Policy Management
Policy Management allows administrators to create, version, test, and manage role-based access control (RBAC) policies using Open Policy Agent (OPA) and the Rego policy language. These policies govern what users can access and do within the system based on their roles, the resource type, and the action being performed.
Overview
Section titled “Overview”The policy management interface is organized into two tabs:
- Policies — Create and manage RBAC policies
- Evaluations — View the history of policy evaluation decisions
Managing Policies
Section titled “Managing Policies”Viewing Policies
Section titled “Viewing Policies”The Policies tab displays a table of all configured policies with the following columns:
| Column | Description |
|---|---|
| Name | The unique identifier for the policy |
| Version | The current version number |
| Status | Active or Inactive |
| Last Modified | When the policy was last updated |
| Actions | Edit, Test, History, and Delete buttons |
Creating a Policy
Section titled “Creating a Policy”- Click the Create Policy button in the top-right corner.
- In the dialog that appears, fill in:
- Policy Name — A unique identifier (e.g.,
document_access_policy) - Policy Content — The policy logic written in Rego syntax
- Policy Name — A unique identifier (e.g.,
- Click Create Policy to save.
Example Policy Structure
Section titled “Example Policy Structure”A typical policy follows this pattern:
package innqualis.rbac
import rego.v1
default allow := false
allow if { input.user.role == "admin"}
allow if { input.user.role == "qa_manager" input.action in ["read", "approve"]}
allow if { input.user.role == "user" input.action == "read" not input.resource.is_confidential}Editing a Policy
Section titled “Editing a Policy”- Click the Edit button (pencil icon) on the policy row.
- Update the Version number and Policy Content as needed.
- Click Update Policy to save changes.
Deleting a Policy
Section titled “Deleting a Policy”- Click the Delete button (trash icon) on the policy row.
- Confirm the deletion in the confirmation dialog.
Testing Policies
Section titled “Testing Policies”The test framework allows you to validate policies against specific scenarios before they affect production access control.
Running Tests
Section titled “Running Tests”- Click the Test button (test tube icon) on a policy row.
- The test dialog opens with pre-populated sample test cases.
- Each test case defines:
- Test Case Name — A descriptive label
- User ID — The user to simulate
- Resource Type — Document, Deviation, CAPA, or Training
- Resource ID — The specific resource (optional)
- Action — Read, Write, Approve, Reject, or Delete
- Expected Result — Allow or Deny
- Click Add Test Case to create additional scenarios.
- Click Run Tests to execute all test cases against the policy.
Understanding Test Results
Section titled “Understanding Test Results”After running tests, results appear showing:
- Test Case number
- Pass/Fail status badge
- Expected vs. Actual decision (Allow or Deny)
A test passes when the actual policy decision matches the expected result.
Viewing Policy Evaluations
Section titled “Viewing Policy Evaluations”The Evaluations tab shows a chronological log of real policy evaluation decisions made by the system. Each entry includes:
| Column | Description |
|---|---|
| Policy | Which policy was evaluated |
| User | The user whose access was checked |
| Resource | The resource type and ID |
| Action | The action that was requested |
| Decision | Allow (green) or Deny (red) |
| Timestamp | When the evaluation occurred |
This log is useful for:
- Debugging access issues reported by users
- Auditing who accessed what and when
- Verifying that policy changes produce the expected behavior
Version History
Section titled “Version History”Click the History button (clock icon) on any policy to view its version history. This shows previous versions of the policy content, helping you track changes over time and understand when and why access rules were modified.
Best Practices
Section titled “Best Practices”- Version policies incrementally when making changes so you can track the evolution of access rules.
- Test before deploying — Always run the test suite after modifying a policy to catch unintended access changes.
- Use descriptive names — Policy names should clearly indicate what they control (e.g.,
document_approval_policy,training_access_policy). - Start restrictive — Default to denying access (
default allow := false) and explicitly grant permissions for specific roles and actions. - Review evaluations regularly — Check the evaluations log periodically to identify unexpected deny decisions that might indicate policy issues.