Company
Date Published
Author
Evan Cordell
Word count
1843
Language
English
Hacker News points
3

Summary

At AuthZed, they are building a platform around SpiceDB, an open-source, ReBAC-based authorization system inspired by Google Zanzibar. They explore the differences between policy-based access control (PBAC) and ReBAC, noting that PBAC solutions typically reuse standard software development lifecycle tools and techniques, whereas ReBAC systems like SpiceDB store relationships as facts and define a schema that relates those facts into a graph. This approach gives more flexibility in answering authorization questions, including RBAC and ABAC ones. The authors argue that policy engines tend to shine when all the data for a decision can be derived statelessly within the engine, but when external data must be queried, the engine's own performance no longer guarantees fast evaluation times. They also discuss their own use case at AuthZed, where they mix approaches: a dedicated SpiceDB instance handles permissions in the Serverless platform, and policy-like features from Kubernetes projects are used elsewhere. They conclude that whether PBAC or ReBAC is the better fit depends on the authorization problems encountered.