Skip to main content

Rego Essentials for Authorization

Rego is OPA's declarative language. These patterns cover most authorization policies in EnforceAuth customers' repos.

Default deny

package authz

default allow := false

allow if {
input.action == "read"
input.user.clearance >= input.resource.classification
}

Role checks

allow if {
some role in input.user.roles
role == "platform-admin"
}

Testing

opa test ./policies -v

Add tests alongside policies in CI before EnforceAuth promotion.

Full language reference

Rego builtins, comprehensions, and modules: OPA Policy Language

Next