Skip to main content

Evaluate with Herald (Authorization MCP Server)

Overview

Herald is the evaluate product in the AI Security Fabric: an authorization MCP server that exposes authorization decisions to AI agents and MCP clients as tools. Instead of hard-coding "may I do this" into an agent, the agent calls a Herald tool over the Model Context Protocol and gets an allow or deny back. Herald's value is federation: one authorization query can join context from several systems of record, so the decision reflects who the subject really is and what is happening around them right now. To make that concrete, this course works through one example query that joins an IdP, HRIS, data warehouse, ITSM, and SIEM; treat that set as an illustration, not a fixed product spec. For the lab we also model a tool that holds a read-only scope, so it answers questions but never mutates.

This course explains what Herald is, how a federated authorization query is assembled, and how a read-only scope (which we model for the lab) shapes which actions such a tool can even ask about. A runnable OPA lab models the exact decision a Herald tool would expose, so you can see the join of federated context resolve to allow or deny.

Who this is for

Professional-track learners: platform and security engineers who will wire agents to Herald, and OSS OPA users who want to understand how an MCP-fronted authorization query maps onto Rego. You should already know the PEP/PDP/PIP model and the four products from Foundations: The Authorization Gap, and be able to author and test Rego, which is covered in OPA & Enterprise OPA Fundamentals. The lab has you write the policy's allow rules, so treat that Rego course as a hard prerequisite.

Outcomes

By the end of this course you will be able to:

  • Explain what Herald is (the authorization MCP server) and what it is not (it is not the PDP; OPA or Enterprise OPA still evaluates the policy).
  • Describe how a federated authorization query joins context from several systems of record (in this course's example: an IdP, HRIS, warehouse, ITSM, and SIEM) into one decision, and map each source to a field the policy reads.
  • Explain the read-only scope this course models and predict which actions such a Herald tool can and cannot decide.
  • Read and extend a default-deny OPA policy that models a Herald authorization query, and predict its allow and deny decisions.

Lessons

  1. Herald, the authorization MCP server
  2. Federated authorization queries
  3. Read-only scope and the deny paths

Hands-on lab

This course includes a graded lab in lab/ that models the decision a Herald authorization tool exposes for one federated query. The lab/policy.rego ships as a starter with the two allow rules left as a # TODO(learner) stub; you implement them until the tests pass. Run it with:

git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/evaluate-with-herald -v

The starter reports FAIL: 3/8; your goal is PASS: 8/8.

The lab is a real OPA policy. Herald fronts a decision like this as an MCP tool and federates the context that fills input; the decision itself is evaluated by OPA or Enterprise OPA, which is exactly what opa test exercises here. The course does not run Herald itself; it describes the MCP tool exercise accurately and grades the underlying policy.

Certification

Counts toward the Professional track. Certification is a machine-graded practical: you author a policy that the assessment engine runs against a HIDDEN opa test suite you do not see. This lab is practice for that exam.