Recipe: ABAC policy writer (OPA / Cedar style)

Generate attribute-based access control policies from natural-language descriptions. Outputs Rego for OPA or Cedar for AWS Verified Permissions.

Input

Describe your access rule in plain English. Include the resource type, action, and the attributes that must match.

Example: Allow engineers in the security org to read audit logs created after 2024-01-01 if their clearance level is TS/SCI.

Output

The recipe emits a complete policy file with the correct syntax, imports, and deny-by-default fallback.

Rego (OPA)

package meridian.auth

import rego.v1

# Deny by default: a request is permitted only when the allow rule below fires.
default allow := false

# Engineers in the security org with TS/SCI clearance may read audit logs
# created on or after 2024-01-01. The cutoff is compared as an RFC 3339
# timestamp: a bare 2024-01-01 literal would be parsed as integer arithmetic.
allow if {
  input.user.role == "engineer"
  input.user.org == "security"
  input.user.clearance == "TS/SCI"
  input.resource.type == "audit_log"
  time.parse_rfc3339_ns(input.resource.created) >= time.parse_rfc3339_ns("2024-01-01T00:00:00Z")
  input.action == "read"
}
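
A unit-test file for the Rego output, added here as an example and not generated by the recipe. It assumes the policy is saved as `meridian/auth.rego` with this file beside it, that the engineer role arrives as `input.user.role`, and that `resource.created` is an RFC 3339 string; run it with `opa test .`. The cutoff test fails whenever the date is compared as a bare `2024-01-01` literal, which Rego evaluates as arithmetic rather than a date.

```rego
package meridian.auth_test

import rego.v1

import data.meridian.auth

# Constructed request satisfying every condition of the generated policy.
# Assumes the role lives in input.user.role and created is an RFC 3339 string.
base_input := {
  "user": {"role": "engineer", "org": "security", "clearance": "TS/SCI"},
  "resource": {"type": "audit_log", "created": "2024-03-15T10:00:00Z"},
  "action": "read",
}

# Evaluate the policy against a given request document.
decision(req) := d if {
  d := auth.allow with input as req
}

test_allow_security_engineer_reads_recent_log if {
  decision(base_input)
}

test_deny_insufficient_clearance if {
  not decision(object.union(base_input, {"user": {"clearance": "SECRET"}}))
}

# Guards the cutoff comparison against the bare-literal date mistake.
test_deny_log_created_before_cutoff if {
  not decision(object.union(base_input, {"resource": {"created": "2023-12-31T23:59:59Z"}}))
}

test_deny_write_action if {
  not decision(object.union(base_input, {"action": "write"}))
}

# Deny-by-default: a request missing a required attribute never matches.
test_deny_when_clearance_missing if {
  not decision(json.remove(base_input, ["user/clearance"]))
}
```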

Cedar

// Cedar denies by default: only requests matched by a permit are authorized.
// `created` is modelled as a Long of Unix epoch seconds because Cedar has no
// date literal; 1704067200 is 2024-01-01T00:00:00Z.
permit(
  principal in Role::"engineer",
  action == Action::"read",
  resource is AuditLog
)
when {
  principal.org == "security" &&
  principal.clearance == "TS/SCI" &&
  resource.created >= 1704067200
};

Attributes supported

  • User role, org, clearance, region
  • Resource type, owner, classification
  • Action (read, write, delete, admin)
  • Temporal constraints (created, expires)
  • IP range / CIDR blocks
  • MFA status, device trust

This recipe is available in the Meridian Pro tier.