Open Policy Agent (OPA) Policies
With Abbey, you can use Open Policy Agent (OPA) to define your policies. There are 3 different areas where policies are evaluated:
1. When access is requested - policy checks are run to determine whether access should be granted at all. These policies are placed in the Grant Kit's `policies.grant_if` block. Generally, if the check fails, the Grant Workflow won't even run.
2. When access has been granted and is being used - Abbey continuously monitors access by checking against the policies in the `policies.revoke_if` block. If these policy checks pass (i.e., revocation should happen), Abbey revokes access using the normal Access Management as Code flow (generate HCL code in your Terraform access file -> submit a PR -> run CI -> merge -> materialize changes).
3. For each step of a Grant Workflow - Workflows have steps. A step may be skipped as defined by its `skip_if` block. This block evaluates OPA policies.