Overview of the Sandbox Environment

The sandbox environment allows you to test the Styra DAS system and policy functionality without configuring or installing software and includes a tour of the Styra DAS UI.

Sandboxes are created as fully-fledged Styra DAS systems configured for Kubernetes and Envoy with pre-configured policies and data. Synthetically generated policy queries generate decisions upon system creation.


A maximum of two sandboxes are supported per tenant.

Using the Sandbox

When you create a new Styra DAS account, you will automatically see the Getting Started dialog with sandbox environment options. Follow the steps below to set up your sandbox environment. For an existing account, you can access the Getting Started dialog through the Help menu (the ? icon) in the Styra DAS UI and follow the same steps below.

  1. Log in to Styra DAS.

  2. When you create a new Styra DAS account, you will automatically see the Getting Started dialog box, which includes Scan a GitHub Repository. If you do not see the Getting Started dialog box, click Help (the ? icon) and then select Getting Started.

  3. Select I want to deploy or manage OPAs.

  4. Click Let's Get Started.

  5. Click Work with a sandbox.

  6. Click Continue.

  7. Select the box(es) for the sandboxes to create, Kubernetes (default selection) or Envoy.

  8. Click Continue.

  9. Select the Take a tour box to see a guided tour, or select Go directly to my sandbox to access your sandbox.

  10. Click Continue to see how Styra DAS works with OPA and your software infrastructure.

  11. Go to your Kubernetes or Envoy sandbox to test the functionality of Styra DAS.

  12. After you finish learning the basics of Styra DAS functionality, click one of the following to proceed:

    • Continue with tour button to learn the following Styra DAS activities:

      • The Replay action allows you to review how a decision was reached and what policies and data contributed to this specific decision. Navigate to SYSTEMS > Your System > Decisions tab to view the list of decisions generated from your system only. The replay action is located next to each decision and is ideal for learning and troubleshooting.

      • Use the Swimlanes button to change the policy state between Ignore, Monitor, or Enforce. This changes which decision results the OPAs return to the software system that is requesting help with authorization. To change the policy state, select the state on the card or drag and drop the card between columns.

      • While you are making changes to your policies, changes are saved as a Draft. Use the Preview button to understand and change the policy behavior. The Validate button runs unit tests (if any exist) and analyses the impact on future decisions by using previous decisions. Once you are satisfied with your changes, click on the Publish button to publish the rules. A new policy bundle will automatically be made available for OPAs to pick up and start monitoring and/or enforcing policy queries.

      • Changes to policies or data trigger the creation of a new policy bundle. When made available, OPAs will pick up the most recent version of the relevant policy bundle. Manual roll-out and roll-back functionality are found here too. For more information, see the Policy Builder and Bundle Registry pages.

      • View new decisions that OPA has made with the new policy bundle. Decisions are stored in decision logs, which can help you analyze and understand why decisions were made the way they were, even if the decisions were made months ago. Decisions can be exported to external systems for longer-duration storage.

Managing the Sandbox

Sandbox environments can be managed through the following actions:

  • To remove a demo sandbox system, click the kebab icon next to your System (in the left navigation panel) > Delete system.

  • To restart the sandbox tour or recreate a sandbox environment, click on the ? button and select Getting Started.

  • Quit the demo sandbox tour by clicking the X button on the top-right of your screen.

Sandbox Mock OPA Functionality

In addition to testing OPA activity, the sandbox processes policy queries from a synthetic source of pre-recorded system-specific queries using a mock OPA agent. The mock OPA runs for seven days and processes Styra decisions at the system level. The mock OPA reports itself to Styra DAS through a status update, using a special label called MOPA to identify decisions that were generated by a mock OPA.

The mock OPA is managed through SYSTEMS > Sandbox-Kubernetes or Sandbox-Envoy > Deployments.

The mock OPA expires when all decisions are completed. To restart the mock OPA, use one of the following options:

  • In Deployments, click Restart on the mock OPA line.

  • Enable the mock OPA toggle in SYSTEMS > Your System > Settings.


The Styra DAS Free edition supports four mock OPAs. The Styra DAS Enterprise edition supports ten mock OPAs.

Identifying a Mock OPA

A mock OPA can be identified in the Styra DAS UI through the following options:

  • In a System’s deployment setting, the mock OPA is assigned a MOPA tag.

  • In the System’s settings page, the Enable mock OPAs switch is either ON or OFF.

  • In the left-hand systems list, systems with a mock OPA will include a green info icon to the right of the system name.