The recurring theme of the Zanzibar approach to authorization is that it's prescriptive. The data format, logic language, and API are all tightly specified in order to define authorization in terms of relations between objects and users.<p>This approach makes a lot of sense at google, which has a famously monolithic culture and the ability to enforce top-down standards. But not so much at other companies.