
Writing your first Policy

This guide will walk you through creating your first Sentrie policy step by step.

A Sentrie policy file consists of exactly one namespace and at least one policy:

  • Namespace: A container for related policies.
  • Policy: A named collection of rules.

A policy consists of:

  • Rules: Individual decision logic.
  • Facts: Input data for the policy.
  • Exports: Rules that are exported to make them available for external evaluation.
First, create a directory for the policy pack and initialise it (the original listing created one directory and changed into another; both now use the same name):

mkdir example-policy-pack
cd example-policy-pack
sentrie init example-policy-pack

Create first-policy.sentrie in that directory and start with the namespace declaration:

first-policy.sentrie
namespace com/example/user_management

Next, add a policy block named user_access:

first-policy.sentrie
namespace com/example/user_management

policy user_access {
  -- policy content goes here
}

Declare a User shape that describes the input data the policy expects:

first-policy.sentrie
namespace com/example/user_management

shape User {
  role: string
  status: string
}

policy user_access {
  -- policy content goes here
}

Declare the facts the policy receives: a required user fact of shape User, and an optional context fact (marked with ?) that carries a default value:

first-policy.sentrie
namespace com/example/user_management

shape User {
  role: string
  status: string
}

policy user_access {
  fact user: User as currentUser
  fact context?: Context as ctx default {"environment": "production"}
}

Add a rule. allow_admin yields true when the user's role is admin:

first-policy.sentrie
namespace com/example/user_management

shape User {
  role: string
  status: string
}

policy user_access {
  fact user: User as currentUser
  fact context?: Context as ctx default {"environment": "production"}

  rule allow_admin = {
    yield user.role == "admin"
  }
}

Add a second rule, allow_user, which yields true for a user whose role is user and whose status is active:

first-policy.sentrie
namespace com/example/user_management

shape User {
  role: string
  status: string
}

policy user_access {
  fact user: User as currentUser

  rule allow_admin = {
    yield user.role == "admin"
  }

  rule allow_user = {
    yield user.role == "user" and user.status == "active"
  }
}

Let's use the output of the allow_admin rule to update the allow_user rule, so that admins are allowed as well. The previous yield line is kept as a comment to show what changed:

first-policy.sentrie
namespace com/example/user_management

shape User {
  role: string
  status: string
}

policy user_access {
  fact user: User as currentUser

  rule allow_admin = {
    yield user.role == "admin"
  }

  rule allow_user = {
    -- before: yield user.role == "user" and user.status == "active"
    yield allow_admin or user.role == "user" and user.status == "active"
  }
}

Finally, export the decisions of both rules so they can be evaluated from outside the policy. Here's the complete policy that checks user access:

first-policy.sentrie
namespace com/example/user_management

shape User {
  role: string
  status: string
}

policy user_access {
  fact user: User as currentUser

  rule allow_admin = {
    yield user.role == "admin"
  }

  rule allow_user = {
    yield allow_admin or user.role == "user" and user.status == "active"
  }

  export decision of allow_admin
  export decision of allow_user
}
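
To see what the finished policy decides for concrete inputs, here is a plain-Python model of its User shape and two rules, with a few constructed sample facts. It is an added illustration, not Sentrie code and not part of the Sentrie project, and it assumes that in Sentrie "and" binds tighter than "or", as in most languages.

```python
# Added illustration: a Python model of the user_access policy above.
# Not Sentrie code. Assumes `and` binds tighter than `or` in Sentrie, so
# `allow_admin or user.role == "user" and user.status == "active"` reads as
# `allow_admin or (user.role == "user" and user.status == "active")`.

# Mirrors `shape User { role: string  status: string }`.
USER_SHAPE = {"role": str, "status": str}


def check_shape(fact: dict, shape: dict) -> None:
    """Reject a fact that does not satisfy its shape (missing or mistyped field)."""
    for field, typ in shape.items():
        if field not in fact:
            raise ValueError(f"fact is missing required field '{field}'")
        if not isinstance(fact[field], typ):
            raise ValueError(f"field '{field}' must be of type {typ.__name__}")


def allow_admin(user: dict) -> bool:
    """rule allow_admin = { yield user.role == "admin" }"""
    return user["role"] == "admin"


def allow_user(user: dict) -> bool:
    """rule allow_user = { yield allow_admin or user.role == "user" and user.status == "active" }"""
    return allow_admin(user) or (user["role"] == "user" and user["status"] == "active")


def evaluate(user: dict) -> dict:
    """Return both exported decisions for one User fact, after validating its shape."""
    check_shape(user, USER_SHAPE)
    return {"allow_admin": allow_admin(user), "allow_user": allow_user(user)}


# Constructed sample facts. Note the second one: allow_admin never looks at
# status, so an admin whose status is "suspended" is still allowed by both rules.
SAMPLE_USERS = [
    {"role": "admin", "status": "active"},
    {"role": "admin", "status": "suspended"},
    {"role": "user", "status": "active"},
    {"role": "user", "status": "suspended"},
    {"role": "guest", "status": "active"},
]

if __name__ == "__main__":
    for fact in SAMPLE_USERS:
        print(fact, "->", evaluate(fact))
```

Running it tabulates the decisions per sample fact; a fact that does not match the User shape is rejected before any rule runs.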

Now that you’ve written your first policy, learn how to run your policy to see it in action.