If you're willing to take the pain of setting up an actual authz model, I've found OpenFGA^ to be really nice. We used it to set up some pretty complex authz involving cross-agent/user/org creation and sharing of data. It's not _simple_, but it is effective.
It's Apache 2.0 and a CNCF incubating project.
Thank you. This is very interesting. I'm excited to see an open source project adopt a zanzibar-oriented approach to resource management. This is exciting!
Just before I hurl myself at this for several days/weeks -- where were the pain points? I'm usually wary of new projects in this space but OpenFGA looks pretty mature already