nicholasjackson/opa-rego-language
Rego is the declarative policy language used by Open Policy Agent (OPA). This tile covers writing and testing Rego policies for Kubernetes admission control, Terraform and infrastructure-as-code plan validation, Docker container authorization, HTTP API authorization, RBAC and role-based access control, data filtering, metadata annotations with opa inspect, and OPA policy testing with opa test.
99
Quality
Pending
Does it follow best practices?
Impact
99%
1.19xAverage score across 31 eval scenarios
Pending
The risk profile of this skill
task.mdevals/scenario-5/
Access Control: Separation of Duty
Write a Rego policy that detects separation-of-duty (SOD) violations — users who hold two roles that must never be held simultaneously.
Data
data.user_roles maps users to their current role assignments:
{
"alice": ["create-payment", "approver"],
"bob": ["create-payment", "auditor"],
"charlie": ["approve-payment", "auditor"]
}The conflicting role pairs are:
[
["create-payment", "approve-payment"],
["create-vendor", "pay-vendor"]
]Expected behaviour
alicehas a SOD violation (holdscreate-paymentandapprover— wait,approverisn't in the list, butapprove-paymentis — so alice is fine)- A user holding both
create-paymentandapprove-paymentis a violation - The policy must produce a set of violating users
docs
evals
scenario-1
scenario-2
scenario-3
scenario-4
scenario-5
scenario-6
scenario-7
scenario-8
scenario-9
scenario-10
scenario-11
scenario-12
scenario-13
scenario-14
scenario-15
scenario-16
scenario-17
scenario-18
scenario-19
scenario-20
scenario-21
scenario-22
scenario-23
scenario-24
scenario-25
scenario-26
scenario-27
scenario-28
scenario-29
scenario-30
scenario-31