Denied Docs

Your First Policy

Create and test your first authorization policy

In this guide, you'll create a simple authorization policy and test it in the Policy Playground. By the end, you'll understand the basic workflow of defining and validating policies in Denied.

Prerequisites

Before you begin, make sure you have:

  • A Denied Platform account (sign up here)
  • Access to at least one project

What We're Building

We'll create a policy that implements a simple ownership rule: users can only access resources they own. This is one of the most common authorization patterns and a great starting point.

Step 1: Navigate to Policies

  1. Open the Denied dashboard
  2. Make sure you have the correct project selected in the top navigation
  3. Click Governance in the sidebar
  4. Select Policies

You'll see your policy library. If this is a new project, it will be empty.

Step 2: Create a New Policy

Click the Create Policy button to open the policy creation form.

Fill in the Policy Details

Field     Value
Name      allow-own-resources
Reason    Users can access resources they own
Effect    Allow

Write the Policy Content

In the policy editor, enter the following Rego code:

# Allow access when the subject owns the resource
input.resource.properties.owner == input.subject.properties.user_id

This policy checks if the resource's owner property matches the requesting subject's user_id property. Denied Platform handles the rest — wrapping your conditions in the proper OPA structure and evaluating them against incoming requests.

Save the Policy

Click Create to save your policy. It will appear in your policy library with an Allow badge indicating its effect.

Step 3: Test in the Playground

Now let's verify the policy works as expected using the Policy Playground.

  1. Go to Governance → Playground
  2. You'll see a form where you can construct authorization requests

The Playground requires a configured decision node. If you haven't set one up yet, see Decision Nodes for instructions.

Test Case 1: Owner Accessing Their Resource (Should Allow)

Fill in the test request:

Subject Properties:

  • user_id: user-123

Resource Properties:

  • owner: user-123

Action Name: read

Click Evaluate. You should see:

Result: ALLOWED
Matched Rules: allow-own-resources

The request was allowed because the subject's user_id (user-123) matches the resource's owner (user-123).

Test Case 2: Non-Owner Accessing Resource (Should Deny)

Now test a case that should be denied:

Subject Properties:

  • user_id: user-456

Resource Properties:

  • owner: user-123

Action Name: read

Click Evaluate. You should see:

Result: DENIED

The request was denied because the subject's user_id (user-456) does not match the resource's owner (user-123), so no allow policy matched.

Step 4: Understanding the Result

When you evaluate a request, the Playground shows:

Field            Description
Result           The final decision: ALLOWED or DENIED
Matched Rules    Which policies contributed to an ALLOWED decision
Request Details  The full input that was evaluated

How Policy Evaluation Works

  1. Your authorization request is sent to the decision node
  2. The decision node loads all enabled policies from your project
  3. Each policy's conditions are evaluated against the request input
  4. If any allow policy's conditions all evaluate to true, the request is allowed
  5. If no allow policies match, the request is denied (secure by default)

Enhancing with More Policies

Let's make authorization more realistic by adding additional policies:

Policy 2: Admin Access

# Admins can access any resource
input.subject.properties.role == "admin"

Policy 3: Public Read Access

# Anyone can read public resources
input.action.name == "read"
input.resource.properties.visibility == "public"

With these three policies, access is allowed if:

  • The subject owns the resource, OR
  • The subject is an admin, OR
  • The action is read AND the resource is public

Try More Test Cases

Test your policies with these scenarios:

Subject Properties                  Resource Properties                       Action Name  Expected
{user_id: "user-1"}                 {owner: "user-1"}                         delete       Allow
{user_id: "user-2", role: "admin"}  {owner: "user-1"}                         delete       Allow
{user_id: "user-3"}                 {visibility: "public"}                    read         Allow
{user_id: "user-4"}                 {owner: "user-1", visibility: "private"}  read         Deny
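To make the evaluation steps above concrete, here is an added Python model of them run against this test matrix. It is not Denied's engine or the OPA bundle it generates; the policy names admin-access and public-read are assumed for Policies 2 and 3. It also covers an edge the table does not show: a missing property is undefined (as in Rego), so an ownerless resource never matches a subject with no user_id, and a disabled policy simply drops out of evaluation.

```python
from __future__ import annotations
from typing import Any, Callable, Optional

_UNDEFINED = object()  # stands in for an undefined Rego reference


def prop(inp: dict, *path: str) -> Any:
    """Walk input.<path>; a missing key is undefined, as in Rego, not None."""
    node: Any = inp
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return _UNDEFINED
        node = node[key]
    return node


def eq(a: Any, b: Any) -> bool:
    """Rego '==' never holds when either side is undefined."""
    return a is not _UNDEFINED and b is not _UNDEFINED and a == b


Condition = Callable[[dict], bool]

# The page's three policies, one list of conditions each. Names for the
# second and third are assumed; the page only titles them Admin Access and
# Public Read Access. A policy matches when every condition is true (Rego AND).
POLICIES: dict[str, list[Condition]] = {
    "allow-own-resources": [lambda i: eq(prop(i, "resource", "properties", "owner"),
                                         prop(i, "subject", "properties", "user_id"))],
    "admin-access": [lambda i: eq(prop(i, "subject", "properties", "role"), "admin")],
    "public-read": [lambda i: eq(prop(i, "action", "name"), "read"),
                    lambda i: eq(prop(i, "resource", "properties", "visibility"), "public")],
}


def request(subject: dict, resource: dict, action: str) -> dict:
    """Build the Playground-style input: subject/resource properties plus action name."""
    return {"subject": {"properties": subject},
            "resource": {"properties": resource},
            "action": {"name": action}}


def evaluate(inp: dict, enabled: Optional[set[str]] = None) -> dict:
    """Steps 2-5 above: only enabled policies are loaded, any policy whose
    conditions all hold allows, and no match means DENIED (secure by default)."""
    active = {n: c for n, c in POLICIES.items() if enabled is None or n in enabled}
    matched = [n for n, conds in active.items() if all(c(inp) for c in conds)]
    return {"result": "ALLOWED" if matched else "DENIED", "matched_rules": matched}
```

Passing `enabled={"allow-own-resources", "admin-access"}` reproduces a disabled public-read policy: the user-3 row then evaluates to DENIED.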

Toggling Policies

You can enable or disable policies without deleting them:

  1. Go to Governance → Policies
  2. Find your policy in the list
  3. Use the toggle switch to enable/disable

Disabled policies are not included in the OPA bundle and won't affect authorization decisions.

Next Steps

Congratulations! You've created and tested your first policy. Here's where to go next:
