2 mins read

Authoring Access Policies Using REGO or Visual Editor

Cloudentity enables developers to implement authorization policies using Open Policy Agent's REGO language or using Cloudentity built-in visual editor.

Authorization Policy Visual Editor

Cloudentity’s intuitive built-in visual editor makes policy formulation both flexible and user-friendly, but, at the same time, allows for advanced policy definition.

Policy Visual Editor

The visual editor provides a more straightforward avenue for individuals who may not be proficient in scripting, thus democratizing the policy definition process across different skill levels within an organization. You create a logical structure composed of validators (provided out of the box by Cloudentity) where each validator returns true or false based on the checks it performs. As a result, Cloudentity can evaluate whether to pass on or block the request.

graph LR REQ(Request) VAL1(Validator 1) VAL2(Validator 2) VAL3(Validator 3) EVAL{Policy decision} TAR(Target) BLOCK((Block)) REQ-->VAL1 REQ-->VAL2 REQ-->VAL3 VAL1--true/false-->EVAL VAL2--true/false-->EVAL VAL3--true/false-->EVAL EVAL--fail-->BLOCK EVAL--pass-->TAR

Validators can perform the following actions:

  • Check attributes from the request context (including authentication context, ID and access tokens, secrets, and scopes)

  • Check request header parameters

  • Check dynamic scopes

  • Embed existing policies into the current policy

  • Add if/else logic to the policy

  • Provide MFA checks with OTP recovery

  • Match values based on wildcards, i.e. admin-* matching admin-123

Authorization Policies in OPA’s REGO Language

The Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.

OPA gives you a high-level declarative language called Rego to author and enforce policies across your stack. When you query OPA for a policy decision, OPA evaluates the rules and data (which you provide) to produce an answer. The policy decision is sent back as the result of the query.

Cloudentity contains an embedded Rego editor which also includes code samples to help you get started. When creating policies in Cloudentity, keep in mind to take the policy type into account.

REGO policy editor

Policy Types

Policy type Description
User User policies validate requests involving user interaction. They can be assigned on a workspace level (Token issue policy), application level (User policy) and service scope level (Consent grant policy).
Developer Developer policies validate client registration and developer subscriptions to a given scope. They can be assigned on a workspace level (Client registration policy) and service scope level (Client assignment policy).
Machine to machine These policies validate a token request coming from a client using the Client credentials OAuth 2.0 flow. They can be assigned on a workspace level (Machine token policy) and service scope level (Machine to Machine policy).
Dynamic Client Registration DCR policies are used to validate Dynamic Client Registration requests.
API Request An API policy validates requests coming to APIs protected by a gateway bound to Cloudentity.
Updated: Sep 28, 2023