
Examples

This section contains complete, production-ready examples demonstrating the power and flexibility of the Manetu PolicyEngine. Each example includes:

  • A complete PolicyDomain definition with all necessary policies, roles, groups, and resource groups
  • Test cases that you can run with mpe test decision to verify behavior
  • Detailed explanations of the design decisions and patterns used

Featured Examples

![Overview](./assets/overview.svg)

Unix Filesystem Permissions

Implements classic Unix-style permission bits (read/write for owner/group/other) using MPE's annotation system. Demonstrates how to:

  • Use resource annotations to store permission bits
  • Compare principal identity against resource ownership
  • Check group membership for group-level permissions
  • Fall back to "other" permissions for unrelated principals

MCP Server Access Control

Protects Model Context Protocol (MCP) servers with fine-grained access control for both metadata operations (tool:list, prompt:list) and data-path operations (tool:call, resource:read). Demonstrates:

  • Operation-based routing for different API endpoints
  • Tool-level permissions using annotations
  • Server registration and discovery controls

Multi-Tenant SaaS

Implements tenant isolation for a SaaS application where users belong to organizations and can only access resources within their tenant. Features:

  • Strict tenant boundary enforcement
  • Cross-tenant admin access for support teams
  • Organization-based group membership
  • Tenant-scoped resource groups

Healthcare Data Access (HIPAA)

Models HIPAA-compliant access control for electronic health records (EHR) with role-based access, patient consent, and break-glass emergency procedures. Includes:

  • Role hierarchy (physician, nurse, admin, patient)
  • Patient consent checking via resource annotations
  • Break-glass emergency access with audit flags
  • Minimum necessary access principle

API Quotas and Rate Limiting

Demonstrates using MPE for API quota enforcement and tiered access levels. Shows how to:

  • Define subscription tiers with different limits
  • Use annotations to track quota metadata
  • Implement feature flags per subscription level
  • Distinguish between billing tiers at policy evaluation time

Running the Examples

Each example includes a complete PolicyDomain YAML file and test input. Download links are available on each example page.

1. Validate the PolicyDomain

mpe lint -f policydomain.yml

2. Test Policy Decisions

# Test a specific scenario
mpe test decision -b policydomain.yml -i input.json

# Check just the decision
mpe test decision -b policydomain.yml -i input.json | jq .decision

3. Explore the Full Access Record

# See all policy references and phase evaluations
mpe test decision -b policydomain.yml -i input.json | jq .

Building Your Own

These examples are designed to be starting points. Feel free to:

  1. Copy and modify any example to fit your use case
  2. Combine patterns from multiple examples
  3. Extract reusable logic into Policy Libraries

Best Practices Demonstrated

These examples showcase several recommended patterns:

  • Default deny for tri-level policies: Using default allow = -1 with positive grants instead of explicit denies
  • Utils library pattern: Extracting common helpers like has_principal into a shared utils library
  • Set iteration: Using some x in {...} for concise, maintainable Rego
  • Operation prefixes: Using prefixes like mcp: to enable meaningful identity phase checks
  • Multiple libraries: Combining general utilities with domain-specific helpers

For more details on these patterns, see Writing Concise Rego and The Utils Library Pattern.

For more information on building PolicyDomains, see:
