I work in a highly regulated environment and evaluated using Cedar or OPA.
The biggest advantage to OPA was the flexibility. This enabled not just an authorization decision, but the why behind it. No more questions of why did this person/system gain (or was denied) access, combing through dozens of rules to find the matching statements. Just pull up the log and read the results… This is incredibly useful during audits.
Cedar could not provide that level of detail (or so I was told by AWS representatives selling their hosted version).
It's a cedar related issue. I like to know every check that was run for a policy and the result. Cedar will only provide the name of the policy that granted/denied.
OPA is much more wide ranging. You can use it for permissions, sure, but also just about anything else you can imagine. I think that makes it much more compelling as a technological investment.
The benefit of Cedar mainly comes down to the language. Cedar was designed to sit in the middle of a runtime call, so it has reliably low latency (see comparison here: https://twitter.com/Sarah_Cecc/status/1766141060370329748) even at high scale. It's way more readable so it's easier to author and debug. And it's validated against formal methods proofs so certain properties of the language (like default deny) are mathematically proven.
More about the benefits of Cedar here: https://cedarland.blog/design/why-cedar/content.html
