Policy Library
This library collects reusable Rego patterns and domain-specific examples for PBAC extensions. Each entry follows the same structure: the problem it solves, a complete Rego implementation, the policy data it reads, a test you can run against a live instance, and common variations.
All examples target the oauth.evaluations_ext package (called during /token and /introspect) unless otherwise noted. For background on how extensions work, see the Rego for PBAC primer.
By pattern
Generic patterns that apply across domains.
| Pattern | What it does |
|---|---|
| Deny by Default | Start with everything denied. Grant access via explicit allowlists in policy data. |
| Attribute-Based Access | Gate decisions on software statement claims, subject attributes, or PIP-sourced data. |
| Time-Bound Access | Set short token TTLs for agent clients, restrict access to business hours, or expire grants automatically. |
| Delegation Chains | Validate token exchange chains — enforce depth limits and prevent scope expansion across hops. |
By sector
Domain-specific examples built on the patterns above.
| Sector | Examples |
|---|---|
| Healthcare | Consent-as-obligation, cross-jurisdiction data sharing, FHIR resource access |
| Government | Clearance-level enforcement, inter-agency delegation, audit obligations |
| Agents | Trust-tier enforcement, JIT single-use tokens, MCP tool-call gating |
Sector pages are coming soon. In the meantime, see Use Cases for domain scenarios.
How to read these examples
Each pattern page is structured the same way:
- Problem — what authorization requirement this addresses
- Rego — the complete extension, ready to upload via the Admin API
- Policy data — the JSON payload to seed into data.oauth via PATCH /admin/api/policy-data/oauth
- Test — curl commands to verify allowed and denied cases against a running instance
- Variations — common modifications and how to combine with other patterns
Policy data keys live under data.oauth in your seed payload but are available in Rego as data.oauth_config.* — PBAC rewrites the key to prevent OPA recursion during bundle evaluation. Use data.oauth_config (not data.oauth) in all Rego references.
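As an added illustration of the key rewrite (this is example code written for this page, not an extension shipped by PBAC), the following deny-by-default extension reads an allowlist that was seeded under data.oauth and references it as data.oauth_config. The rule name deny, the input fields input.client_id and input.requested_scopes, and the allowed_clients layout of the seed payload are assumptions for the example; the extension contract in the Rego for PBAC primer is authoritative for the real names.

```rego
# Example extension (not PBAC's own code). Demonstrates reading seeded
# policy data through data.oauth_config. Rule name, input fields and the
# data layout are assumptions for illustration.
package oauth.evaluations_ext

import rego.v1

# Assumed seed payload, sent with PATCH /admin/api/policy-data/oauth:
#   {"allowed_clients": {"billing-agent": ["invoices:read"]}}
# In Rego the same object is reachable as data.oauth_config.allowed_clients.
# Referencing data.oauth.allowed_clients here would be undefined, and with
# the default below that silently denies every request.

# Deny by default: nothing is permitted until a rule proves otherwise.
default deny := true

# Permit only when the client is explicitly listed and every requested
# scope is inside that client's allowlist. A client missing from the
# allowlist leaves the rule body undefined, so the default (deny) applies.
deny := false if {
	allowed := data.oauth_config.allowed_clients[input.client_id]
	every scope in input.requested_scopes {
		scope in allowed
	}
}

# Optional diagnostic for audit logs: which condition caused the denial.
deny_reason := "client not present in data.oauth_config.allowed_clients" if {
	not data.oauth_config.allowed_clients[input.client_id]
}

deny_reason := "requested scope outside the client's allowlist" if {
	allowed := data.oauth_config.allowed_clients[input.client_id]
	some scope in input.requested_scopes
	not scope in allowed
}
```

With the assumed seed above, a request from billing-agent for invoices:read evaluates deny to false, while a request for invoices:write, or any request from an unlisted client, keeps the default of true and sets deny_reason accordingly. The comment about data.oauth is the practical check to make when an extension denies everything unexpectedly: confirm the Rego references data.oauth_config, because a reference to data.oauth is undefined rather than an error.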