Policy Engine
The Policy Decision Point (PDP) evaluates every authorization request in NeMo Platform. It checks role bindings and scopes against the operation’s requirements and returns allow or deny. This page covers the PDP internals, configuration, and operational details.
For the conceptual overview, see Authorization Concepts. For configuration, see Auth Configuration.
How the PDP Works
For each request, the authorization middleware:
- Extracts the principal (from JWT or headers), workspace (from URL), method, and path.
- Sends this context to the PDP.
- The PDP evaluates the Rego policy:
- Looks up the principal’s role bindings in the workspace
- Checks if the role includes the permissions required by the operation
- Checks if the token has the required scopes
- Returns allow or deny.
Embedded PDP (Default)
The embedded PDP uses a WASM-compiled Rego policy engine built into the auth service. No external OPA sidecar is required.
How It Works
- Policy data (role bindings, workspace visibility, endpoint permissions) is served by the auth service
- Data is refreshed on a configurable interval (default: 30 seconds)
Configuration
PDP URL Format
When to Use
Use embedded PDP for:
- New deployments
- Deployments that don’t already have an OPA fleet
- Simpler operations (no external OPA sidecar to manage)
This is the default in both Helm and quickstart deployments.
External OPA
An external Open Policy Agent sidecar (or server) fetches policy bundles from the auth service and evaluates requests independently.
How It Works
- OPA polls the auth service at
/internal/iam/opa-bundle.tar.gzfor the latest bundle - The bundle contains Rego policy files + data (role bindings, visibility, endpoint permissions)
- OPA caches the bundle locally; uses E-Tag for conditional requests
- Services call OPA for authorization decisions instead of the embedded PDP
Configuration
PDP URL Format
When to Use
Use external OPA when you:
- Already run OPA for other services and want a single policy engine
- Need gateway-level auth via Envoy
ext_authzwith gRPC - Want to add custom policy rules alongside NeMo Platform authorization
- Prefer to manage OPA’s lifecycle separately
Bundle Caching and Propagation Delay
The worst-case propagation delay for authorization changes is approximately 2× the cache time:
- Auth service caches the bundle server-side for
bundle_cache_seconds - OPA caches the bundle client-side for the same duration
- If OPA fetches just before server cache expires, it holds the old version
Policy Entrypoints
The PDP exposes three entrypoints:
allow — Request Authorization
The primary entrypoint. Evaluates whether the request should be allowed based on:
- Principal identity and role bindings
- Required permissions for the operation (endpoint + method)
- Token scopes
- Workspace visibility (public workspaces grant Viewer to all)
has_permissions — Programmatic Permission Checks
Services use this for fine-grained authorization beyond the middleware.
has_role — Role Checks
Check if a principal has a specific role in a workspace. Used less frequently than has_permissions.
Policy Data
The PDP operates on two types of data:
Static Data
Defined in static-authz.yaml in the auth service:
- Role definitions: Which permissions each role includes (Viewer, Editor, Admin, PlatformAdmin)
- Endpoint mappings: Which permissions and scopes each endpoint + method requires
Dynamic Data (runtime)
Loaded from the entity store:
- Role bindings: Which principals have which roles in which workspaces
Related
- Auth Configuration — PDP provider settings and environment variables.
- Authorization Concepts — RBAC model and role propagation.
- API Scopes — Scope checking in the PDP.
- Security Model — Architecture and trust boundaries.