A high-performance, programmable access-control and governance layer for protecting APIs and sensitive data using Policy-Based Access Control (PBAC).
This is the Community Edition of the Manetu PolicyEngine — a fully functional policy engine that you can embed in your applications or run as a standalone service. It provides everything you need to author, test, and enforce access control policies.
For organizations requiring enterprise-grade audit storage, centralized policy administration, a Kubernetes Operator for sidecar automation, and advanced observability features, a Premium Edition is available through Manetu. See the documentation for a full feature comparison.
The Manetu PolicyEngine (MPE) enables organizations to enforce fine-grained, context-aware access control policies using Open Policy Agent (OPA) and the Rego policy language.
```
┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│   Application   │────▶│  Policy Engine  │────▶│    OPA/Rego     │
│     (PEP)       │     │     (PDP)       │     │   Evaluation    │
└─────────────────┘     └─────────────────┘     └─────────────────┘
```
- OPA Integration - Built on Open Policy Agent for industry-standard policy evaluation
- PolicyDomain Model - Self-contained bundles organizing policies, roles, scopes, and mappers
- Multi-Phase Evaluation - Layered decision process (operation, identity, resource, scope policies)
- Developer Tooling - CLI for building, linting, testing, and serving policies
- Flexible Deployment - Embeddable Go library or standalone gRPC/HTTP service
Using Homebrew (macOS/Linux):

```shell
brew tap manetu/tap
brew install mpe
```

Using Go:

```shell
go install github.com/manetu/policyengine/cmd/mpe@latest
```

```yaml
# my-domain.yml
apiVersion: iamlite.manetu.io/v1alpha4
kind: PolicyDomain
metadata:
  name: my-first-domain
spec:
  policies:
    - mrn: &allow-all "mrn:iam:policy:allow-all"
      name: allow-all
      rego: |
        package authz
        default allow = false
        allow { input.principal != {} }
  roles:
    - mrn: "mrn:iam:role:admin"
      name: admin
      policy: *allow-all
```

```shell
# Lint your PolicyDomain
mpe lint -f my-domain.yml

# Run policy tests
echo {} | mpe test decision -b my-domain.yml
```

- API Gateway Authorization - Protect microservices with centralized policy decisions
- Data Access Governance - Control who can access sensitive data and under what conditions
- Service Mesh Integration - Works with Envoy and other service mesh sidecars
- Compliance Enforcement - Implement GDPR, HIPAA, and SOX access controls
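The quick-start PolicyDomain above grants everything to any authenticated principal. As an added example (not part of the project's own documentation), the same domain extended with a deny-by-default read-only policy bound to a second role; the `input.operation` field and the `viewer` role name are assumptions, since the page only shows `input.principal`:

```yaml
# my-domain.yml (extended example; see assumptions in the comments)
apiVersion: iamlite.manetu.io/v1alpha4
kind: PolicyDomain
metadata:
  name: my-first-domain
spec:
  policies:
    - mrn: &allow-all "mrn:iam:policy:allow-all"
      name: allow-all
      rego: |
        package authz
        default allow = false
        allow { input.principal != {} }
    - mrn: &read-only "mrn:iam:policy:read-only"
      name: read-only
      rego: |
        package authz
        # Deny by default; grant only when an authenticated principal
        # performs one of the listed read operations.
        default allow = false
        # Assumption: the requested operation name arrives as
        # input.operation (the quick start only shows input.principal).
        read_ops := {"get", "list", "watch"}
        allow {
          input.principal != {}
          read_ops[input.operation]
        }
  roles:
    - mrn: "mrn:iam:role:admin"
      name: admin
      policy: *allow-all
    # Assumed role name; binds the restrictive policy via its YAML anchor.
    - mrn: "mrn:iam:role:viewer"
      name: viewer
      policy: *read-only
```

Run `mpe lint -f my-domain.yml` after editing to catch schema or Rego errors before testing a decision.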
For comprehensive documentation, tutorials, and API reference, visit:
https://manetu.github.io/policyengine
- Introduction - What MPE is and what it offers
- How It Works - Architecture overview (PDP, PEP, PORC)
- Getting Started - Installation and setup
- Quick Start - Create your first PolicyDomain
- Concepts - PBAC, PolicyDomains, and core concepts
- Integration - Embed the Go library or use the HTTP API
- CLI Reference - Command-line tool documentation
Contributions are welcome! Please feel free to submit issues and pull requests.
See LICENSE for details.