OPA Best Practices
Opinionated guidance for production OPA with EnforceAuth.
1. Default deny everywhere
Every package should default allow := false (or explicit deny outcome). Fail closed.
2. Keep policies small and composable
Split by domain (authz.api, authz.data) and use import — easier review and testing.
3. Test in CI
opa test on every PR. EnforceAuth promotion should not be the first time a rule is evaluated.
4. Watch bundle size
Large data.json slows activation. Prefer PIP calls or scoped data snapshots where possible.
5. Log decisions consistently
Use OPA decision logs compatible with EnforceAuth ingestion. Configure the decision log plugin per PDP integration. See Decision logs.
6. Prefer patterns over one-offs
Reuse Rego patterns (RBAC, ABAC, deny overrides) instead of inventing new structures per service.