Liking cljdoc? Tell your friends :D

Manetu PolicyEngine

A high-performance, programmable access-control and governance layer for protecting APIs and sensitive data using Policy-Based Access Control (PBAC).

Community Edition

This is the Community Edition of the Manetu PolicyEngine — a fully functional policy engine that you can embed in your applications or run as a standalone service. It provides everything you need to author, test, and enforce access control policies.

For organizations requiring enterprise-grade audit storage, centralized policy administration, a Kubernetes Operator for sidecar automation, and advanced observability features, a Premium Edition is available through Manetu. See the documentation for a full feature comparison.

Overview

The Manetu PolicyEngine (MPE) enables organizations to enforce fine-grained, context-aware access control policies using Open Policy Agent (OPA) and the Rego policy language.

┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│   Application   │────▶│  Policy Engine  │────▶│   OPA/Rego      │
│   (PEP)         │     │  (PDP)          │     │   Evaluation    │
└─────────────────┘     └─────────────────┘     └─────────────────┘

Key Features

OPA Integration - Built on Open Policy Agent for industry-standard policy evaluation
PolicyDomain Model - Self-contained bundles organizing policies, roles, scopes, and mappers
Multi-Phase Evaluation - Layered decision process (operation, identity, resource, scope policies)
Developer Tooling - CLI for building, linting, testing, and serving policies
Flexible Deployment - Embeddable Go library or standalone gRPC/HTTP service

Quick Start

Install the CLI

Using Homebrew (macOS/Linux):

brew tap manetu/tap
brew install mpe

Using Go:

go install github.com/manetu/policyengine/cmd/mpe@latest

Create a PolicyDomain

# my-domain.yml
apiVersion: iamlite.manetu.io/v1alpha4
kind: PolicyDomain
metadata:
  name: my-first-domain
spec:
  policies:
    - mrn: &allow-all "mrn:iam:policy:allow-all"
      name: allow-all
      rego: |
        package authz
        default allow = false
        allow { input.principal != {} }

  roles:
    - mrn: "mrn:iam:role:admin"
      name: admin
      policy: *allow-all

Validate and Test

# Lint your PolicyDomain
mpe lint -f my-domain.yml

# Run policy tests
echo {} | mpe test decision -b my-domain.yml

Use Cases

API Gateway Authorization - Protect microservices with centralized policy decisions
Data Access Governance - Control who can access sensitive data and under what conditions
Service Mesh Integration - Works with Envoy and other service mesh sidecars
Compliance Enforcement - Implement GDPR, HIPAA, and SOX access controls

Documentation

For comprehensive documentation, tutorials, and API reference, visit:

https://manetu.github.io/policyengine

Introduction - What MPE is and what it offers
How It Works - Architecture overview (PDP, PEP, PORC)
Getting Started - Installation and setup
Quick Start - Create your first PolicyDomain
Concepts - PBAC, PolicyDomains, and core concepts
Integration - Embed the Go library or use the HTTP API
CLI Reference - Command-line tool documentation

Contributing

Contributions are welcome! Please feel free to submit issues and pull requests.

License

See LICENSE for details.

Can you improve this documentation? These fine people already did:
Greg Haskins & Gregory HaskinsEdit on GitHub

cljdoc builds & hosts documentation for Clojure/Script libraries

Keyboard shortcuts

`Ctrl`+`k`	Jump to recent docs
`←`	Move to previous article
`→`	Move to next article
`Ctrl`+`/`	Jump to the search field

Raise an issue Browse cljdoc source Chat on Slack

× close