Domain-Based Resource Separation with Open Policy Agent (OPA)
The request hits your desk: enforce strict isolation between resources in a multi-tenant system. No excuses. No leaks. The clock is ticking.
Open Policy Agent (OPA) with domain-based resource separation is the fastest, most reliable way to solve this without tearing apart your stack. Instead of scattering access checks through code, OPA centralizes policies, making them clear, testable, and easy to enforce at scale.
Domain-based resource separation means each tenant, customer, or business unit is treated as its own domain with hard boundaries. Policies must inspect the domain of the request and match it against the domain of the resource. If they differ, access is denied—no matter who’s making the call.
With OPA, these rules are defined in Rego, OPA’s policy language. You load metadata about domains, resources, and relationships into OPA’s data store. Then you craft a policy that enforces separation at the most granular level your architecture supports. The policy runs close to your services, as a sidecar, a library, or a centralized API, so requests are filtered before they touch sensitive data.
Example Rego snippet for domain separation:
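    package authz

    # Deny unless a rule below explicitly allows the request.
    default allow = false

    # Allow only when the requester's domain equals the resource's domain.
    allow {
        input.user.domain == input.resource.domain
    }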
This reads the same way every time: if the requester’s domain matches the resource’s domain, allow it. Everything else is blocked. You can add conditions for roles, environment, or compliance tags without weakening the core domain barrier.
OPA supports decision logging, so every permit or deny action can be stored for audits, incident review, or compliance reporting. Coupled with tools like Terraform, Kubernetes admission controls, or API gateways, OPA enforces domain-based separation across infrastructure and app layers.
The beauty is policy as code. You can unit test it. You can version control it. You can deploy changes in minutes. You remove ambiguity, guesswork, and dangerous “it should be fine” assumptions.
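The following is an added example, not code from the original article. It goes one step beyond the snippet above by reading the resource's owning domain from OPA's data store instead of from the request, and it includes unit tests. The package name, the data layout, the `editor` role, and the action names are assumptions, and it uses `import rego.v1` syntax (OPA 0.59 or later).

```rego
package authz_example

import rego.v1

# Added example; the layout below is assumed, not taken from the article:
#   data.resources[<id>] = {"domain": <owning domain>}
#   input = {"user": {"domain", "roles"}, "resource": {"id"}, "action"}

default allow := false

# Core barrier: the owning domain comes from trusted data, not from the caller.
# An unknown resource id or an empty domain never matches.
same_domain if {
	owner := data.resources[input.resource.id].domain
	owner != ""
	input.user.domain == owner
}

# Extra conditions only narrow access; every allow rule requires same_domain.
allow if {
	same_domain
	input.action == "read"
}

allow if {
	same_domain
	input.action == "write"
	"editor" in input.user.roles # hypothetical role name
}

# Constructed fixtures for the tests below.
fixtures := {"doc-1": {"domain": "tenant-a"}, "doc-2": {"domain": ""}}

test_same_domain_read_allowed if {
	req := {"user": {"domain": "tenant-a", "roles": []}, "resource": {"id": "doc-1"}, "action": "read"}
	allow with input as req with data.resources as fixtures
}

test_cross_domain_editor_denied if {
	req := {"user": {"domain": "tenant-b", "roles": ["editor"]}, "resource": {"id": "doc-1"}, "action": "write"}
	not allow with input as req with data.resources as fixtures
}

test_empty_domain_never_matches if {
	req := {"user": {"domain": "", "roles": []}, "resource": {"id": "doc-2"}, "action": "read"}
	not allow with input as req with data.resources as fixtures
}
```

Save it as a `.rego` file and run `opa test .` in that directory; all three tests should pass.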
If your system holds data for multiple tenants, domain-based resource separation with OPA is not optional—it’s the backbone of trust and security. Done right, it scales without slowing development.