Rego Policies

The Cyral platform has a powerful policy engine that allows you to create advanced policies using the flexible OPA policy language Rego.

The Rego code in a policy is evaluated for every query of interest to the policy and has access to most fields in the activity log. It can thus use arbitrary conditions on fields in the activity log to allow, block, or restrict an activity.

Creating a Rego policy engine requires you to first create a Rego policy template, and then one or more instances from this template. This two level structure allows the Rego code to be parameterized and reused in different contexts. The number or types of policy parameters can be defined by the policy template author and are specified in an associated JSON schema. Each instance created from the template must provide the values for these parameters and the values must satisfy the parameter schema of the template. For example, a policy may allow access to a sensitive table only to some specific users. In this case, the table name and the users' list could be parameters. The template could then be instantiated for different repos with different sets of parameter values for different repos.

NOTE: Details regarding the the Rego Language are outside the scope of this document. We suggest reviewing the Rego Language documentation for syntax and examples. Rego works on a basic principle of testing whether something is true. In addition, you can use the Rego Playground to test your policy template before using it.