# help
c
Hi, I am new to Cerbos, and also to Ory.sh. I am evaluating both platforms to use with our ML-based open-source tool we are developing. I have a few questions, please help. Which product of Ory's open-source tools can I compare with Cerbos? https://www.ory.sh/open-source/

Ory Kratos is a fully customizable, API-only platform for login, two-factor authentication, social sign in, passwordless flows, registration, account recovery, email / phone verification, identity and user management.

Ory Hydra is an API-only OAuth 2.0 and OpenID Connect provider that can interface with any identity and user management system (e.g. Ory Kratos, Firebase, your PHP app, LDAP, SAML ...).

Ory Oathkeeper is a zero trust networking proxy and sidecar for popular ingress services and API gateways. It checks if incoming network requests are authenticated and allowed to perform the requested action.

Ory Keto is the world's first implementation of Google's Zanzibar research paper, an infinitely scalable and blazing fast authorization and permission service. Think RBAC on globally distributed steroids.

Among Ory's tools, which one can I use along with Cerbos? Or does Cerbos have a full set of tools for all the access control purposes like Ory has?
c
I don't think you can directly compare Ory and Cerbos. Most of Ory's products are identity management products and Cerbos does not try to provide identity management because we believe it's a solved problem. Our focus is on declarative access controls using a hybrid of RBAC and ABAC models. Ory Keto is the closest product that tries to address access management. It's a Zanzibar implementation. Zanzibar is great if you need ACL-like access controls, but the downside is that you have to keep replicating your data to the Zanzibar system to keep the relationship data fresh because that's what it relies on. Also, it is not quite possible to model contextual decisions like "user can only access this between 9am and 5pm". So, I would say it's not a straightforward decision like either Ory or Cerbos or <insert product here>. Most likely you'll need both.
a
Just to build on that:

- Cerbos is independent of the identity provider - not limited to Kratos/what Hydra supports.
- Cerbos can run similarly to how Oathkeeper is deployed but goes beyond just authorising network requests and integrates into your business logic, allowing for more contextual authorization making use of information on both the user and the resource being accessed (as well as other request-time variables like a JWT, IP address or even time of day etc).
- Cerbos isn't just another Zanzibar implementation but rather a fully featured, cloud-native authorization service that enables flexible, dynamic policies to be defined and checked from any point in your application stack (backend, frontend, sidecar, in-process - you are limited). Supporting both RBAC and more fine-grained ABAC, we believe this approach is far more applicable to the majority of use cases than the Google-scale problem of sharing permissions logic that Zanzibar was created for.