Policy Writer
Available on every plan. AI-assisted generation requires the Enterprise plan.
What this is
Policy Writer is the UI layer for authoring, editing, and version-controlling OPA policies. You don't have to know Rego to use it — the wizard walks you through scope, conditions, and decision; the AI assist converts a natural-language description into working Rego; and the raw editor with CodeMirror syntax highlighting is there for the cases that need hand-tuning.
All three modes produce the same artifact: a versioned Rego policy stored in policy_documents and compiled into the OPA bundle at /api/v1/policy/bundle.
The three modes
1. Guided wizard
A 4-step flow at Policies → Library → New policy → Wizard:
- Scope — who the policy applies to (all agents, a tag, a role, a specific agent)
- Conditions — which tool / server / action triggers the policy (dropdowns populated from your live tool catalog)
- Decision — allow / deny / escalate, optionally with a reason template
- Preview — shows the generated Rego, a plain-English summary, and a dry-run against the last 100 matching events
Wizard policies round-trip losslessly: you can re-open a wizard-authored policy in the wizard and edit it without losing structure.
2. AI-assisted generation
Drop a description like "Block any write to /etc or /var outside work hours, escalate everything else on the production_admin agent" into the AI assist panel. The generator (backend/behavry/policy/ai_generator.py) returns:
- Draft Rego
- A rationale block (what decisions it made and why)
- A list of the events from the last 7 days the draft would have fired on
You review, edit, and commit. The generator is grounded on your tenant's tool catalog and policy style guide, so it won't suggest rules against tools you don't have.
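To make the scope / conditions / decision structure concrete, here is an added Rego example written for this page; it is not output from Policy Writer's wizard or from ai_generator.py, whose exact formatting the page does not show. It encodes the description quoted above. The package name, the input fields (input.agent, input.action, input.path, input.timestamp_ns) and the 09:00 to 18:00 UTC work-hours window are assumptions, since the page does not document the evaluation input schema.

```rego
# Added example, not produced by Policy Writer. Input schema and package name are assumed.
package behavry.policies.prod_admin_config_writes

import rego.v1

# --- Scope: a specific agent ---
in_scope if input.agent == "production_admin"

# --- Conditions: which action triggers the policy ---
protected_prefixes := {"/etc/", "/var/"}

# A write whose target path sits under one of the protected prefixes.
config_write if {
	input.action == "write"
	some prefix in protected_prefixes
	startswith(input.path, prefix)
}

# Work hours assumed as 09:00-18:00 UTC. time.clock returns [hour, minute, second].
# If the event carries no timestamp this rule is undefined, so a config write
# with a missing timestamp is treated as outside work hours (fail closed).
work_hours if {
	hour := time.clock([input.timestamp_ns, "UTC"])[0]
	hour >= 9
	hour < 18
}

deny_match if {
	config_write
	not work_hours
}

# --- Decision: allow / deny / escalate, with a reason template ---
# Events outside the scope fall through to allow; this policy only speaks for
# the production_admin agent.
default decision := {"effect": "allow", "reason": "out of scope"}

decision := {
	"effect": "deny",
	"reason": sprintf("write to %s outside work hours by %s", [input.path, input.agent]),
} if {
	in_scope
	deny_match
}

# The two decision bodies are mutually exclusive (deny_match vs. not deny_match),
# so OPA never sees conflicting values for the same rule.
decision := {"effect": "escalate", "reason": "production_admin action requires review"} if {
	in_scope
	not deny_match
}
```

A dry run of one captured event, assuming the policy is saved as policy.rego and the event as input.json: opa eval -d policy.rego -i input.json 'data.behavry.policies.prod_admin_config_writes.decision'. Keeping the scope, conditions and decision in separate named rules is what lets a wizard re-open the policy and edit one section without touching the others.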
3. Raw Rego editor
A CodeMirror editor with Rego syntax highlighting, OPA-native opa fmt, and inline error messages from the OPA compile step. Intended for policy authors who know what they want.
Version history
Every save creates a new version. Policies → Library → (policy) → History shows:
- A diff between any two versions
- Who authored each version and when
- A "rollback to this version" action (creates a new version; never destructive)
Version routes: backend/behavry/policy/version_routes.py, version_service.py.
Change requests
On Enterprise, policy edits can be gated by an approval workflow:
- Author saves a draft → a change request is created, not a live policy version
- Reviewers (users with the policy_author or admin role) see the draft under Policies → Changes
- On approval, the draft is promoted to a new live version
- Rejection comments are stored in the audit log
Routes: backend/behavry/policy/candidate_routes.py.
API
| Method | Path | Purpose |
|---|---|---|
| GET | /api/v1/policies | List policies |
| POST | /api/v1/policies | Create a new policy (version 1) |
| GET | /api/v1/policies/{id} | Get latest version |
| GET | /api/v1/policies/{id}/versions | List versions |
| POST | /api/v1/policies/{id}/versions | Save a new version |
| POST | /api/v1/policies/ai/draft | Generate Rego from a natural-language description |
| POST | /api/v1/policies/{id}/rollback | Create a new version identical to an earlier one |
| GET | /api/v1/policies/change-requests/pending | Pending approvals (reviewer view) |
Related
- Policy Engine — how OPA evaluates policies at runtime
- Red Team → Policy Automation — automatically generated policy candidates from red-team findings
- Inbound Rules — content-level rules that run alongside Rego