slug: / sidebar_position: 1

import useBaseUrl from '@docusaurus/useBaseUrl';

Introduction

<img src={useBaseUrl('/img/mpe-logo.svg')} alt="Manetu PolicyEngine Logo" style={{float: 'right', height: '125px', marginLeft: '20px', marginBottom: '10px'}} />

The Manetu PolicyEngine (MPE) is a programming language agnostic access-control and governance layer that organizations use to protect software assets such as Application Programming Interfaces (APIs) and sensitive data using a Policy-Based Access Control (PBAC) model.

As a core component of the Manetu governance platform, MPE provides the policy evaluation engine that enables fine-grained, context-aware access control across data, APIs, and services. It features a high-performance, flexible architecture with comprehensive tooling for policy development and testing.

Community and Premium Editions

The Manetu PolicyEngine is available in two editions:

• — (this project) A fully functional policy engine that you can embed in your applications or run as a standalone service. It provides everything you need to author, test, and enforce policies.

• — Commercial enhancements available through a licensing arrangement with Manetu. Premium builds on the Community foundation to add enterprise-grade capabilities for organizations with advanced governance, observability, and operational requirements.

Feature Comparison

:::info The Premium Edition requires integration via the HTTP interface to enable enterprise features such as centralized audit and policy coordination. The embeddable Go library is available only in the Community Edition. :::

Interested in Premium features? Contact Manetu to learn more.

Who This Documentation Is For

• Developers who need to integrate the Manetu PolicyEngine into their applications
• Policy Authors who need to develop policies for applications protected by the Manetu PolicyEngine
• DevOps Engineers who need to deploy and manage policy decision points

Key Features

<SectionHeader icon="security" level={3}>Least Privilege by Design

The PolicyEngine is architected to make the Principle of Least Privilege practical at scale:

• Default DENY: Access is denied unless explicitly granted—new principals start with zero permissions
• Observable Decisions: Every authorization decision generates an AccessRecord with full context
• Policy Replay: Test policy changes against real traffic before deploying
• Evidence-Based Refinement: Start with strict policies and iteratively expand access based on observed needs, not guesswork

This observable architecture transforms access control from a guessing game into an evidence-based practice. Rather than granting broad permissions "just in case," you can safely start restrictive and expand access precisely where it's demonstrated necessary. See Audit & Access Records for details on the iterative refinement workflow.

<SectionHeader icon="integration" level={3}>Open Policy Agent Integration

The Manetu PolicyEngine is built on Open Policy Agent (OPA), an open-source engine for executing policy statements. You can use the rich ecosystem for designing and debugging policy expressions in the Rego language to precisely control access to your resources.

<SectionHeader icon="layers" level={3}>PolicyDomain Model

Policies are organized into PolicyDomains - self-contained bundles that define:

• Policies: Rego code that makes access control decisions
• Policy Libraries: Reusable Rego code shared across policies
• Roles: Named policy assignments for identity-based access
• Groups: Collections of roles for organizational structure
• Resource Groups: Policy assignments for resource-based access
• Resources: Selector-based routing of resources to groups (v1alpha4+)
• Scopes: OAuth-style permission boundaries
• Operations: Route requests to appropriate policies
• Mappers: Transform external inputs (like Envoy requests) into PORC expressions

<SectionHeader icon="terminal" level={3}>Developer-Friendly Tooling

The mpe CLI provides comprehensive tooling for the policy development lifecycle:

• mpe build: Compile PolicyDomain definitions from external Rego files
• mpe lint: Validate YAML syntax and lint embedded Rego code
• mpe test: Test policy decisions with various inputs
• mpe serve: Run a local policy decision point for development

Advanced debugging capabilities include --trace mode for line-by-line policy evaluation tracing. The Premium Edition adds decision replay with visual code coverage, benchmarking, and historical analysis.

<SectionHeader icon="architecture" level={3}>Cloud-Native Architecture

MPE is built for modern, web-scale microservice architectures:

• Language Agnostic: Protect resources consistently across services written in any language—Go, Python, Java, TypeScript, Rust, and more—using a unified HTTP API
• Horizontally Scalable: Stateless PDPs scale out effortlessly to meet any performance or availability requirements
• Flexible Deployment: Run the PDP embedded in your application, as a 1:1 sidecar, or as a shared standalone service
• Decoupled Updates: Update policies independently without recompiling or redeploying your applications
• Multi-Architecture: Native support for both amd64 and arm64 infrastructure

Next Steps

• How It Works - Understand the architecture before diving in
• Getting Started - Set up your development environment
• Quick Start - Create your first PolicyDomain
• Concepts - Understand core concepts in depth
• Integration - Integrate the PolicyEngine into your application
• Reference - Complete CLI and schema reference