OPA Management and Control Plane: Styra DAS


Manage Open Policy Agent at Scale

Ensure OPA policy is managed, maintained, distributed and monitored across the cloud-native stack

Styra Declarative Authorization Service was purpose-built by the founders of Open Policy Agent as the unified control plane for operationalizing OPA in production.


Why Styra DAS for OPA Management?

Production-ready OPA requires policy management, updates, distribution, monitoring, and more

Styra DAS was purpose-built by the founders of OPA to serve as a unified control plane throughout the policy lifecycle:

  • Manage policy-as-code as part of an established GitOps process
  • Validate the impact of policy changes before committing or deploying
  • Distribute policy across clusters, clouds and teams
  • Monitor authorization decisions in real time, and historically, to ensure policy works as expected
  • Trust the industry's only security solution built by the founders of Open Policy Agent

Manage Policy as Code

Treat policy-as-code as a first-class citizen in CI/CD

When policy is defined as code, it should be managed as code. GitOps defines the new way of continuous delivery for cloud-native environments. With Git as the source of truth for describing deployments, all change requests must be handled as code and maintained in the Git repository.

Styra DAS allows teams to author policy via the Styra UI, CLI or APIs, and then store the subsequent policies in Git. Styra also includes the ability to fetch policy bundles from Git and distribute them to the appropriate Open Policy Agent instances.


Validate Before Deployment

Ensure policy will have the intended effect before committing or deploying

Any change to authorization policy can result in broken access or broken apps. While GitOps peer reviews help eliminate errors, teams are only human, and cannot be expected to be perfect. Styra DAS was built specifically to manage critical OPA policy at scale, and that means providing a way to validate changes before committing them.

Since Styra DAS keeps a record of all previous policy decisions, teams can use the past to predict the future, and evaluate new policy changes automatically. This replay ability ensures that policy changes end up with expected results. Unit testing, compliance checking and policy output validation all mitigate the risk of human error, and prevent downtime or accidental risk.


Distribute Policy Across the Stack

Eliminate time spent building custom policy distribution and storage

Arriving at a single policy often takes cross-functional coordination, communication and agreement. But maintaining consistent policy across teams, clusters, clouds and more shouldn’t be a superhuman task.  

Styra DAS was designed from day one to manage and simplify policy distribution across OPA instances, wherever they are in the stack. Whether for application-level authorization like ACLs, RBAC, ABAC or IAM, for authorizing appropriate access to data, or for defining and evaluating infrastructure policy at the cloud/host or Terraform level, Styra DAS provides a streamlined solution for consistent deployments.


Monitor Authorization Decisions

Prove that policy is present, effective and performant both in real time, and historically

When policy-as-code is critical for security, compliance or privacy purposes, monitoring becomes essential. Outages or anomalous behavior should feed SIEMs and SecOps processes to speed response and thwart attacks. Styra DAS provides real-time data to not only verify authorization performance, but also to provide early insights that can indicate business risk.

Communicating policy-as-code effectiveness across teams—especially teams of non-coders—can be a real challenge. That’s why Styra DAS also provides detailed decision logs that show the input and output of OPA policy decisions. Every decision can be displayed visually, and historical decisions can be replayed through current authorization policy to demonstrate where policy changes and updates have taken effect. Styra DAS lets teams prove the value of policy-as-code, even when auditors, security, or compliance teams aren't coders.

 


Get More from OPA

Trust the only security solution built by the founders of Open Policy Agent

Styra DAS was designed and built to allow developers, DevOps and platform teams to focus on making their apps work better, and more securely, by focusing on OPA policy itself and not the operational nuances of deployment.

Eliminate the distraction of policy storage design and maintenance, testing, distribution and monitoring, and free developers to solve crucially differentiated problems (and make better apps).


At Styra, we believe that Open Source holds the keys to the future. That's why we founded the Open Policy Agent (OPA) project, donated it to the CNCF and continue to contribute to it (along with a great community of other folks).

With the power of OPA for local enforcement, and Styra as a management plane, we’ve helped many DevOps and Platform teams implement control over their apps and infrastructure. In those deployments, we’ve picked up quite a few best practices, and we’re happy to share those insights with you.

Whether you’re looking for help with a particularly complex evaluation, or you want to distribute proven policy across clouds, the OPA founding team is here to help get you unstuck, with whatever tools or knowledge you need to move forward.
