Implementing the authorization rules with Open Policy Agent

You can customize the rules that allow or deny a request to the Stormshield KMaaS using Open Policy Agent (OPA). The policy evaluates the request inputs. If the policy forbids the request, access is denied and the "403 Forbidden" error is returned.

EXAMPLE
You can define a policy allowing access to the Stormshield KMaaS only to users from the stormshield.eu domain.

You can add an OPA policy to the following API routes. If you specify rules for other routes, they will be ignored.

  • wrap, unwrap, privilegedwrap, privilegedunwrap, rewrap, certs, digest, wrapprivatekey, privatekeydecrypt, privilegedprivatekeydecrypt, privatekeysign, encrypt, and decrypt.
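As an added illustration of the domain rule given in the EXAMPLE above (this is not a policy from the Stormshield documentation), the following Rego policy allows a request only when the caller's e-mail address belongs to the stormshield.eu domain. The input field names `input.route` and `input.user.email` are assumptions, since the request input schema is not described here.

```rego
package kmaas.authz

import rego.v1

# Deny by default: a request matched by no allow rule gets "403 Forbidden".
default allow := false

# Routes this policy is meant to govern (assumed field: input.route holds the
# API route name, e.g. "wrap" or "unwrap").
governed_routes := {"wrap", "unwrap", "rewrap"}

# E-mail domains whose users may call the KMaaS.
allowed_domains := {"stormshield.eu"}

allow if {
	input.route in governed_routes
	email_domain(input.user.email) in allowed_domains
}

# Returns the lower-cased domain part of an e-mail address, or is undefined
# when the address does not contain exactly one "@" (so allow stays false).
# The domain is compared exactly on purpose: a suffix test such as
# endswith(email, "stormshield.eu") would also accept "alice@notstormshield.eu".
email_domain(email) := domain if {
	parts := split(lower(email), "@")
	count(parts) == 2
	domain := parts[1]
}
```

The decision can be checked locally with `opa eval -d policy.rego -i input.json "data.kmaas.authz.allow"`, where `input.json` carries the assumed `route` and `user.email` fields.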

The policy enforcement is configured for each tenant and feature (i.e., KACLS, Crypto API, KAS). For more information, refer to sections:

The diagram below indicates at which stage of the requests the OPA policy is applied for the "wrap" and "unwrap" requests.