Rego Essentials for Authorization
Rego is OPA's declarative language. These patterns cover most authorization policies in EnforceAuth customers' repos.
Default deny
package authz
default allow := false
allow if {
input.action == "read"
input.user.clearance >= input.resource.classification
}
Role checks
allow if {
some role in input.user.roles
role == "platform-admin"
}
Testing
opa test ./policies -v
Add tests alongside policies in CI before EnforceAuth promotion.
Full language reference
Rego builtins, comprehensions, and modules: OPA Policy Language
Next
- Rego patterns — RBAC, ABAC, deny overrides
- OPA best practices
- Testing policies
- PDP integration