Skip to main content

Getting Started with the EnforceAuth Control Plane

Overview

The Professional-track entry point for Writ, the EnforceAuth control plane. It orients a new operator: what Writ governs (and what it deliberately does not), the entity hierarchy of tenant to org to system to app, how policy ships as signed bundles from Git, and how one policy travels the Define, Enforce, Audit loop from a commit to a live decision to a replayable log. A runnable OPA lab grounds it in a real first governed policy that enforces isolation at every level of the hierarchy: tenant, org, system, and app.

Who this is for

Operators, platform engineers, and security engineers who are standing up Writ for the first time. You should already know the basics from the Associate foundations course: authentication versus authorization, the PEP/PDP/PIP roles, and that the PDP on the request path is OPA or Enterprise OPA, not Writ. You will also author a small Rego policy in the lab, so this course lists OPA & EOPA Fundamentals as a prerequisite. If you need to build or refresh the Rego skill (default deny, incremental allow rules, the in operator, writing tests with with input as), work through OPA & EOPA Fundamentals first.

Outcomes

By the end of this course you will be able to:

  • State what Writ governs and why it is a control plane, not a PDP on the request path.
  • Place a policy in the entity hierarchy of tenant, org, system, and app, and explain why that scoping matters.
  • Describe how a policy becomes a signed bundle promoted from Git through dev, staging, and prod.
  • Trace one policy through Define, Enforce, and Audit, and author a default-deny OPA policy that enforces tenant, org, system, and app isolation.

Lessons

  1. What Writ governs and the entity hierarchy
  2. Signed bundles from Git and dev-to-prod promotion
  3. Define, Enforce, Audit: one policy end to end
  4. Operating Writ from the terminal with eactl

Hands-on lab

This course includes a graded lab in lab/ that models a first governed policy: a default-deny Rego policy scoped to the full tenant, org, system, and app entity hierarchy, of the kind Writ would sign into a bundle and promote. lab/policy.rego ships as a starter with the four allow rules left as a TODO(learner) stub, so the suite begins red. Open it, implement the rules until the tests pass. Clone the public labs repo and run:

git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/getting-started-writ-control-plane -v

Starts at FAIL: 4/8; the goal is PASS: 8/8.

Certification

Counts toward the Professional track. Certification is a machine-graded practical: you author a policy that the assessment engine runs against a HIDDEN opa test suite you do not see. This lab is practice for that exam.