Skip to main content

Decision Logs, Continuous Authorization & Compliance Evidence

Overview

A Professional-track course for GRC and platform teams. It covers what a decision log is and why it is the backbone of continuous authorization, how to keep sensitive fields out of those logs with Enterprise OPA decision_logs.mask (and the open-source system.log.mask equivalent), and how the resulting logs become compliance evidence for frameworks like HIPAA, DORA, the EU AI Act, SOX, and SOC 2 at a high level. A runnable OPA lab produces a structured decision and proves that masking removes the right fields.

Who this is for

EnforceAuth customers on the GRC or platform side who own audit, evidence, and control attestation. You should already understand the Authorization Gap and the PEP/PDP/PIP model from foundations-authorization-gap, and you should be comfortable authoring Rego. The lab has you write policy rules, so complete the Rego material in opa-eopa-fundamentals (default deny, incremental allow-if rules, the in operator, and opa test) first if you have not.

Outcomes

By the end of this course you will be able to:

  • Describe the decision-log model: what a single log event contains and why continuous authorization depends on logging every decision, not just denials.
  • Configure field-level masking so PII and PHI never enter a decision log, using Enterprise OPA decision_logs.mask and the OPA system.log.mask rule.
  • Explain, at a high level and with attribution, how decision logs plus Writ replay map to evidence requirements in HIPAA, DORA, the EU AI Act, SOX, and SOC 2.
  • Read a policy that emits a structured decision and predict both its allow/deny outcome and which logged fields get masked.

Lessons

  1. The decision-log model and continuous authorization
  2. Masking sensitive fields with Enterprise OPA
  3. From decision logs to compliance evidence

Hands-on lab

This course includes a graded lab in lab/. It has a policy that returns a structured decision (outcome plus reason plus obligations), a system.log.mask policy that strips sensitive fields from a decision-log event, and an opa-config.yaml that wires that masking into the decision-log pipeline. The policy ships as a starter with the two authorizing reason rules stubbed behind a # TODO(learner) block: you implement them until the suite passes. Clone the public labs repo and run:

git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/decision-logs-and-compliance-evidence -v

The starter reports FAIL: 2/9. Implement the TODO in lab/policy.rego until it reports PASS: 9/9. Keep iterating until opa test is green.

Certification

Counts toward the Professional track. Certification is a machine-graded practical: you author a policy that the assessment engine runs against a HIDDEN opa test suite you do not see. This lab is practice for that exam.