Govern with Writ (the Authorization Control Plane)
Overview
Writ is EnforceAuth's control plane for authorization policy. It is where policy is versioned, signed, promoted, and audited, without ever sitting on the request path. This Professional course teaches Writ accurately: where policy comes from, how signed bundles are auto-built from Git, how one-click dev-to-staging-to-prod promotion works, how decision logs and replay give you an audit trail you can re-run, and how the entity hierarchy (tenant to org to system to app) scopes it all. A runnable OPA lab grounds the course in the exact kind of policy artifact Writ governs.
Who this is for
Platform, security, and DevOps engineers who own authorization policy for an organization, on the EnforceAuth track or coming from open-source OPA. You should already know the PEP/PDP/PIP model and the Define, Enforce, Audit loop from the Associate foundations course (Foundations: the Authorization Gap), and you should have worked through the Rego material in OPA & EOPA Fundamentals. The lab has you author Rego, not just read it, so both prerequisites are assumed.
Outcomes
By the end of this course you will be able to:
- Describe what Writ is and, precisely, what it is not: the control plane that governs OPA, Enterprise OPA, and Cedar-compatible PDPs, not a PDP on the request path.
- Explain how a policy in Git becomes a signed bundle and how the entity hierarchy (tenant, org, system, app) scopes which bundle goes where.
- Walk one-click dev-to-staging-to-prod promotion, explain why the same signed artifact moves forward unchanged, and state how rollback works by prior
commit_sha. - Explain decision logs and replay, and why replay is what lets you test a candidate policy against real past traffic before you promote it.
- Explain that Writ governs Cedar-compatible PDPs (such as AWS Verified Permissions) as well as OPA and Enterprise OPA, that Cedar is a separate policy language and not Rego, and that Writ's signing and promotion are dialect-agnostic.
- Read a default-deny OPA policy of the kind Writ promotes and predict its allow and deny decisions.
Lessons
- What Writ is: policy sources, signed bundles, and the entity hierarchy
- Promotion: one-click dev to staging to prod
- Decision logs and replay
- Governing Cedar-compatible PDPs
Hands-on lab
This course includes a hands-on lab in lab/ that models the decision a PDP returns for one request, using the exact kind of policy artifact Writ signs and promotes. The policy ships as a starter: you author the allow rules so the test suite goes from red to green. Run it with:
git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/govern-with-writ -v
Starter state: FAIL: 3/6. Target once you complete the TODO(learner) in lab/policy.rego: PASS: 6/6.
Certification
Counts toward the Professional track. Certification is a machine-graded practical: you author a policy that the assessment engine runs against a hidden opa test suite you do not see. This lab is practice for that exam, not the exam itself. A short quiz accompanies the practical.