Open Policy Agent (OPA) Policies

With Abbey, you can use Open Policy Agent (OPA) to define your policies. There are 3 different areas where policies are evaluated:
  1. When access is requested - policy checks are run to determine if access should even be granted. These policies are placed into the Grant Kit's policies.grant_if block. Generally, if the check fails, the Grant Workflow won't even run.
  2. When access has been granted and is being used - Abbey will continuously monitor access by checking against policies in the policies.revoke_if block. If these policy checks pass (i.e., revocation should happen), then Abbey will revoke access using the normal Access Management as Code flow (generate HCL code in your Terraform access file -> submit a PR -> run CI -> merge -> materialize changes).
  3. For each step of a Grant Workflow - Workflows have steps. Steps may be skipped as defined by the skip_if block. This block evaluates OPA policies.
For more information on OPA policy evaluation, visit the abbey-opa-constraint-framework page.
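
The three evaluation points above, sketched as one Rego module. This is an added example, not Abbey's own code: the package name, the rule names and the shape of `input` are assumptions made for illustration, and Abbey's actual input schema and rule conventions are described on the abbey-opa-constraint-framework page.

```rego
# Added example. Package, rule names and input fields are hypothetical.
# Constructed sample input:
#   {"requester": {"groups": ["oncall"]},
#    "resource":  {"environment": "staging"},
#    "grant":     {"granted_at": "2024-01-01T09:00:00Z"}}
package example.access

import rego.v1

# Longest time a grant may stay active before it is revoked.
max_grant_ns := time.parse_duration_ns("8h")

# Helper: undefined (not false) when the groups field is missing.
is_oncall if "oncall" in input.requester.groups

# grant_if: evaluated when access is requested.
# Defaults to false, so a missing or malformed input denies the request.
default grant_if := false

grant_if if is_oncall

# revoke_if: evaluated while access is in use. Here a passing check
# means "revoke", the opposite polarity of grant_if.
default revoke_if := false

# Revoke once the grant is older than the maximum duration.
revoke_if if {
	granted_ns := time.parse_rfc3339_ns(input.grant.granted_at)
	time.now_ns() - granted_ns > max_grant_ns
}

# Revoke when the requester is no longer on call. `not is_oncall` is also
# true when the groups field is absent, so missing data revokes access.
revoke_if if not is_oncall

# skip_if: evaluated per workflow step. A passing check skips the step,
# so keep the condition narrow: it removes a review from the workflow.
default skip_if := false

skip_if if {
	input.resource.environment == "staging"
	is_oncall
}
```

With the sample input saved as input.json, `opa eval -d policy.rego -i input.json "data.example.access"` shows all three decisions at once. Note that the defaults differ in effect: a false grant_if blocks access, while a false revoke_if and skip_if leave access and the review step in place.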