
jitsudo policy

Manage eligibility and approval OPA policies. Requires admin role.

jitsudo policy <subcommand> [flags]
| Subcommand | Description |
| --- | --- |
| list | List all stored policies |
| get | Get a policy by ID |
| apply | Create or update a policy from a Rego file |
| delete | Delete a policy by ID |
| eval | Dry-run policy evaluation against the current policy set |

List all policies stored in the control plane.

jitsudo policy list

Output:

ID NAME TYPE ENABLED UPDATED
pol_01... sre-eligibility eligibility true 2026-03-01T10:00:00Z
pol_02... prod-approval approval true 2026-03-01T10:05:00Z
pol_03... break-glass eligibility false 2026-03-15T08:00:00Z

Print the full details and Rego source of a policy.

jitsudo policy get <policy-id>

Output:

ID: pol_01J8KZ4F2EMNQZ3V7XKQYBD4W
Name: sre-eligibility
Type: eligibility
Enabled: true
Description: SRE team eligibility for production AWS access
Updated: 2026-03-01T10:00:00Z
--- Rego ---
package jitsudo.eligibility
default allow = false
allow {
    input.user.groups[_] == "sre"
    input.request.provider == "aws"
}

Create or update a policy from a Rego file (upsert by name).

jitsudo policy apply -f <file.rego> [flags]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --file <path> | | Path to the Rego policy file (required) |
| --name <name> | Filename without .rego | Policy name (used as the upsert key) |
| --type <type> | eligibility | Policy type: eligibility or approval |
| --description <text> | | Human-readable description |
| --disable | false | Create the policy in disabled state |

Examples:

# Apply an eligibility policy
jitsudo policy apply -f sre-eligibility.rego
# Apply an approval policy with a name and description
jitsudo policy apply \
-f prod-approval.rego \
--name prod-approval \
--type approval \
--description "Require SRE lead approval for production access"
# Apply but leave disabled for testing
jitsudo policy apply -f new-policy.rego --disable

Output:

Policy sre-eligibility (eligibility) applied — id: pol_01J8KZ4F2EMNQZ3V7XKQYBD4W

Delete a policy by ID. This is irreversible — the Rego source is permanently removed.

jitsudo policy delete <policy-id>

Output:

Policy pol_01J8KZ4F2EMNQZ3V7XKQYBD4W deleted.

Dry-run policy evaluation without making any state changes. Useful for testing policies before applying them or debugging why a request was rejected.

jitsudo policy eval --input <json> [--type <type>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --input <json> | | JSON-encoded OPA input document (required) |
| --type <type> | eligibility | Policy type to evaluate: eligibility or approval |

Input structure:

{
  "user": {
    "email": "[email protected]",
    "groups": ["sre", "oncall"]
  },
  "request": {
    "provider": "aws",
    "role": "prod-infra-admin",
    "resource_scope": "123456789012",
    "duration_seconds": 3600
  }
}

Examples:

# Test eligibility for an AWS request
jitsudo policy eval \
--input '{"user":{"email":"[email protected]","groups":["sre"]},"request":{"provider":"aws","role":"prod-infra-admin","resource_scope":"123456789012","duration_seconds":3600}}'
# Test approval policy
jitsudo policy eval \
--type approval \
--input '{"user":{"email":"[email protected]","groups":["sre-lead"]},"request":{"provider":"aws","role":"prod-infra-admin","resource_scope":"123456789012","duration_seconds":3600}}'

Output:

allowed: true
# or
allowed: false
reason: user is not in the sre group
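The eligibility policy printed by `jitsudo policy get` above only checks group and provider. The following is an added example, not from the jitsudo docs, of an eligibility policy over the same input document that also bounds the role and the grant duration and fails closed when a field is missing; it is written in Rego v1 syntax (`import rego.v1`) rather than the older syntax shown above, and it assumes that a `deny` set is how a policy surfaces the `reason` line (the real output schema is in the Writing Policies guide). The `allowed_roles` map and the 4-hour cap are constructed values.

```rego
package jitsudo.eligibility

import rego.v1

# Constructed example: roles the SRE group may request, keyed by provider.
allowed_roles := {"aws": {"prod-infra-admin", "prod-infra-readonly"}}

# Longest grant this policy accepts (4 hours), an assumed limit.
max_duration_seconds := 14400

default allow := false

# Eligible only when no deny rule fired (fail closed).
allow if count(deny) == 0

deny contains "user is not in the sre group" if {
	not "sre" in input.user.groups
}

deny contains msg if {
	not input.request.role in allowed_roles[input.request.provider]
	msg := sprintf("role %q is not requestable via provider %q", [input.request.role, input.request.provider])
}

deny contains msg if {
	input.request.duration_seconds > max_duration_seconds
	msg := sprintf("duration %d exceeds the %d second cap", [input.request.duration_seconds, max_duration_seconds])
}

# A request with no duration must not slip past the cap check above.
deny contains "request has no duration_seconds" if {
	not is_number(input.request.duration_seconds)
}

# Tests (run with `opa test .`); keep them in a separate file so they are not applied.
ok_request := {"user": {"groups": ["sre", "oncall"]}, "request": {"provider": "aws", "role": "prod-infra-admin", "duration_seconds": 3600}}

test_sre_admin_allowed if {
	allow with input as ok_request
}

test_non_sre_denied if {
	req := object.union(ok_request, {"user": {"groups": ["dev"]}})
	not allow with input as req
	"user is not in the sre group" in deny with input as req
}

test_long_duration_denied if {
	req := object.union(ok_request, {"request": {"duration_seconds": 86400}})
	not allow with input as req
}
```

Once `opa test` passes, run the same cases through `jitsudo policy eval --input ...` against the applied policy set to confirm the control plane evaluates them the same way.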

All jitsudo policy subcommands accept these global flags:

| Flag | Default | Description |
| --- | --- | --- |
| --server <url> | Stored credentials | Control plane URL |
| --token <token> | Stored credentials | Bearer token override |
| -o, --output <format> | table | Output format: table, json, yaml |
| -q, --quiet | false | Suppress non-essential output |
| --debug | false | Enable debug logging |

Policy types:

| Type | Purpose | Evaluated when |
| --- | --- | --- |
| eligibility | Is this user allowed to request this role/scope? | At request submission |
| approval | Who must approve? Can it be auto-approved? | At request review |

See the Writing Policies guide for Rego examples and the full input/output schema.