Policy Enforcement
AZTP uses OPA (Open Policy Agent) to provide fine-grained access control for AI agents.
Understanding OPA Policies
In AZTP, policies are written in Rego (OPA's policy language) and define:
- What actions agents can perform
- Under what conditions
- With what data
- For which targets
Policy Structure
A basic AZTP policy has these key elements:
    # Package declaration - always use aztp.policy
    package aztp.policy

    # Enables the `in` keyword used in the rule below
    import future.keywords.in

    # Default deny for safety
    default allow = false

    # Allow rules define when actions are permitted
    allow {
        # Rule conditions go here
        input.action in ["read", "write"]
    }
Policy Evaluation Flow
When an agent calls can(), AZTP:
- Verifies the agent's identity
- Prepares the policy input
- Evaluates the policy
- Returns the decision
Best Practices
- Default Deny
  - Always start with default allow = false
  - Explicitly define what's allowed
  - Never default to allow
- Policy Organization
  - Group related rules together
  - Use helper rules for common checks
  - Comment complex logic
- Input Validation
  - Always validate SPIFFE IDs
  - Check action strings
  - Validate payload data
Common Patterns
Role-Based Access
    # Define roles and permissions
    roles := {
        "reader": ["read"],
        "writer": ["read", "write"],
        "admin": ["read", "write", "delete"]
    }

    # Allow based on role
    allow {
        # Get agent's role from SPIFFE ID path
        role := split(input.sender.spiffeId.path, "/")[1]
        # Check if action is allowed for role
        roles[role][_] == input.action
    }
Environment-Based Policies
    # Allow more actions in development
    allow {
        # Check if in development environment
        endswith(input.sender.spiffeId.trustDomain, "dev.company.org")
        # Allow all actions in development
        input.action in ["read", "write", "delete"]
    }

    # Strict rules for production
    allow {
        endswith(input.sender.spiffeId.trustDomain, "prod.company.org")
        # Limited actions in production
        input.action in ["read"]
    }
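The Input Validation and helper-rule practices applied to the role and trust-domain patterns above, as an added example that is not AZTP's own policy. The allow-lists and test inputs are constructed, payload checks are left out because the page does not name a payload field, and the syntax matches the page's snippets (OPA 1.0 and later expects `if` before rule bodies by default).

```rego
package aztp.policy
import future.keywords.in

default allow = false

# Constructed allow-lists for illustration
trusted_domains := {"dev.company.org", "prod.company.org"}
known_actions := {"read", "write", "delete"}

roles := {
    "reader": ["read"],
    "writer": ["read", "write"],
    "admin": ["read", "write", "delete"]
}

# Helper: exact trust-domain match. A suffix test such as
# endswith(..., "prod.company.org") also accepts "notprod.company.org".
valid_trust_domain {
    input.sender.spiffeId.trustDomain in trusted_domains
}

# Helper: the path must be a string of the form "/<role>/..." naming a known role
sender_role = role {
    path := input.sender.spiffeId.path
    is_string(path)
    startswith(path, "/")
    role := split(path, "/")[1]
    roles[role]
}

valid_action {
    is_string(input.action)
    input.action in known_actions
}

allow {
    valid_trust_domain
    valid_action
    input.action in roles[sender_role]
}

# Constructed inputs, run with `opa test`
test_writer_can_write {
    allow with input as {"action": "write", "sender": {"spiffeId": {"trustDomain": "prod.company.org", "path": "/writer/agent-1"}}}
}

test_lookalike_domain_denied {
    not allow with input as {"action": "read", "sender": {"spiffeId": {"trustDomain": "notprod.company.org", "path": "/reader/agent-1"}}}
}
```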