Decision Logs, Continuous Authorization & Compliance Evidence
Overview
A Professional-track course for GRC and platform teams. It covers what a decision log is and why it is the backbone of continuous authorization, how to keep sensitive fields out of those logs with Enterprise OPA decision_logs.mask (and the open-source system.log.mask equivalent), and how the resulting logs become compliance evidence for frameworks like HIPAA, DORA, the EU AI Act, SOX, and SOC 2 at a high level. A runnable OPA lab produces a structured decision and proves that masking removes the right fields.
Who this is for
EnforceAuth customers on the GRC or platform side who own audit, evidence, and control attestation. You should already understand the Authorization Gap and the PEP/PDP/PIP model from foundations-authorization-gap, and you should be comfortable authoring Rego. The lab has you write policy rules, so complete the Rego material in opa-eopa-fundamentals (default deny, incremental allow-if rules, the in operator, and opa test) first if you have not.
Outcomes
By the end of this course you will be able to:
- Describe the decision-log model: what a single log event contains and why continuous authorization depends on logging every decision, not just denials.
- Configure field-level masking so PII and PHI never enter a decision log, using Enterprise OPA
decision_logs.maskand the OPAsystem.log.maskrule. - Explain, at a high level and with attribution, how decision logs plus Writ replay map to evidence requirements in HIPAA, DORA, the EU AI Act, SOX, and SOC 2.
- Read a policy that emits a structured decision and predict both its allow/deny outcome and which logged fields get masked.
Lessons
- The decision-log model and continuous authorization
- Masking sensitive fields with Enterprise OPA
- From decision logs to compliance evidence
Hands-on lab
This course includes a graded lab in lab/. It has a policy that returns a structured decision (outcome plus reason plus obligations), a system.log.mask policy that strips sensitive fields from a decision-log event, and an opa-config.yaml that wires that masking into the decision-log pipeline. The policy ships as a starter with the two authorizing reason rules stubbed behind a # TODO(learner) block: you implement them until the suite passes. Clone the public labs repo and run:
git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/decision-logs-and-compliance-evidence -v
The starter reports FAIL: 2/9. Implement the TODO in lab/policy.rego until it reports PASS: 9/9. Keep iterating until opa test is green.
Certification
Counts toward the Professional track. Certification is a machine-graded practical: you author a policy that the assessment engine runs against a HIDDEN opa test suite you do not see. This lab is practice for that exam.