Skip to main content


This page defines the terms that appear throughout Styra documentation.

Admission Control​

Admission Control is the process by which developers apply code in front of API servers to determine whether a request should be granted. Admission Control can be done in many ways, commonly through validating permissions.

API gateway

An API gateway is a tool to increase the security, scalability, and efficiency of APIs and backend microservices by providing them with a single entry point.

Attribute-Based Access Control (ABAC) policy

ABAC is the policy-based access control for Identity Management (IAM). Access rights are granted to users through policies that combine attributes.


A Bundle is a compressed file archive containing policy and data files.

Bundle Registry

Bundle Registry uses Styra DAS to distribute policy and data to OPA using OPA’s Bundle API. Bundle Registry is deployed at the System level.

Certificate Authority (CA)​

A Certificate Authority (CA), sometimes called a certification authority, is a company or organization that validates entities’ identities (such as websites, email addresses, companies, or individual persons). The CA binds the identities of entities to cryptographic keys through the issuance of electronic documents known as digital certificates.


Cloud-Native describes tools used to create applications to run in a cloud environment. Cloud-Native systems allow organizations to conduct their business more quickly, flexibly, and reliably.

Cloud-Native Computing Foundation (CNCF)​

The Cloud-Native Computing Foundation (CNCF) hosts critical components of the global technology infrastructure. CNCF brings together the world’s top developers, end-users, and vendors and runs the most significant open-source developer conferences. CNCF is part of the nonprofit Linux Foundation.


In cloud-native technologies, a container is storage for an application containing the files needed to function correctly. Containers allow applications to run on any device, so long as that device meets the application’s specifications.

Continuous Integration and Continuous Delivery (CI/CD)​

Continuous Integration (CI) and Continuous Delivery (CD) embody a culture, set of operating principles, and practices that enable application development teams to deliver code changes more frequently and reliably.

Data source​

A data source is an API for reading and writing JSON objects that can be imported and used to make policy decisions. A data source can be added to systems, stacks, or the library so that data and the policies that utilize it can be shared however is appropriate. The data is versioned and stored compactly with a delta-encoding to handle large and frequently changing JSON.


OPA makes decisions to allow or deny operations or provide suggestions based on the corresponding System’s Policies.

Declarative Authorization Service (DAS)​

Styra Declarative Authorization Service (DAS) is built on the open-source project Open Policy Agent (OPA). It provides a single pane of glass for authorization and policy across the cloud-native ecosystem of software systems.

Delta Bundles

Delta Bundles provide a more efficient way to make data changes by only updating the delta changes to the Snapshot Bundle. By leveraging Delta Bundles, Styra DAS propagates data changes to OPAs and SLPs more efficiently.

Domain Name System (DNS)​

The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each participating entity.

Egress filtering​

Egress filtering scans egress traffic for abnormalities or malicious activity and discards infected data packets.

Egress traffic​

Egress traffic is data or traffic sent to an external entity that passes through an edge router of the host network before reaching its destination node.


Emissary-ingress is an open-source ingress controller and API Gateway for Kubernetes. Emissary-ingress uses Envoy Proxy and supports many use cases, including load balancing, authentication, and observability.


The Styra DAS Entitlements System type is a cloud-native Entitlements service that easily integrates into existing applications and can be replicated globally, managed, and governed through a single pane of glass.


Envoy is an open-source edge and service proxy designed for cloud-native applications.

External Bundle​

External Bundles are used to configure Styra DAS to allow OPA to access bundles or services from external registries without the bundles being accessible by Styra DAS. External Bundles protect sensitive data.

Identity and Access Management (IAM)​

Identity and Access Management (IAM) refers to the policies and tools used by IT departments to ensure that people and entities have access to the organization’s technical resources.

Infrastructure-as-Code (IaC)

Infrastructure-as-Code (IaC) is a practice in cloud development to manage infrastructure and automate using descriptive code in conjunction with the needs of the DevOps team. IaC helps environments deploy the same way every time, allowing for continuous deployment.

Ingress traffic​

Ingress traffic is network traffic whose source is a public network or an external network and is sent to a node on a private network.

JSON Web Token (JWT)​

A JSON Web Token (JWT) is an internet standard for creating JSON-based access tokens that assert several claims. The tokens are signed using a private secret or a public or private key.


Kubernetes is an open-source, cloud-native tool used to automate deployment and management of containers, help to manage updates and patches, and replace containers producing failed instances.

Kubernetes sidecar​

Sidecar containers run two tightly coupled containers together.


A Styra DAS library is a collection of functions, pre-compiled routines, or reusable components of code.

Lightweight Directory Access Protocol (LDAP)​

The Lightweight Directory Access Protocol is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network.

Linux Pluggable Authentication Modules (PAM)​

The Linux Pluggable Authentication Module (PAM) package contains Pluggable Authentication Modules that enable the local system administrator to choose how applications authenticate users.


A microservice is a small-scale process of an application, which typically has a single job to help the complete application run smoothly.


Minikube is a tool that makes it easy to run Kubernetes locally.

Mock OPA

In addition to testing OPA activity, the sandbox processes policy queries from a synthetic source of pre-recorded system-specific queries using a Mock OPA agent. The Mock OPA runs for seven days and processes Styra decisions at the System level.

Mutual Transport Layer Security (mTLS)​

Mutual Transport Layer Security (mTLS) helps ensure that traffic is secure and trusted in both directions between a client and server. mTLS provides an additional layer of security for users who log in to an organization’s network or applications.


A namespace is used in platforms such as Kubernetes to group services for organization and management of access to said resources.

Object model​

An object model is a logical interface, System, or software modeled through object-oriented techniques. An object model enables the creation of an architectural software or system model before development or programming.

OPA Gatekeeper​

OPA Gatekeeper enables users to customize Kubernetes admission control via configuration, not code, and to bring awareness of the cluster’s state, not just the single object under evaluation at admission time.

Open Policy Agent (OPA)​

Open Policy Agent, or OPA (pronounced “oh-pa”) for short, is an open-source policy engine developed by Styra and hosted by the Cloud Native Computing Foundation. OPA uses declarative language to enforce policies as code across an entire stack.


A Styra Package is a collection of related policies consisting of Rego rules and helper functions. Each Package has its unique name and organizes its Policies.


Pods are the smallest objects in Kubernetes, representing an instance of a running process. Pods hold containers, which, when run simultaneously, share the processing power allocated to that single pod.


As it refers to cloud services, Policies set the guidelines under which companies operate, typically for security reasons. Policies define who has access to specified data internally or externally.

Policy Bundle

Multiple code-based Policies distributed together are called a Policy Bundle.

Policy Enforcement​

Policy Enforcement refers to the creation, categorization, management, monitoring, and automated execution of a set of requirements for the use of a network.

Read–Eval–Print Loop (REPL)​

A Read–Eval–Print loop (REPL) is an interactive top-level or language shell. It is a simple, interactive computer programming environment that takes single user inputs, evaluates (executes) them, and returns the result to the user.


OPA policies are expressed in a high-level declarative language called Rego. Rego (pronounced “ray-go”) is purpose-built for expressing policies over complex hierarchical data structures.


A Styra Request determines if a subject can operate and may optionally return a set of entitlements.


A Styra Resource is a unique object that can be accessed. Resources are optionally specified as an object in the virtual document data.object.resources. Resources may optionally have attributes, which may be used in ABAC policy Rules.


When a Request is made, a Response is returned indicating whether the Request was successful or has failed.


A Styra Role defines permissions for resources.

Role binding​

Role binding attaches a role to a set of subjects. Role bindings can be expressed by subject IDs, attributes, or both.

Role-Based Access Control (RBAC)​

Role-Based Access Control (RBAC) is an approach to authorizing users based on roles assigned to users.


A Styra Rule is a specific individual constraint. It consists of detailed instructions that you write as a Rego statement for custom rules or specific parameters that you configure for existing Rego statements used in built-in rules. For example, you may define a rule that can deploy only images from an explicitly authorized registry.


The sandbox environment allows you to test the Styra DAS System and Policy functionality without configuring or installing software and includes a tour of the Styra DAS UI.

Secure Shell (SSH)​

Secure Shell (SSH) is a cryptographic protocol for securely operating network services over an unsecured network.

Service mesh

A service mesh refers to how software code allows for automation of network connectivity at the platform level. It helps microservices across a network communicate effectively and automatically, significantly reducing the need for manual configuration and increasing potential scale.

Shared access Signature (SAS)​

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a shared access signature to clients who should not be trusted with your storage account key but to whom you delegate access to specific storage account resources.


A Styra Stack is a collection of Policies describing which Systems those policies apply. It organizes multiple Systems into a logical group based on common characteristics. Stacks allow you to use the same Policies for several Systems without defining those Policies one System at a time.

Snapshot Bundle​

A Snapshot Bundle represents the entirety of OPA’s policy and data cache. When a new Snapshot Bundle is downloaded, OPA erases and overwrites all the policy and data in its cache before activating the new bundle.

Styra Local Control Plane (SLP)​

Styra Local Control Plane (SLP) downloads policies from Styra DAS and relays them to the OPAs. It provides an additional copy of the Policies for higher availability.


Styra Subjects are optional and represent users, groups of users, or service accounts. All Subjects must have a unique ID and may optionally have attributes.


A Styra System is Styra’s core unit for policy authoring, validation, distribution, decision monitoring, analysis, and reporting. In Styra, a System represents a real-world software system for policy management. The real-world software System may be a physical or virtual computer node, a cluster of nodes that form a logical management boundary, or an application running on multiple nodes in a cloud instance. Styra supports predefined System types such as Envoy and Kubernetes and a Custom System type to define other targets manually. For example, a real-world Kubernetes cluster may be represented by a Kubernetes System, and an Envoy System may represent a real-world microservice.


Terraform is an open-source program that manages and automates infrastructure, platforms, and services. Terraform uses declarative language.


A Styra violation occurs if an operation violates a policy enforced on a specific System, in which case, the operation is denied.


A Styra Workspace is a container for the collection of managed Systems. A Workspace provides access to individual System resources and a context for resources that span multiple Systems. Styra DAS tenants are limited to a single, tenant-level Workspace.