Skip to main content

OPA Best Practices

Opinionated guidance for production OPA with EnforceAuth.

1. Default deny everywhere

Every package should default allow := false (or explicit deny outcome). Fail closed.

2. Keep policies small and composable

Split by domain (authz.api, authz.data) and use import — easier review and testing.

3. Test in CI

opa test on every PR. EnforceAuth promotion should not be the first time a rule is evaluated.

4. Watch bundle size

Large data.json slows activation. Prefer PIP calls or scoped data snapshots where possible.

5. Log decisions consistently

Use OPA decision logs compatible with EnforceAuth ingestion. Configure the decision log plugin per PDP integration. See Decision logs.

6. Prefer patterns over one-offs

Reuse Rego patterns (RBAC, ABAC, deny overrides) instead of inventing new structures per service.

Official OPA guides