Stage 3 · Build
Advanced Auth & Tenant Security
Policy Engines
Evaluate permissions with Casbin, OPA, resource attributes, deny rules, and policy test fixtures.
Why Policy Engines
RBAC handles simple role-based access. But some permissions depend on resource attributes, time of day, IP address, or combinations of conditions. Policy engines evaluate complex rules without embedding them in application code.
Casbin
Open Policy Agent
package auth
default allow = false
# Admins can do anything
allow {
input.role == "admin"
}
# Users can read their own data
allow {
input.action == "GET"
input.resource_type == "users"
input.resource_id == input.user_id
}
# Members can read organization data
allow {
input.action == "GET"
input.memberships[_].org_id == input.org_id
}
# Deny access to suspended users
deny {
input.user_status == "suspended"
}OPA uses Rego, a policy language. Policies are stored as files and evaluated at runtime. This enables fine-grained, attribute-based access control.
Resource Attributes
Deny Rules
Deny rules take precedence over allow rules. If a user matches a deny rule, they are denied regardless of any allow rules. This prevents privilege escalation through role combinations.
# Deny access outside business hours for non-admins
deny {
input.role != "admin"
not business_hours(input.time)
}
# Deny access from unknown IP ranges
deny {
not allowed_ip(input.ip_address)
}
# Deny destructive operations on production
deny {
input.environment == "production"
input.action in ["DELETE", "DROP", "TRUNCATE"]
input.role != "superadmin"
}Deny rules are evaluated before allow rules. They provide a safety net for security-critical restrictions that should override any positive permission.
Policy Testing
Casbin is simpler and embeds directly in Go applications. OPA is more powerful and works across languages via HTTP. Use Casbin for Go-only projects. Use OPA for polyglot environments.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.