
How to Build Authorization like Netflix with Open-Source - OPA & OPAL

5.0K views · 185 likes · 7:10 · Mar 8, 2023


Contribute to OPAL for free ► https://io.permit.io/contribute-to-opal

Build Authorization with a no-code UI ► https://io.permit.io/use-permit

Blog ► https://io.permit.io/netflix-blog-article

Authorization is hard - and many developers don't realise that it's a fundamental building block of any application! Scaling it for a large audience is even harder. Writing your own from scratch is almost impossible to get right. Netflix had to fix this problem for themselves, and they used OPA to write their own implementation. The problem is, they never shared it.

INQUIRIES AND COLLABORATIONS ► grebowskifilip@gmail.com

MY INFLUENCER MARKETING AGENCY ► https://mensoi.com

Join my Newsletter ➡ https://shop.developerfilip.com/sign-up

🔥 Follow me on Twitter ► https://www.twitter.com/developerfilip

Follow me on Instagram ► https://www.instagram.com/developerfilip

Check me out on GitHub ► https://github.com/FilipGrebowski

Music by @epidemicsound

#developer #opensource #opal

About This Video

Netflix has over 220 million active users, and with that kind of scale, security isn’t just “nice to have” — it’s a fundamental building block. In this video I break down why authorization (who can access what) becomes increasingly important as a company grows, and why it’s not the same thing as authentication (verifying identity). I also explain how authorization can go way beyond “only paying users can watch,” like tailoring content by country and even adjusting pricing using purchasing power parity.

Then I get into the real problem: writing authorization policies is hard to get right, especially at scale. A common approach is using OPA (Open Policy Agent), which is a powerful open-source policy engine that lets you define policy as code using Rego. But Rego adds a learning barrier, and Netflix didn’t want policy management to be limited to a tiny group of specialists. Their solution was to build a UI on top of OPA to abstract complexity, and then add unit testing to confirm the policy actually captured the intent.

Finally, I show the open-source path that’s available to everyone: OPAL (Open Policy Administration Layer) from permit.io. OPAL wraps OPA with a layer that responds to live policy and data changes, keeping services in sync with the authorization data they need. It’s a great example of open source doing what it does best: transparent, community-built infrastructure that can make complex authorization feel dramatically simpler.
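
The policy-as-code and unit-testing ideas described above, as an added example that is not from the video, Netflix, or the OPAL project. The package name, input fields (`action`, `user.subscription`, `user.country`, `title.licensed_countries`) and sample values are assumptions constructed for illustration.

```rego
# Constructed example: policy and its tests in one file for brevity.
# Run with: opa test streaming.rego -v
package streaming.authz

import rego.v1

# Deny by default; a request is allowed only if the rule below holds.
default allow := false

# Intent: a viewer may play a title only with an active paid
# subscription AND only if the title is licensed in their country.
allow if {
	input.action == "play"
	input.user.subscription == "active"
	input.user.country in input.title.licensed_countries
}

# --- Unit tests: each one pins down one piece of the intent ---

test_paying_user_in_licensed_country_allowed if {
	allow with input as {
		"action": "play",
		"user": {"subscription": "active", "country": "GB"},
		"title": {"licensed_countries": ["GB", "US"]},
	}
}

test_lapsed_subscription_denied if {
	not allow with input as {
		"action": "play",
		"user": {"subscription": "lapsed", "country": "GB"},
		"title": {"licensed_countries": ["GB", "US"]},
	}
}

test_unlicensed_country_denied if {
	not allow with input as {
		"action": "play",
		"user": {"subscription": "active", "country": "PL"},
		"title": {"licensed_countries": ["GB", "US"]},
	}
}

# Malformed or partial input must fall through to the default deny.
test_missing_fields_denied if {
	not allow with input as {"action": "play"}
}
```

The denial tests matter as much as the allow test: they are what catches a policy that was loosened by mistake or that fails open on incomplete input.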
