Policy as Code · Apache 2.0
iam-policy-as-code
Rego/OPA policy library for IAM scenarios — Conditional Access patterns, SoD policies, RBAC blueprints, OAuth scope governance.
About
Open-source library of Rego policies covering the most common IAM authorization scenarios — Conditional Access policy patterns with portable equivalents across Okta and Entra, SoD policy rules for SOX-regulated scope, RBAC blueprints for B2B SaaS organizations with roles and permissions, OAuth scope governance rules for resource-server validation, and JIT-elevation approval workflows.
Designed to drop into OPA Gatekeeper for Kubernetes admission control, OPA sidecar deployments for microservices, or standalone OPA for batch policy evaluation. Each policy includes test cases, documentation explaining the IAM scenario it implements, and references to the controlling regulatory framework (SOX ITGC, NIST 800-53 AC family, ISO 27001 A.5 access control).
Features
- Conditional Access policy patterns (high-risk sign-in, sensitive-action escalation, geo-anomaly)
- SoD policy rules with toxic-combination detection
- RBAC blueprints for B2B SaaS Organizations + roles + permissions
- OAuth scope governance rules for resource server validation
- JIT elevation approval workflows
- Test cases for every policy with input/output examples
- Documentation linking each policy to controlling regulatory framework
- CI integration examples (GitHub Actions, GitLab CI, OPA bundle distribution)
Install
# Clone for bundled use
git clone https://github.com/askmeidentity/iam-policy-as-code.git
# Or pull individual policy bundles via OPA bundle API
# https://github.com/askmeidentity/iam-policy-as-code#bundle-distribution
Usage
package iam.conditional_access
import rego.v1
# Block sign-in if risk score above threshold + no MFA
deny contains msg if {
    input.risk_score > 75
    not input.session.mfa_complete
    msg := "High-risk sign-in requires MFA"
}
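The same rego.v1 style applied to the SoD toxic-combination feature listed above, as an added example that is not code from the iam-policy-as-code library: the role names and the pair table are constructed for illustration, and the `test_` rules follow the per-policy test convention the library describes.

```rego
package iam.sod

import rego.v1

# Constructed toxic-combination table for an accounts-payable scope
# (example values, not the library's own data). Holding every role in
# any one pair violates segregation of duties.
toxic_pairs := {
    {"ap_invoice_create", "ap_invoice_approve"},
    {"vendor_master_edit", "ap_payment_release"},
    {"gl_journal_post", "gl_journal_approve"},
}

# Roles the subject holds, normalised to a set so duplicates do not matter.
# An undefined input.subject.roles yields an empty set, i.e. no violation.
user_roles := {r | some r in input.subject.roles}

# One deny message per toxic pair fully contained in the subject's roles.
deny contains msg if {
    some pair in toxic_pairs
    every role in pair {
        role in user_roles
    }
    msg := sprintf("toxic role combination: %v", [sort(pair)])
}

# Decision consumed by the caller: allow only when nothing was denied.
default allow := false

allow if count(deny) == 0

# Unit tests in the library's convention; run with `opa test .`
test_toxic_pair_denied if {
    inp := {"subject": {"roles": ["ap_invoice_create", "ap_invoice_approve", "reader"]}}
    msgs := deny with input as inp
    count(msgs) == 1
    not allow with input as inp
}

test_two_pairs_two_messages if {
    inp := {"subject": {"roles": ["ap_invoice_create", "ap_invoice_approve", "gl_journal_post", "gl_journal_approve"]}}
    count(deny) == 2 with input as inp
}

test_single_role_per_pair_allowed if {
    inp := {"subject": {"roles": ["ap_invoice_create", "gl_journal_approve", "vendor_master_edit"]}}
    allow with input as inp
}
```

Because `deny` is a set, the `allow` decision and the evaluated messages can be exposed separately (for example `data.iam.sod.allow` and `data.iam.sod.deny`) so a resource server can both enforce and log the specific pair that fired.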
Related resources