies
Big ACL is a central Policy Administration Point (PAP) that lets you author, version, test, and deploy authorization policies — then distribute them to the policy decision points (PDPs) already running in your ecosystem.
Why authorization management is broken
Policies scattered in code
Authorization logic is buried in if-statements, middleware, and config files across dozens of services — impossible to review holistically.
Audit is a nightmare
When the auditor asks "who can access patient records?", no one can answer confidently — because there's no single source of truth.
PDP vendor lock-in
Writing policies directly for one engine ties your governance to that vendor. Switching later means rewriting everything.
Every change requires a deploy
Policy updates are coupled to application releases. A simple role change turns into a sprint task with CI/CD pipelines and downtime risk.
How Big ACL fits in your stack
Big ACL sits at the center of your authorization architecture. It ingests identity context, lets you author and govern policies, and distributes them to any PDP — while collecting decision logs for audit.
PDP deployment patterns
Big ACL is PDP-agnostic. Whether your OPA sidecars pull bundles or you sync policies to a managed service, Big ACL delivers the right policies to the right place.
Sidecar / embedded PDP
OPA runs alongside each service and pulls Rego bundles from Big ACL. Decisions are made locally with sub-millisecond latency.
Centralized PDP
A managed PDP service evaluates all requests. Big ACL syncs Cedar policies via API. Simpler to operate but adds a network hop.
From business intent to enforcement
Author
Write access rules in natural language or structured form. Business teams and security teams collaborate on the same policy.
Formalize
AI-assisted formalization turns natural language into structured, unambiguous rules with subjects, resources, and conditions.
Translate
Policies are automatically translated into the native language of your PDP — Rego for OPA, Cedar for AVP, and more.
Version
Every policy change is versioned. Compare revisions, roll back, and maintain a complete audit trail of who changed what and when.
Deploy
Promote versions across environments — staging, production — and distribute bundles or sync policies to your PDPs automatically.
Monitor
Collect decision logs from your PDPs. Detect anomalies, verify enforcement, and feed compliance dashboards in real time.
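An added example, not Big ACL's own code: a check for the Monitor step that reads OPA decision-log events, lists which subjects were allowed on a resource type, and flags PDPs still deciding with a bundle revision other than the promoted one. The sample events are constructed, and the layout of `input` (subject, action, resource), the function name `audit`, the bundle name `authz` and the revision `v42` are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample: OPA decision-log events, one JSON object per line.
# decision_id, labels, bundles, path, input and result are fields of OPA's
# decision-log event format; the layout inside "input" is an assumption.
SAMPLE_LOG = """\
{"decision_id":"d1","labels":{"id":"pdp-orders"},"bundles":{"authz":{"revision":"v42"}},"path":"authz/allow","input":{"subject":"alice","action":"read","resource":{"type":"patient_record"}},"result":true}
{"decision_id":"d2","labels":{"id":"pdp-orders"},"bundles":{"authz":{"revision":"v42"}},"path":"authz/allow","input":{"subject":"bob","action":"read","resource":{"type":"patient_record"}},"result":false}
{"decision_id":"d3","labels":{"id":"pdp-billing"},"bundles":{"authz":{"revision":"v41"}},"path":"authz/allow","input":{"subject":"carol","action":"write","resource":{"type":"patient_record"}},"result":true}
{"decision_id":"d4","labels":{"id":"pdp-orders"},"bundles":{"authz":{"revision":"v42"}},"path":"authz/allow","input":{"subject":"alice","action":"read","resource":{"type":"invoice"}},"result":true}
{"decision_id":"d5","labels":{"id":"pdp-portal"},"bundles":{"authz":{"revision":"v42"}},"path":"authz/allow","input":{"subject":"dave","action":"read","resource":{"type":"patient_record"}}}
"""


def audit(log_text, expected_revision, bundle="authz", resource_type="patient_record"):
    """Return (allowed, stale): who was allowed on resource_type, and which
    PDPs decided with a bundle revision other than expected_revision."""
    allowed = defaultdict(set)  # subject -> set of allowed actions
    stale = {}                  # PDP label id -> revision it decided with
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # Enforcement check: every decision should come from the promoted revision.
        revision = event.get("bundles", {}).get(bundle, {}).get("revision")
        if revision != expected_revision:
            stale[event.get("labels", {}).get("id", "unknown")] = revision
        request = event.get("input", {})
        if request.get("resource", {}).get("type") != resource_type:
            continue
        # Only a literal true is an allow; an undefined decision has no "result".
        if event.get("result") is True:
            allowed[request.get("subject")].add(request.get("action"))
    return {subject: sorted(actions) for subject, actions in allowed.items()}, stale


if __name__ == "__main__":
    who, stale_pdps = audit(SAMPLE_LOG, expected_revision="v42")
    print("allowed on patient_record:", who)
    print("PDPs not on the promoted revision:", stale_pdps)
```

The result covers only access that was actually exercised and logged; the full answer to "who can access" still comes from the policies themselves.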
Key principles
Multi-model
Combine RBAC, ABAC, and ReBAC in a single platform. Model roles, attributes, and relationships side by side — no need to pick one pattern for all use cases.
Multi-PDP
Write policies once, deploy everywhere. Big ACL translates and distributes to OPA, Cedar/AVP, and future engines — no vendor lock-in.
Version-controlled
A Git-like policy lifecycle with snapshots, diffs, and promotion across environments. Every change is traceable, reviewable, and reversible.
Compliance-ready
Built-in audit trails, access reviews, and decision log collection. Demonstrate compliance with SOC 2, ISO 27001, HIPAA, and other frameworks out of the box.
Ready to centralize your authorization?
Start authoring, versioning, and deploying your access policies from a single control plane — free for small teams.