Skip to main content

Skillber v1.0 is here!

Learn more

Policy Management

Checking access...

Policy management is the discipline of defining, storing, evaluating, and governing the rules that control access to resources. In modern IAM architectures, policies are the central mechanism for translating business requirements into enforceable access controls, and they must be managed with the same rigour as application code.

Well-managed policies provide consistent enforcement across heterogeneous systems, clear audit trails for compliance, and the agility to respond to changing business and security requirements.

The Policy Architecture

The XACML standard defines the canonical policy architecture, which has been widely adopted beyond XACML itself:

ComponentFunctionResponsible For
PAP (Policy Administration Point)Creating, editing, and managing policiesPolicy administrators, CI/CD pipeline
PDP (Policy Decision Point)Evaluating access requests against policies and returning decisionsPolicy engine (OPA, AuthZForce, Axiomatics)
PEP (Policy Enforcement Point)Intercepting access requests and enforcing PDP decisionsApplication middleware, API gateway, agent
PIP (Policy Information Point)Providing attribute values required for policy evaluationIdentity directory, HR system, CMDB
PAPStoring policies in a repositoryPolicy database, Git repository

Policy Decision Flow — Full Context

┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐
│ User │────→│ PEP │────→│ PDP │────→│ PIP │
│(Subject)│ │(Enforce)│ │(Decide) │ │ (Attr) │
└─────────┘ └─────────┘ └─────────┘ └─────────┘
│ │ │
│ ┌────┴────┐ ┌────┴────┐
│ │ PAP │ │ HR DB │
│ │(Policies)│ │ AD/LDAP│
│ └─────────┘ └─────────┘
┌──────────┐
│ Access │
│ Grant/ │
│ Deny │
└──────────┘

Policy Decision Responses

DecisionMeaningExample
PermitAccess is allowed”User can view document”
DenyAccess is explicitly denied”User is blocked from admin console”
NotApplicableNo policy matches this request”No policy covers this action on this resource”
IndeterminatePolicy evaluation failed”Attribute source unavailable, rule evaluation error”

Policy combining algorithms determine the final decision when multiple rules apply:

AlgorithmBehaviourUse Case
Deny-overridesIf any rule evaluates to Deny, the final decision is DenySecurity-first — default deny with exceptions
Permit-overridesIf any rule evaluates to Permit, the final decision is PermitOpen-by-default — used when maximising access
First-applicableThe first rule that matches determines the decisionOrdered policy evaluation, precedence-based
Only-one-applicableExactly one rule must apply; otherwise IndeterminateStrict policy environments, no ambiguity

Policy Lifecycle

Policies should be managed through a defined lifecycle, analogous to software development:

Design → Develop → Test → Deploy → Monitor → Retire
↑ │
└────────────────────────────────────────┘
Review

Phase 1: Design

  • Identify the business requirement driving the policy change
  • Define the policy objective in plain language
  • Identify required attributes and their data sources
  • Assess impact: which users, resources, and actions will be affected?
  • Document the policy intent and expected behaviour

Phase 2: Develop

  • Write the policy in the chosen policy language (XACML, Rego, Cedar)
  • Structure policies for clarity and maintainability
  • Define test cases covering Permit, Deny, and edge cases
  • Store the policy in version control (Git)

Phase 3: Test

Test TypeWhat It ValidatesTooling
Unit testsIndividual rule evaluation for specific inputsopa test, custom test harnesses
Integration testsPolicy interaction with attribute sources and PEPPostman, integration test suite
Regression testsExisting policies unchanged by new policyCI/CD pipeline with automated test suite
Performance testsPolicy evaluation latency under loadLoad testing (k6, Gatling)
Impact analysisWhich users/resources are affected by policy changePolicy simulation (describe-affected, what-if analysis)

Phase 4: Deploy

  • Deploy to staging environment for validation
  • Run canary deployment (apply to 5% of traffic, monitor for issues)
  • Full rollout with rollback capability
  • Update policy version in the policy repository

Phase 5: Monitor

MetricWhat It TracksAlert Threshold
Decision countVolume of policy evaluationsSignificant change from baseline
Decision distributionRatio of Permit/Deny/NotApplicable>10% increase in Deny rate
Evaluation latencyTime to evaluate policyp99 > 100ms
Error rateIndeterminate decisions> 0.1% error rate
Cache hit ratioPDP cache effectiveness< 80% cache hit rate

Phase 6: Review and Retire

  • Periodic policy certification (annual or quarterly)
  • Review policy effectiveness — is it achieving the intended outcome?
  • Identify orphaned policies — no longer referenced by any application
  • Rationalise overlapping policies — merge or replace
  • Archive retired policies for audit reference

Policy Languages Comparison

LanguageStandardParadigmExpressivenessTooling EcosystemLearning Curve
XACMLOASISDeclarative XMLHighMature (enterprise)Steep
ALFAOASISAbbreviated XACMLHighModerateModerate
Rego (OPA)Open SourceDeclarative / LogicVery HighExcellent (k8s, cloud)Moderate
CedarAWSDeclarativeHighGood (AWS Verified Permissions)Low
OdinOpen SourceDeclarativeHighEmergingLow
CasbinOpen SourceConfigurationModerateGood (multi-language)Low

Rego (OPA) — The Cloud-Native Standard

Rego is the policy language for Open Policy Agent. It uses a rule-based, declarative approach:

package api.authz
# Default deny
default allow = false
# Admin override — full access for admin users
allow {
input.user.roles[_] == "admin"
}
# Self-service — users can read their own data
allow {
input.method == "GET"
input.path == sprintf("/users/%s", [input.user.id])
}
# Project-based access — users can read project resources for projects they belong to
allow {
input.method == "GET"
input.path == sprintf("/projects/%s", [input.project.id])
data.projects[input.project.id].members[_] == input.user.email
}

Cedar (AWS) — The AWS-Native Option

Cedar is a purpose-built policy language developed by AWS for use in AWS Verified Permissions and Amazon Verified Permissions:

// Permit policy: allow user to read their own documents
permit (
principal in [user::"alice"],
action in [Action::"read"],
resource in [Document::"report.docx"]
) when {
resource.owner == principal
};
// Forbid policy: deny access to classified documents
forbid (
principal,
action,
resource
) when {
resource.classification == "confidential" &&
principal.clearance_level < 5
};

Tip

For greenfield deployments in cloud-native environments, choose Rego/OPA — it has the richest ecosystem, broadest platform support (Kubernetes, microservices, APIs), and is vendor-independent. For AWS-native architectures, consider Cedar for integration with AWS Verified Permissions and Cognito.

Policy Repository and Versioning

Policies should be stored in a centralised, version-controlled repository:

FeatureLocal FilesGit RepositoryPolicy DB (Enterprise)
VersioningManualGit (full history)Built-in
Review workflowNonePR/MR workflowCustom workflow
Access controlFilesystem permissionsGit permissionsRole-based
Audit trailNoneGit logBuilt-in audit
RollbackManual restoreGit revertBuilt-in rollback
BranchingNoneFull branchingLimited
ScalabilityLimitedEnterprise-scaleEnterprise-scale

Recommended approach: Store policies in Git with the following structure:

policies/
├── production/
│ ├── api-authz/
│ │ ├── admin.rego
│ │ ├── self-service.rego
│ │ └── project-access.rego
│ ├── data-access/
│ │ ├── pii-protection.rego
│ │ └── row-level-security.rego
│ └── network/
│ └── network-policies.rego
├── staging/
│ └── (mirrors production structure)
├── test/
│ ├── api-authz_test.rego
│ └── data-access_test.rego
└── policy-metadata.yaml

Enterprise Policy Management Platforms

PlatformPolicy EngineKey FeaturesBest For
AxiomaticsProprietary XACMLAttribute-based, SOD, simulation, impact analysisLarge enterprises, regulated
SailPoint IIQProprietaryIGA + policy management, certificationIdentity governance
SaviyntProprietaryIGA + cloud security, policy managementCloud-first organisations
OPA + Styra DASOPA/RegoPolicy-as-code, declarative, k8s-nativeCloud-native, microservices
AWS Verified PermissionsCedarServerless, integrated with AWS servicesAWS-native applications
Google ZanzibarReBAC (proprietary)Relationship-based, massive scaleContent platforms, collaboration

Key Takeaways

  • The XACML architecture (PAP, PDP, PEP, PIP, PRP) is the canonical framework for policy-based access control — adopted beyond XACML itself by OPA, Cedar, and other modern systems
  • Policies return four possible decisions: Permit, Deny, NotApplicable, or Indeterminate — with combining algorithms (deny-overrides, permit-overrides, first-applicable) resolving conflicts
  • The policy lifecycle mirrors software development: design → develop → test → deploy → monitor → review → retire, with each phase requiring specific tooling and practices
  • Rego (OPA) is the leading policy language for cloud-native environments; Cedar (AWS) is the leading option for AWS-native architectures
  • Policies should be stored in Git with a structured repository, enabling versioning, review workflows, CI/CD testing, and rollback
  • Enterprise policy platforms range from XACML-based (Axiomatics) for regulated industries to OPA/Styra for cloud-native and Zanzibar for relationship-based models