
nicholasjackson/golang-opa-rego-language

Rego is the declarative policy language used by Open Policy Agent (OPA) for writing and enforcing policies across cloud-native stacks, featuring data-driven rules, comprehensions, and 200+ built-in functions for infrastructure, security, and compliance automation.

Overall score: 97%


evals/scenario-2/task.md

Task: Role-Based Access Control Policy

Create a role-based access control (RBAC) policy in Rego that controls access to documents based on user roles.

Requirements

Policy file

Create rbac.rego with package policy.rbac and import rego.v1.

The policy evaluates the following input structure:

{
  "user": "alice",
  "action": "write",
  "resource": "document:123"
}

External role data is available at data.user_roles (maps usernames to a list of role names) and data.role_permissions (maps role names to a list of permitted actions). Example:

{
  "user_roles": {
    "alice": ["editor"],
    "bob": ["viewer"],
    "carol": ["admin"]
  },
  "role_permissions": {
    "admin":  ["read", "write", "delete"],
    "editor": ["read", "write"],
    "viewer": ["read"]
  }
}

The policy must:

  • Default to deny (i.e., default allow := false)
  • Define a helper rule user_has_role[role] that yields each role assigned to input.user via data.user_roles
  • Define a helper rule user_has_permission[action] that yields each action permitted to any of the user's roles via data.role_permissions
  • Define an allow rule that permits access when input.action is in user_has_permission

Test file

Create rbac_test.rego with package policy.rbac_test and import rego.v1.

Use the with keyword to inject both input and data in every test. Include tests for:

  • An admin user performing a delete action (should be allowed)
  • An editor user performing a write action (should be allowed)
  • A viewer user performing a read action (should be allowed)
  • A viewer user attempting a write action (should be denied)
  • A user with no assigned roles attempting any action (should be denied)

Run the tests

Run opa test . -v and confirm all tests pass.

Install with Tessl CLI

npx tessl i nicholasjackson/golang-opa-rego-language@1.15.0
