Modules & Files

A module is one policy file.
  • Must start with a package declaration
  • Optional imports
  • Then one or more rules
package app.auth

import data.roles
import data.helpers as H

default allow = false

Rules

Value Rules (with if/else bodies)

allow if {
  input.user == "admin"
} else if {
  input.action == "read"
}
  • Branching with else
  • Each block is a query of literals

Default Rules

default allow = false
  • Sets a fallback value if no other rule branch applies

Function Rules

allow(u, a) := true if {
  u == "admin"
} else if {
  a == "read"
}
  • Rules can take arguments, like functions

Set & Object Rules

# Set membership
my_ids[id] if {
  id := input.items[_].id
  id > 1000
}

# Object construction
user_roles[uid] := role if {
  role := data.roles[uid]
}

Comprehension Rules

allowed_names := [n | u := input.users[_]; u.allowed; n := u.name]
project_ids   := {p | p := input.projects[_].id}
role_by_user  := { u.id: u.role | u := input.users[_] }

Expressions & Queries

Literals

  • Plain expressions and negated expressions (not expr)
  • some is the existential quantifier, every the universal one
some i
not blocked[i]

every u in input.users { u.active }

Assignments & Comparisons

x := input.value
x in [1,2,3]
count(input.items) >= 5

Arithmetic & Boolean

total := price * quantity + tax
# Expressions in a rule body are ANDed together; Rego has no infix `and` keyword
ok if { input.age >= 18; not input.banned }

References & Calls

v1 := input.user.name
v2 := data.groups["admins"].members
r  := helper.add(2,3)

With Modifiers

allow with data.now as "2025-06-01T00:00:00Z"
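
A complete module that combines the constructs above, as an added example that is not from the original page. It assumes standard Rego syntax; data.blocked_users, the input fields and the test_ rule names are hypothetical. The default rule makes the policy fail closed, and with replaces input and data to check both the allow and the deny paths.

```rego
package app.auth

import data.roles

# Fail closed: any request that matches no allow rule is denied.
default allow = false

# Admins, according to the roles document (keyed by user id), may do anything.
allow if {
  roles[input.user] == "admin"
}

# Authenticated, non-blocked users may read.
# input.authenticated is assumed to be set by the calling service after it
# has verified the token, since JWT builtins are listed as not supported.
allow if {
  input.authenticated
  input.action == "read"
  not blocked
}

# data.blocked_users is a hypothetical list of user ids.
blocked if input.user in data.blocked_users

# Checks: `with` overrides input/data for a single evaluation.
test_admin_allowed if {
  allow with input as {"user": "u1", "action": "delete"}
    with data.roles as {"u1": "admin"}
}

# A missing input.authenticated leaves the rule body undefined, so the default applies.
test_unauthenticated_denied if {
  not allow with input as {"user": "u2", "action": "read"}
    with data.roles as {}
    with data.blocked_users as []
}

test_blocked_reader_denied if {
  not allow with input as {"user": "u3", "action": "read", "authenticated": true}
    with data.roles as {}
    with data.blocked_users as ["u3"]
}
```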

Collections & Scalars

Arrays, Objects, Sets

a := [1,2,3]
o := {"x":1, "y":2}
s := {1,2,3}

Scalars & Variables

n := 42
s := "hello"
t := true
z := null

Quantifiers

  • some / every
some item in input.items
item.active

every u in input.users {
  u.age >= 18
}

Negation

  • not
deny if {
  not input.authenticated
}

Membership

  • in
"admin" in input.user.roles

Builtins (Supported Categories)

Aggregates

n := count(input.items)
sum_ok := sum([1,2,3]) == 6
min_val := min([4,9,1])

Arrays

array.slice([1,2,3,4], 1, 3)  # [2,3]

Sets

u := union({{1,2},{2,3}})

Objects

ks := object.keys({"a":1,"b":2})

Strings

ok := contains("hello world", "world")

Numbers

cl := ceil(3.2)  # 4

Time

ts := time.parse_rfc3339_ns("2024-01-01T00:00:00Z")

Conversions & Encoding

j := json.marshal({"x":1})

Regex

regex.match(`^\d+$`, "12345")

Semver

semver.is_valid("1.2.3")

Not Yet Supported

  • Crypto / Tokens / JWT: Not supported by design (e.g., crypto.*, jwtverify*, jwtencode*)
  • HTTP: http.send — not implemented
  • GraphQL: graphql.* — not implemented
  • Glob matching: regex.globs_match — not implemented
  • JSON Patch: json.patch — not implemented
  • Networking: net.* — not implemented
  • AWS Providers: providers.aws.* — not implemented
  • Rego Meta: rego.metadata.*, rego.parse_module — not implemented
  • Template rendering: strings.render_template — not implemented