What is OPA (Open Policy Agent)?

Open Policy Agent (OPA) is a general-purpose policy engine that has an emphasis on policy enforcement for cloud infrastructure.

What Language does OPA use for authorization?

OPA uses its own language for writing policies, Rego. Rego is a declarative language designed for inspecting and transforming structured data such as JSON and YAML, the formats in which access to cloud infrastructure is typically expressed.

Rego was inspired by Datalog, but extended Datalog to support structured document models such as JSON and YAML.

How do you create an OPA policy?

Authorization in OPA starts with loading your authorization data in a structured format like JSON. You then write policy rules in Rego to transform the data as needed in order to derive the authorization context of the data, such as determining a user’s role or figuring out which organization a file belongs to. When the data is in the right structure, you inspect it to determine whether to allow or deny a request.

How do you design RBAC in OPA?

To design RBAC in OPA, you will first associate your users with their roles in a data structure such as a dictionary, for example:

Then, you’ll associate the roles with permissions in another dictionary:

With these data structures in place, you can implement logic to determine whether a user has permission to perform a given action based on their role:
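As an added example that is not part of the original page, the following Rego policy puts the three pieces together: the user-to-role and role-to-permission dictionaries and the rule that evaluates them. The user, role and resource names are constructed sample data, and the request shape `{"user", "action", "resource"}` is an assumption.

```rego
package app.rbac

import rego.v1

# Step 1: users -> roles. Constructed sample data; in a real deployment this
# would normally be loaded as external data (data.json) rather than hard-coded.
user_roles := {
	"alice": ["admin"],
	"bob": ["viewer"],
}

# Step 2: roles -> permissions, each permission being an (action, resource) pair.
role_permissions := {
	"admin": [
		{"action": "read", "resource": "document"},
		{"action": "write", "resource": "document"},
	],
	"viewer": [
		{"action": "read", "resource": "document"},
	],
}

# Step 3: deny by default, allow only when some role of input.user grants the
# requested action on the requested resource. Assumed input shape:
# {"user": "...", "action": "...", "resource": "..."}.
default allow := false

allow if {
	some role in user_roles[input.user]
	some perm in role_permissions[role]
	perm.action == input.action
	perm.resource == input.resource
}

# Unit tests runnable with `opa test`. An unknown user makes user_roles[input.user]
# undefined, so the rule body fails and the default of false applies.
test_admin_can_write if {
	allow with input as {"user": "alice", "action": "write", "resource": "document"}
}

test_viewer_cannot_write if {
	not allow with input as {"user": "bob", "action": "write", "resource": "document"}
}

test_unknown_user_denied if {
	not allow with input as {"user": "mallory", "action": "read", "resource": "document"}
}
```

Query `data.app.rbac.allow` with `opa eval` against a JSON input of that shape to get the decision; the tests cover the allow, deny and unknown-user cases.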

What does OPA do well?

OPA is a general-purpose policy engine. It’s designed to accept data from a variety of systems in their native format. Its rules language, Rego, provides primitives that allow you to transform and inspect its data as needed during evaluation to make authorization decisions. In this way, OPA emphasizes interoperability with third-party systems, where the data isn’t under your direct control. It is also well suited to machine-to-machine operations.

What are Open Policy Agent alternatives?

Oso is a good alternative to OPA for use cases like application authorization. Oso’s policy language, Polar, is built around the higher-order entities that you model in applications, such as actors, roles, and relationships. This makes it a natural fit for the application authorization domain.

Read our overview of the distinctions between Open Policy Agent and Oso.

Looking for an authorization service?

Engineering teams are increasingly adopting services for core infrastructure components, and this applies to authorization too. There are a number of authorization-as-a-service options available. OPA is a popular general-purpose policy engine that implements authorization logic as low-level operations on structured data.

Oso Cloud is a managed authorization service that is tailored to application authorization. You use Oso Cloud to provide fine-grained access to resources in your app, to define deep permission hierarchies, and to share access control logic between multiple services in your backend. You do all this by using the same sorts of higher-order entities that you’re already modeling in your application: users, roles, relationships, attributes.

Oso also comes with built-in primitives for patterns like RBAC and ReBAC, and it is extensible for other use cases like attribute-based access control (ABAC). It is built using a best-practices data model that makes authorization requests fast and ensures that you don’t need to make schema changes to make authorization changes. It provides APIs for enforcement and data filtering. Oso Cloud is also deployed globally for high availability and low latency.

Oso Cloud is free to get started – try it out. If you’d like to learn more about Oso Cloud or ask questions about authorization more broadly, set up a 1x1 with an Oso engineer.
