From Complex Models to Clear Decisions

See how your existing authorization relationships transform into clear, evaluable Cedar policies

SCATTERED ACROSS YOUR CODEBASE Fragmented

api/documents.js:47

if (user.role === 'admin' ||
    user.teamId === doc.ownerId) {
  return doc;
}

middleware/auth.js:123

const allowed = await db.query(
  `SELECT * FROM permissions
   WHERE user_id = ?`, [userId]
);

utils/jwt.js:34

const decoded = jwt.verify(token, SECRET);
if (decoded.permissions.includes('write')
    && decoded.scope === resource.scope) {
  return true;
}

⚠ Logic duplicated in 12+ files

⚠ No single source of truth

⚠ Hard to audit or reason about

zstrike

ONE CEDAR POLICY Unified

permit(
    principal,
    action == Action::"view",
    resource
) when {
    // Team ownership check
    principal.team == resource.owner
};

permit(
    principal in Group::"editors",
    action,
    resource
);

permit(
    principal,
    action,
    resource
) when {
    resource.public == true
};

✓ All rules in one place

✓ Auditable and testable

✓ Consistent enforcement

TRACING "WHY WAS ACCESS DENIED?" Scattered

? User Bob couldn't access document. Why?

📁 api-gateway.log 10:23:41

INFO: Request /docs/123 from user_id=bob

📁 auth-service.log 10:23:41

DEBUG: Token validated for bob

📁 postgres.log 10:23:42

SELECT * FROM permissions WHERE...

📁 doc-service.log 10:23:42

WARN: Access check failed

📁 middleware.log ???

(no relevant logs found)

🤷 Still unclear. Check code? Ask developer?

⚠ Logs scattered across services

⚠ No clear decision trail

zstrike

UNIFIED DECISION LOG Traceable

#a]824f 10:23:42.031 DENY

Principal User::"bob"

Action Action::"view"

Resource Document::"123"

Policy team_ownership

Reason bob.team = "Sales" != doc.owner = "Engineering"

Full context available:

request_id policy_version evaluation_time entity_attrs

✓ Single source of truth

✓ Clear deny reason

✓ Full audit trail

✓ PERMIT

EVALUATE

Alice → view → design-docs

principal.team == resource.owner

Alice.team = "Engineering" == design-docs.owner = "Engineering"

Eliminate centralized bottlenecks

Traditional centralized authorization creates performance bottlenecks and single points of failure. ZStrike moves authorization to the last mile—right where your applications run.

Zero network round-trips for authorization decisions
Continue operating even when disconnected from control plane
Local context-aware decisions with real-time application state
Eliminate authorization as a scalability bottleneck

$ zstrike benchmark --requests 1000000

Running authorization benchmark...

✓ Completed 1,000,000 requests

Average: 0.18ms

P99: 0.31ms

$ zstrike health-check

✓ Control plane: Disconnected

✓ Local engine: Active

✓ Auth decisions: Operational

→ Serving from cached policies

Local Entity Store for instant decisions

Leverage locally cached data stored in the Entity Store for lightning-fast policy evaluation. Keep authorization data constantly up-to-date by syncing with your existing infrastructure—LDAP directories, databases, or REST APIs—ensuring fresh context without network latency.

Local Entity Store with cached user, group, and resource data
Real-time sync with LDAP, Active Directory, and identity providers
Database integration for dynamic attribute and permission updates
REST API connectors for custom data sources and services

Policy-as-Code at the edge

Define policies centrally, enforce them locally. Our Policy-as-Code approach combines centralized governance with distributed enforcement for the best of both worlds.

Declarative Cedar policies distributed to local engines
Cached policies for resilient, offline-capable authorization
Central control plane for consistent policy management
ABAC and ReBAC support for complex access patterns

permit(

principal == User::"alice",

action == Action::"read",

resource in Folder::"documents"

);

$ npm install @zstrike/sdk

+ @zstrike/sdk@2.4.1

$ zstrike init

✓ Project initialized

✓ Ready in 0.3s

Sidecar pattern for microservices

Deploy authorization as a sidecar alongside your applications. Perfect for Kubernetes and microservices architectures requiring service-level autonomy.

Co-located sidecars eliminate network latency
Language-agnostic enforcement across all services
Decouple authorization logic from application code
SDK integration for legacy applications

Last Mile Authorization

Stronger Security Seamless Scaling Reliable Performance Smarter Access Simpler Integration Enterprise Compliance Developer Agility

Local decisions, global control

From Complex Models to Clear Decisions

Eliminate centralized bottlenecks

Local Entity Store for instant decisions

Policy-as-Code at the edge

Sidecar pattern for microservices

Last mile vs centralized

Get in touch

Last Mile Authorization Stronger Security Seamless Scaling Reliable Performance Smarter Access Simpler Integration Enterprise Compliance Developer Agility

Local decisions, global control

From Complex Models to Clear Decisions

Eliminate centralized bottlenecks

Local Entity Store for instant decisions

Policy-as-Code at the edge

Sidecar pattern for microservices

Last mile vs centralized

Get in touch

Last Mile Authorization

Stronger Security Seamless Scaling Reliable Performance Smarter Access Simpler Integration Enterprise Compliance Developer Agility