Quick Start
This guide will walk you through creating your first PolicyDomain and testing policy decisions.
Overview
In this quick start, you will:
- Create a simple PolicyDomain with policies
- Lint your PolicyDomain to validate syntax
- Test policy decisions using the CLI
What is a PolicyDomain?
A PolicyDomain is a YAML file that bundles together all the policy-related artifacts for a specific domain or service:
- Policies: The Rego code that makes access control decisions
- Policy Libraries: Reusable code shared across policies
- Roles, Groups, Scopes: Identity and permission mappings
- Resource Groups and Resources: Resource-to-policy mappings
- Operations and Mappers: Request routing and transformation
Your First PolicyDomain
Create a file called my-domain.yml:
```yaml
apiVersion: iamlite.manetu.io/v1alpha4
kind: PolicyDomain
metadata:
  name: my-first-domain
spec:
  policies:
    - mrn: &operation-default "mrn:iam:policy:operation-default"
      name: operation-default
      description: "Defers to identity and resource phases"
      rego: |
        package authz
        default allow = 0 # Tri-level: negative=DENY, 0=GRANT, positive=GRANT Override
    - mrn: &allow-all "mrn:iam:policy:allow-all"
      name: allow-all
      description: "Allows all authenticated requests"
      rego: |
        package authz
        default allow = false
        allow {
          input.principal != {}
        }
    - mrn: &deny-all "mrn:iam:policy:deny-all"
      name: deny-all
      description: "Denies all requests"
      rego: |
        package authz
        default allow = false
  roles:
    - mrn: "mrn:iam:role:admin"
      name: admin
      description: "Administrator role with full access"
      policy: *allow-all
    - mrn: "mrn:iam:role:guest"
      name: guest
      description: "Guest role with no access"
      policy: *deny-all
  resource-groups:
    - mrn: "mrn:iam:resource-group:default"
      name: default
      description: "Default resource group"
      default: true
      policy: *allow-all
  operations:
    - name: api
      selector:
        - ".*"
      policy: *operation-default
```
Validating Your PolicyDomain
Use the lint command to validate your PolicyDomain:
```shell
mpe lint -f my-domain.yml
```
If everything is valid, you'll see:
```text
Linting YAML files...
✓ my-domain.yml: Valid YAML
✓ my-domain.yml: Valid Rego in policy 'operation-default'
✓ my-domain.yml: Valid Rego in policy 'allow-all'
✓ my-domain.yml: Valid Rego in policy 'deny-all'
---
All checks passed: 1 file(s) validated successfully
```
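The YAML anchors (`&allow-all`) and aliases (`*allow-all`) in the PolicyDomain above are what keep a role, resource group or operation pointing at a policy mrn that actually exists; a hand-typed mrn string gets no such protection. The Ruby script below is an added example, not part of `mpe` or its documentation: it parses a constructed PolicyDomain with Ruby's standard-library YAML (aliases resolve to the anchored mrn string) and checks that policy mrns are unique, that every `policy:` reference resolves to a defined policy, and that each Rego body declares `package authz`, the package every policy on this page uses. The constructed sample deliberately gives the `api` operation a mistyped mrn so the dangling reference is reported.

```ruby
require 'yaml'
# Constructed sample (not from the page): roles, resource groups and operations bind to policies
# via YAML anchors/aliases; the operation hand-types an mrn with a typo to show a dangling reference.
SAMPLE_DOMAIN = <<~YAML
  apiVersion: iamlite.manetu.io/v1alpha4
  kind: PolicyDomain
  spec:
    policies:
      - mrn: &allow-all "mrn:iam:policy:allow-all"
        rego: |
          package authz
          default allow = false
          allow { input.principal != {} }
      - mrn: &deny-all "mrn:iam:policy:deny-all"
        rego: |
          package authz
          default allow = false
    roles:
      - { mrn: "mrn:iam:role:admin", name: admin, policy: *allow-all }
      - { mrn: "mrn:iam:role:guest", name: guest, policy: *deny-all }
    resource-groups:
      - { mrn: "mrn:iam:resource-group:default", name: default, default: true, policy: *allow-all }
    operations:
      - { name: api, selector: [".*"], policy: "mrn:iam:policy:allow-al" }  # typo, not an alias
YAML

# Added checks (not mpe lint): policy mrns unique, every policy reference resolves to a
# defined mrn, and each rego body declares `package authz` as all of the page's policies do.
def validate_policy_domain(text)
  doc = YAML.safe_load(text, aliases: true)   # aliases resolve to the anchored mrn string
  errors = []
  errors << "kind must be PolicyDomain, got #{doc['kind'].inspect}" unless doc['kind'] == 'PolicyDomain'
  spec = doc['spec'] || {}
  policies = spec['policies'] || []
  mrns = policies.map { |p| p['mrn'] }
  mrns.group_by(&:itself).each { |m, v| errors << "duplicate policy mrn #{m}" if v.size > 1 }
  policies.each do |p|
    errors << "policy #{p['mrn']} lacks 'package authz'" unless p['rego'].to_s.match?(/^package authz$/)
  end
  %w[roles resource-groups operations].each do |section|
    (spec[section] || []).each do |item|
      ref = item['policy']
      errors << "#{section} '#{item['name']}': #{ref.inspect} is not a defined policy mrn" unless mrns.include?(ref)
    end
  end
  errors
end

puts validate_policy_domain(SAMPLE_DOMAIN)   # prints the one dangling-reference error
```

Running it against a file instead of the embedded sample is a matter of passing `File.read('my-domain.yml')`; an empty result means every reference resolved.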
Testing Policy Decisions
See Testing Policies for detailed testing instructions.
Next Steps
- Creating Your First PolicyDomain - Detailed walkthrough
- Testing Policies - Test your policies
- Concepts - Understand the full model