
I tried to implement some simpler cases with OPA's policy language, Rego (https://www.openpolicyagent.org/docs/latest/policy-language/), and found it overly cumbersome. A simple check like "if user is in group A and in group C, but must not be in group C" is hard to express in this language. It would be a trivial task in any somewhat decent programming language (e.g. JavaScript).

I understand why restricting the possibilities with an external DSL might be a good idea, but I consider Rego to be too restricted. I mean, in the end a policy is just a function saying basically "yes" or "no" (I know, it's not that simple with OPA, but it boils down to access yes/no, anyway).




I am not sure how your groups are structured, but something like this might work for this [0] use case:

    package play

    import rego.v1

    # Default deny: allow is false unless the rule below succeeds
    default allow := false

    allow if {
        user := input.id

        # every expression in the body must hold (implicit AND)
        user in data.groups.A
        user in data.groups.B
        not user in data.groups.C
    }
[0] https://play.openpolicyagent.org/p/adMo9TE9bS
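As an added example (not part of the original comment), here is a Rego unit test file that exercises the policy above against constructed group data, including the edge case the thread is about (a user who is in A and B but also in C must be denied). It assumes the policy lives in package `play` and that `data.groups` maps group names to sets of user ids; both the user ids and the `groups` document are made up for the test.

```rego
package play_test

import rego.v1

import data.play

# Constructed sample memberships (assumption: data.groups.<name> is a set of user ids).
groups := {
	"A": {"alice", "bob", "carol"},
	"B": {"alice", "carol", "dave"},
	"C": {"carol"},
}

# In A and B, not in C: the only combination that should be allowed.
test_in_a_and_b_not_c_allowed if {
	play.allow with input as {"id": "alice"} with data.groups as groups
}

# In A, B and C: membership in C must override the other two.
test_in_a_b_and_c_denied if {
	not play.allow with input as {"id": "carol"} with data.groups as groups
}

# In A only: missing B must deny.
test_in_a_only_denied if {
	not play.allow with input as {"id": "bob"} with data.groups as groups
}

# In B only: missing A must deny.
test_in_b_only_denied if {
	not play.allow with input as {"id": "dave"} with data.groups as groups
}

# Unknown user: the default-deny must hold, and not-in-C alone must not grant access.
test_unknown_user_denied if {
	not play.allow with input as {"id": "mallory"} with data.groups as groups
}

# Missing input.id: the rule body cannot bind user, so allow must stay false.
test_missing_id_denied if {
	not play.allow with input as {} with data.groups as groups
}
```

Save the policy as `policy.rego` and this file as `policy_test.rego`, then run `opa test -v .`; each `test_` rule passes when its body evaluates to true. The `with` keyword swaps in the constructed `input` and `data.groups` per test, so no external data files are needed and the deny paths (default rule, unknown user, missing id) are checked explicitly rather than assumed.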



