Architecture

Aserto has two major components:

  • Authorizer: where authorization decisions are made.
  • Control Plane: manages all the artifacts that the Authorizer uses to make authorization decisions.

Authorizer

The Authorizer is an open source authorization service which uses the Open Policy Agent (OPA) engine to compute a decision based on a policy, user context, and resource data. It is most commonly deployed close to your application, to offer the lowest latency and the highest level of availability to your application.

In addition to using OPA as its decision engine, the Authorizer includes an embedded database that caches all the data that's needed for authorization decisions. This data is sourced from the Aserto Directory, which inherits its design from Google's Zanzibar system.

Control Plane

The Aserto Control Plane manages the lifecycle of policies, user context, and resource data that are used by the Authorizer. The Control Plane makes it easy to manage these artifacts centrally, and takes care of the details of synchronizing them to the Authorizer instance(s) deployed at the edge.

The Control Plane also aggregates all of the outputs from the Authorizers, including decision logs, to give an administrator a centralized, single-system view of a complex distributed system.

Next Steps

If you're new to authorization, check out the Authorization Basics topic to learn more about the differences between AuthN and AuthZ, and also about the various styles of authorization.

Otherwise, let's dive deeper into the Aserto Concepts.