Role-Based Access Control (RBAC) in OPA with User-Editable Roles

Sometimes, baked-in roles just don't cut it. Advanced role-based access control features of your application may demand that users be able to create their own roles.

With user-editable roles, the role definitions are created, read, updated and deleted by a component outside OPA, and every change must be synchronized into OPA's data store. The relevant integration points for OPA are:

  1. Bundles - a policy and data packaging and distribution feature built into OPA
  2. Data pushed to OPA using the REST API
  3. HTTP APIs that are queried from Rego policies at evaluation time via the http.send built-in function

Enterprise OPA can synchronize its data from multiple other data sources (S3, Git, Kafka, MongoDB, LDAP, and others), and send requests to further data sources at query time (MongoDB, Neo4J, DynamoDB, and others).

The set of services needed to integrate OPA with user-editable roles therefore grows to include:

  • a role management service that allows the user to create, delete, update, and list roles
  • a user interface of some sort to control that service
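As an added example (not code from the original page or from Styra), the Rego below keeps role definitions in OPA's data store rather than in the policy, so a role-management service can replace `data.roles` and `data.user_roles` at runtime through any of the three integration points above. The data paths, role names and grant shape are assumptions for illustration.

```rego
# Added example, not from the original page: RBAC where roles are data, not code.
# data.roles      - role name -> {"grants": [{"action": ..., "resource": ...}]}
# data.user_roles - user id   -> [role names]
# Both documents are owned by the external role-management service and are
# synchronized into OPA via a bundle or PUT /v1/data/<path>.
package rbac

import rego.v1

default allow := false

# A request is allowed when any role assigned to the caller carries a grant
# for exactly the requested action on the requested resource.
allow if {
	some role_name in data.user_roles[input.user]
	some grant in data.roles[role_name].grants
	grant.action == input.action
	grant.resource == input.resource
}

# The roles that decided the request, useful to include in decision logs.
matched_roles contains role_name if {
	some role_name in data.user_roles[input.user]
	some grant in data.roles[role_name].grants
	grant.action == input.action
	grant.resource == input.resource
}

# Constructed sample data the role service would push (hypothetical values):
#   PUT /v1/data/roles
#   {"editor": {"grants": [{"action": "write", "resource": "documents"}]},
#    "viewer": {"grants": [{"action": "read",  "resource": "documents"}]}}
#   PUT /v1/data/user_roles
#   {"alice": ["editor"], "bob": ["viewer"]}
#
# With that data:
#   {"user": "alice", "action": "write", "resource": "documents"} -> allow = true
#   {"user": "bob",   "action": "write", "resource": "documents"} -> allow = false
#   {"user": "carol", "action": "read",  "resource": "documents"} -> allow = false
#   (no roles assigned: the lookup is undefined and the default applies)
```

Data written through PUT /v1/data is held in OPA's in-memory store and is lost on restart, so the role service must re-sync on startup or ship the roles as a bundle for a durable setup. A path that belongs to a loaded bundle's roots cannot be overwritten through the REST API, so choose one of the two channels per data path rather than mixing them.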