Testing Policies
Now that you've created your first PolicyDomain, let's verify it works correctly using mpe test decision.
Your First Test
Create a test input file with a PORC expression that matches your PolicyDomain:
cat > test-input.json << 'EOF'
{
  "principal": {
    "sub": "user123",
    "mroles": ["mrn:iam:role:admin"]
  },
  "operation": "api:resource:read",
  "resource": {
    "id": "mrn:app:resource:123",
    "group": "mrn:iam:resource-group:default"
  },
  "context": {}
}
EOF
Run the test:
mpe test decision -b my-domain.yml -i test-input.json
Understanding the Result
The output is an AccessRecord—a JSON document capturing the evaluation. The key field is decision:
# Extract just the decision
mpe test decision -b my-domain.yml -i test-input.json | jq .decision
# Output: "GRANT" or "DENY"
For human-readable output during debugging, add --pretty-log:
mpe test decision -b my-domain.yml -i test-input.json --pretty-log
Verifying Your PolicyDomain
Test a few scenarios to verify your policies work as expected:
- Authenticated user with correct role → should be GRANT
- Missing principal → should be DENY
- Wrong role for the operation → should be DENY
If a test produces unexpected results, use --trace to see the evaluation steps:
mpe --trace test decision -b my-domain.yml -i test-input.json
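The three scenarios listed above can be turned into a repeatable check. The script below is an added example, not part of the mpe documentation; it uses only the `mpe test decision` invocation with `-b` and `-i` shown on this page. The missing-principal input and the `mrn:iam:role:viewer` role are constructed, and the expected decisions assume your PolicyDomain grants `api:resource:read` only to the admin role.

```shell
# Added example: check the three scenarios against a PolicyDomain bundle.
# write_porc FILE PRINCIPAL_JSON: page's operation/resource; empty PRINCIPAL_JSON omits the principal.
write_porc() {
  principal=""
  [ -n "$2" ] && principal="\"principal\": $2,"
  cat > "$1" <<EOF
{
  $principal
  "operation": "api:resource:read",
  "resource": {
    "id": "mrn:app:resource:123",
    "group": "mrn:iam:resource-group:default"
  },
  "context": {}
}
EOF
}

# decision_of: read an AccessRecord on stdin and print its decision field.
decision_of() {
  if command -v jq >/dev/null 2>&1; then jq -r '.decision'
  else sed -n 's/.*"decision"[[:space:]]*:[[:space:]]*"\([A-Z]*\)".*/\1/p' | head -n 1
  fi
}

# expect BUNDLE INPUT WANT: anything other than the wanted decision (including no output) fails.
expect() {
  got=$(mpe test decision -b "$1" -i "$2" | decision_of)
  if [ "$got" = "$3" ]; then echo "PASS $2 -> $got"; return 0; fi
  echo "FAIL $2: want $3, got ${got:-<none>}" >&2
  return 1
}

# run_suite BUNDLE: run all three scenarios; non-zero exit if any decision is unexpected.
run_suite() {
  dir=$(mktemp -d) || return 1
  rc=0
  write_porc "$dir/admin.json" '{"sub": "user123", "mroles": ["mrn:iam:role:admin"]}'
  write_porc "$dir/no-principal.json" ''
  write_porc "$dir/wrong-role.json" '{"sub": "user123", "mroles": ["mrn:iam:role:viewer"]}'  # constructed role
  expect "$1" "$dir/admin.json" GRANT || rc=1
  expect "$1" "$dir/no-principal.json" DENY || rc=1
  expect "$1" "$dir/wrong-role.json" DENY || rc=1
  rm -rf "$dir"
  return $rc
}

# Runs only when mpe is installed and a bundle path is given, e.g. sh verify.sh my-domain.yml
if command -v mpe >/dev/null 2>&1 && [ -n "${1:-}" ]; then run_suite "$1"; fi
```

A failing scenario prints the input file name, which can then be re-run with `--trace` as shown above.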
Next Steps
- Testing Policies Guide — Comprehensive testing guide covering mappers, Envoy pipeline, common patterns, and best practices
- CLI Reference: mpe test — Complete command reference
- Reading Access Records — How to interpret test output in detail