Entity Model and Configuration
EnforceAuth organizes authorization work under entities — a hierarchy of organizations and systems that own policy sources, bundle destinations, environments, secrets, and API keys.
Manage the tree at System Settings → Entity Management (/system-settings/entities).
Entity types
| Type | Role |
|---|---|
| Organization | Tenant-scoped root or intermediate node; global defaults for policy source, bundle destination, and environments |
| System | Deployable unit — typically one application or service boundary that receives bundles and sends decision logs |
The API also supports user entities for identity graph use cases; the console create form offers Organization and System only.
Hierarchy rules
- Every new entity (except tenant bootstrap) must have a parent — you cannot create arbitrary root orgs after initial setup. The form error is explicit: Select a parent entity. New root entities can only be created during tenant setup.
- Root organizations have no parents and display a Root badge. Root entities cannot be deleted.
- Navigate Path to Root, Parents, and Children on the entity detail page. Empty states: No parent entities / No child entities.
Views on Entity Management:
- Table — flat list with type and relationships
- Graph — visual hierarchy
Subtitle on the page: Entity Structure with org/system counts.
What attaches to an entity
Entity detail groups operational config:
| Section | Purpose |
|---|---|
| Relationships | Parent/child links in the authz graph |
| Configuration | Policy source, bundle destination, environments |
| Secrets | Credentials for Git, cloud storage, etc. |
| API Keys | Service identities for decision log ingestion |
| CI/CD Tokens | Pipeline authentication for automated deploys |
Routes:
- List:
/system-settings/entities - Create:
/entities/new - Detail:
/entities/:id - Edit:
/entities/:id/edit
Legacy /entities redirects to System Settings.
Configuration types
Three config kinds drive deployments:
Policy source
Connects Git (GitHub today) with branch and policy_path. EnforceAuth clones the repo during deploy and runs opa test + bundle build.
Org-level note in UI: Global default, can be overridden at system level.
Bundle destination
Where PDPs fetch bundles — S3, GCS, Azure Blob, or Git output. System-level note: If blank, inherits from parent organization.
Environments
Maps environment names (e.g. dev, staging, prod) to promotion targets and optional per-environment branch/path or destination overrides. See Deployments.
Configuration inheritance
Child entities inherit effective config from ancestors unless they define an override.
The console resolves inheritance via the effective-config API and shows:
- Inherited from parent entity name — dashed border on inherited cards
- Will inherit from parent entity — placeholder when a field is empty
- InheritedPathDisplay — merged policy or bundle paths from ancestors
Depth in API responses: 0 = defined on this entity, >0 = from an ancestor.
Practical rules:
- Set policy source and bundle destination at the org if most systems share one repo or storage account
- Override at the system when a team needs an isolated repo or bucket
- Environment bundle destination overrides can be partial — storage backend identity may still come from the parent
Deploy eligibility uses effective config: a system with no local policy source still deploys if it inherits both source and destination from its org.
Policies and entities
On the Policies page, each row shows:
- System — owning entity name
- Inherited By / Imposed On — how policy packages flow through the hierarchy
This helps answer whether a Rego file applies only locally or propagates to descendant systems.
Deployability checklist
Before an entity appears in the Deploy dialog:
- Effective policy source exists (local or inherited)
- Effective bundle destination exists (local or inherited)
- Target environment is configured on the entity
Missing pieces surface as Not configured, Missing policy source, or Missing bundle destination in the deploy picker.
API keys and decision logs
API keys scoped to an entity authenticate OPA/EOPA instances that send decision logs for policies under that subtree. See Decision logs.
Common patterns
Single org, many systems
Acme Corp (org)
├── Payments API (system)
├── Admin Portal (system)
└── Data Pipeline (system)
Org holds default Git repo and S3 bucket; systems override only when teams need isolation.
Business unit per org
Enterprise Root (org)
├── Retail Division (org)
│ └── Storefront (system)
└── Wholesale Division (org)
└── B2B API (system)
Each division owns environments and promotion chains independently.
Verify success
- Entity appears in hierarchy with correct parent
- Effective config shows expected source/destination (own or inherited)
- Deploy dialog lists the entity without configuration warnings
- Policies and decision logs scope to the intended system name