I've been interested in this problem space for a couple of years, have tried a whole bunch of products but settled on using cedar policy engine[1] wrapped in some custom code and using the application database and static files to generate policies that can be concatenates to make decisions. A useful property is that they can be indexed based on the "subject verb object" triplet used to represent authorisation queries (e.g. Can "John" download "File 1"?)
Have tried a whole bunch of other FGA providers with their own storage and retrieval services, I think that fundamentally all the DSLs are just variants on prolog and can be quite easily transformed into one another. Another thing to consider is that authorisation is in the critical path of everything, so if you need to call out to an external service it's going to add latency and becomes a single point of failure. Not to mention that it creates an explosion of complexity by distributing the system more widely, so if you can leverage your existing database and file storage to manage policies it's probably easier to build and mange long-term.
Overall I think it's worthwhile using an FGA solution to separate authorisation from business logic, I expect this will become industry standard in the years to come.
Have tried a whole bunch of other FGA providers with their own storage and retrieval services, I think that fundamentally all the DSLs are just variants on prolog and can be quite easily transformed into one another. Another thing to consider is that authorisation is in the critical path of everything, so if you need to call out to an external service it's going to add latency and becomes a single point of failure. Not to mention that it creates an explosion of complexity by distributing the system more widely, so if you can leverage your existing database and file storage to manage policies it's probably easier to build and mange long-term.
Overall I think it's worthwhile using an FGA solution to separate authorisation from business logic, I expect this will become industry standard in the years to come.
[1] https://www.cedarpolicy.com/en