Policy as Code

Policy as code is the idea of writing code in a high-level language to manage and automate policies. By representing policies as code in text files, proven software development best practices can be adopted such as version control, automated testing, and automated deployment.

Many existing policy or ACL systems do not practice policy as code. Many policies are set by clicking in a GUI, which isn't easily repeatable nor versionable. They usually don't provide any system for testing policies other than testing an action that would violate the policy. This makes it difficult for automated testing. And the policy language itself varies by product.

Sentinel is built around the idea and provides all the benefits of policy as code.


policy as code provides a number of benefits:

  • Sandboxing. Policies provide the guardrails for other automated systems. As the number of automated systems grow, there is also a growing need to protect those automated systems from performing dangerous actions. Manual verification is too slow; policies need to be represented as code to keep up with other automated systems.

  • Codification. By representing policy logic as code, the information and logic about a policy is directly represented in code and can be augmented with comments rather than relying on oral tradition to learn about the reason for policies.

  • Version Control. Policies are encouraged to be stored as simple text files managed by a version control system. This lets you gain all the benefits of a modern VCS such as history, diffs, pull requests, and more.

  • Testing. Policies are just code. Their syntax and behavior can be easily validated with Sentinel. This also encourages automated testing such as through a CI. Paired with a VCS system, this allows a pull request workflow to verify that a policy keeps the system behavior as expected before merging.

  • Automation. With all policies as code in simple text files, various automation tools can be used. For example, it is trivial to create tools to automatically deploy the policies into a system.

Sentinel and Policy as Code

Sentinel fully embraces policy as code in a number of ways:

  • Language. All Sentinel policies are written using the Sentinel language. This language is made to inputted directly to text files. As an additional benefit, all Sentinel-enabled applications share the same policy language.

  • Development. Sentinel provides a CLI for development and testing. This local CLI can be used to verify policies before deploying them to a system.

  • Testing. Sentinel provides a test framework designed specifically for automation. This allows developers and CI systems to further verify policies.