Open Policy Agent & Rego

Open Policy Agent (OPA) is the de facto standard for policy-as-code, using the Rego policy language for Kubernetes, APIs, microservices, and infrastructure.

What is Open Policy Agent?

Open Policy Agent (OPA) is a CNCF-graduated project that provides a general-purpose policy engine. It decouples policy decision-making from your application logic.

  • Cloud native – Designed for Kubernetes and microservices
  • Language agnostic – Works with any programming language
  • Declarative – Policies written in Rego language
  • High performance – Compiled policies for fast evaluation
  • Extensible – Custom built-in functions and data sources

What is Rego?

Rego is OPA's policy language, inspired by Datalog. It's designed to query complex nested data structures and express policy decisions.

package authz

import rego.v1

default allow := false

# Allow users to read their own profile
allow if {
    input.action == "read"
    input.resource.type == "profile"
    input.resource.owner == input.user.id
}

# Allow admins to perform any action
allow if {
    input.user.role == "admin"
}

# Allow managers to approve expenses under limit
allow if {
    input.action == "approve"
    input.resource.type == "expense"
    input.user.role == "manager"
    input.resource.amount < input.user.approval_limit
}
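Unit tests for the authz policy above, run with `opa test`, as an added example that is not part of the original page; the `authz_test` package name and the request documents are constructed, and each test swaps in its own request with `with input as`. The cases cover the strict `<` boundary in the manager rule and a manager record with no `approval_limit`, where the comparison is undefined and the default of false is returned.

```rego
package authz_test

import rego.v1

import data.authz

# Owner reading their own profile: the first rule matches.
test_owner_can_read_own_profile if {
	authz.allow with input as {
		"action": "read",
		"user": {"id": "u1", "role": "employee"},
		"resource": {"type": "profile", "owner": "u1"},
	}
}

# Same request for someone else's profile: no rule matches, default applies.
test_other_profile_denied if {
	not authz.allow with input as {
		"action": "read",
		"user": {"id": "u1", "role": "employee"},
		"resource": {"type": "profile", "owner": "u2"},
	}
}

# Amount equal to the limit is denied: the rule uses a strict "<".
test_manager_at_limit_denied if {
	not authz.allow with input as {
		"action": "approve",
		"user": {"id": "m1", "role": "manager", "approval_limit": 1000},
		"resource": {"type": "expense", "amount": 1000},
	}
}

# Manager record without approval_limit: "amount < undefined" is undefined,
# the rule body fails, and the default of false is returned (fail closed).
test_manager_missing_limit_denied if {
	not authz.allow with input as {
		"action": "approve",
		"user": {"id": "m2", "role": "manager"},
		"resource": {"type": "expense", "amount": 1},
	}
}

# The admin rule ignores action and resource entirely.
test_admin_allowed_without_resource if {
	authz.allow with input as {"action": "delete", "user": {"id": "a1", "role": "admin"}}
}
```

Place this file beside the policy and run `opa test .`; a failing test names the rule whose behaviour changed.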

OPA Use Cases

  • Kubernetes Admission Control – Validate and mutate Kubernetes resources with Gatekeeper
  • API Authorization – Enforce access policies on REST and GraphQL APIs
  • Microservices Authorization – Decentralized policy enforcement with Envoy integration
  • Infrastructure as Code – Validate Terraform plans with Conftest
  • Data Filtering – Generate partial queries for database-level enforcement

OPA as a Policy Decision Point

OPA acts as a Policy Decision Point (PDP) in your authorization architecture:

  • PAP (Policy Administration Point) – Big ACL creates Rego policies
  • PDP (Policy Decision Point) – OPA evaluates policies
  • PEP (Policy Enforcement Point) – Apps enforce decisions

OPA vs Amazon Verified Permissions

Both OPA and Amazon Verified Permissions are Policy Decision Points, but serve different use cases:

Aspect       OPA                   AVP
Deployment   Self-hosted           AWS managed
Language     Rego                  Cedar
Best for     K8s, infrastructure   App authorization
Ecosystem    CNCF, Envoy, K8s      AWS services

Big ACL + Open Policy Agent

Big ACL serves as the Policy Administration Point for OPA, providing:

  • Natural language to Rego – Write policies in plain English, export to Rego
  • Policy testing – Validate Rego policies with generated test cases
  • Bundle generation – Create OPA bundles for deployment
  • Multi-PDP support – Same policy model for OPA and AVP
  • Version control – Track policy changes with full audit history

Big ACL input (natural language):

"Users can only access resources in their assigned region"

Generated Rego:

package authz

import rego.v1

default allow := false

allow if {
    input.user.region == input.resource.region
}
