A blueprint for building a generic authorization service for your organization

Ashwin Sidhalinganahalli, Fletcher Ramee

BSidesSF 2026 · Day 2 · AMC Theatre 09

In distributed systems, managing access control consistently across thousands of microservices is hard: each service tends to grow its own authorization checks, which leads to inconsistent enforcement, security gaps, and slower development. This talk, presented by Ashwin Sidhalinganahalli and Fletcher Ramee from Roblox's Platform Security team, presents a production-tested blueprint for building a generic, scalable, highly available authorization service within an organization. The design decouples authorization logic from application code, centralizes policy and relationship management, and pushes enforcement out to the services themselves using open-source tools.
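To make the shape of that architecture concrete, here is a small added example (not code from the talk, from Roblox, or from any of the open-source tools it uses). It sketches the three pieces the abstract names: a central store holding relationship tuples and a schema, a Zanzibar-style check() that resolves direct tuples, nested usersets and schema-implied relations, and a local enforcement point that applications call so no authorization rule lives in application code. The object types, relations, schema and sample tuples are assumptions made up for the illustration.

```python
# Added example, not code from the talk or from Roblox's service. Type names,
# relations, the schema and the sample tuples are all assumptions.
from typing import Dict, List, Set, Tuple

# A relation tuple is (object, relation, subject). The subject is either a
# concrete user ("user:alice") or a userset ("group:eng#member"), meaning
# "everyone who holds relation member on group:eng".
RelationTuple = Tuple[str, str, str]

# Schema: per object type, relation -> relations that imply it (computed
# usersets). Owning a document implies editing it; editing implies viewing.
SCHEMA: Dict[str, Dict[str, List[str]]] = {
    "document": {"viewer": ["editor"], "editor": ["owner"], "owner": []},
    "group": {"member": []},
}

MAX_DEPTH = 10  # guard against cyclic group memberships


class CentralAuthz:
    """Central relationship/policy store (the policy administration point)."""

    def __init__(self, tuples: List[RelationTuple]) -> None:
        self._tuples: Set[RelationTuple] = set(tuples)

    def write(self, t: RelationTuple) -> None:
        self._tuples.add(t)

    def delete(self, t: RelationTuple) -> None:
        self._tuples.discard(t)

    def snapshot(self) -> Set[RelationTuple]:
        """What an enforcement point pulls for local evaluation."""
        return set(self._tuples)


def check(tuples: Set[RelationTuple], obj: str, relation: str, user: str,
          depth: int = 0) -> bool:
    """Zanzibar-style check: is `user` a member of the userset obj#relation?"""
    if depth > MAX_DEPTH:
        return False  # fail closed on runaway recursion (cyclic memberships)
    obj_type = obj.split(":", 1)[0]
    # 1. Direct tuples and nested usersets on this object/relation.
    for (o, r, subject) in tuples:
        if o != obj or r != relation:
            continue
        if subject == user:
            return True
        if "#" in subject:
            sub_obj, sub_rel = subject.split("#", 1)
            if check(tuples, sub_obj, sub_rel, user, depth + 1):
                return True
    # 2. Relations the schema says imply this one (e.g. owner -> editor).
    for implied in SCHEMA.get(obj_type, {}).get(relation, []):
        if check(tuples, obj, implied, user, depth + 1):
            return True
    return False


class LocalEnforcer:
    """Policy enforcement point running next to a service. It evaluates against
    a locally held snapshot, so a central outage degrades to stale data rather
    than a hard failure, and it records every decision for audit."""

    def __init__(self, central: CentralAuthz) -> None:
        self._central = central
        self._tuples: Set[RelationTuple] = set()
        self.decisions: List[Tuple[str, str, str, bool]] = []
        self.refresh()

    def refresh(self) -> None:
        self._tuples = self._central.snapshot()

    def allow(self, user: str, relation: str, obj: str) -> bool:
        ok = check(self._tuples, obj, relation, user)
        self.decisions.append((user, relation, obj, ok))
        return ok


def demo() -> Dict[str, bool]:
    # Constructed sample data for the illustration.
    central = CentralAuthz([
        ("document:roadmap", "owner", "user:alice"),
        ("document:roadmap", "viewer", "group:eng#member"),
        ("group:eng", "member", "user:bob"),
        ("group:eng", "member", "group:platform#member"),
        ("group:platform", "member", "user:carol"),
    ])
    pep = LocalEnforcer(central)
    results = {
        "alice_edits": pep.allow("user:alice", "editor", "document:roadmap"),  # via owner
        "bob_views": pep.allow("user:bob", "viewer", "document:roadmap"),      # via group
        "carol_views": pep.allow("user:carol", "viewer", "document:roadmap"),  # nested group
        "bob_edits": pep.allow("user:bob", "editor", "document:roadmap"),      # denied
    }
    # A revocation at the centre is invisible until the enforcer refreshes.
    central.delete(("group:platform", "member", "user:carol"))
    results["carol_stale"] = pep.allow("user:carol", "viewer", "document:roadmap")
    pep.refresh()
    results["carol_after_refresh"] = pep.allow("user:carol", "viewer", "document:roadmap")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allow' if ok else 'deny'}")
```

The last two results in demo() are the part worth dwelling on: distributed enforcement against a local snapshot buys availability, but it also means revocations take effect only after the next refresh, so the refresh interval is a security parameter and deserves the same scrutiny as the policy itself.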

AI review

A competent, well-structured case study on building a centralized authorization plane at Roblox using OPA/Topaz — honest about trade-offs, grounded in real production numbers, and contains a few genuinely useful engineering details. Nothing here will surprise anyone who's read the Zanzibar paper or run OPA in prod, but it's delivered with enough operational specificity to be worth the slot at BSides SF.
