Today's tech blogger: Ritu Sinha, Head of Data Mesh Engineering, Distinguished Engineer

In an era of data mesh and decentralized data governance, the ability to define, manage, and enforce policies programmatically – ‘policies as code’ – is a game-changer.

Why policies as code (PoC)?

  • Automation: policies can be enforced automatically, reducing manual errors and bottlenecks.
  • Governance, versioning and auditability: policies become well-governed, version-controlled, traceable, and testable.
  • Transparency and consistency: policies are applied transparently based on data properties and are enforced uniformly across platforms and domains.
  • Scalability: policies are easily extended to new data products, domains, or regulatory requirements.
This approach brings rigor, automation, and auditability to access controls and governance, enabling organizations to scale compliance and security across complex data landscapes.

So it’s timely to take a look at how the W3C ODRL (Open Digital Rights Language) standard is being used in data mesh to define machine-readable policies, and how Open Policy Agent (OPA) executes these policies in real time. This combination offers a powerful, interoperable, and extensible solution for modern data governance.

ODRL: the standard for policy definition

ODRL (Open Digital Rights Language) is a W3C standard for expressing policies in a machine-readable format. It's domain-agnostic and scalable, making it ideal for defining access controls, usage restrictions, and governance policies.

ODRL policies are declarative, human-readable, and can be stored, versioned, and shared across systems.

OPA and Rego: a policy execution engine

Open Policy Agent (OPA) is an open-source, general-purpose policy engine that decouples policy decision-making from application logic. Three core components of OPA are:

Rego
OPA’s declarative policy language that is used to write rules that define policy decisions. It allows you to express logic about what is allowed or denied, based on conditions derived from input and data.

Data
The static or semi-static JSON document that is loaded into OPA, often representing organizational policies, roles, permissions, or other reference information. It provides context or configuration that Rego can refer to during evaluation. In Janus, we use the policy-as-code definitions in ODRL as Data.

Input
The JSON document that is provided to OPA at runtime, representing dynamic information – for example request details, user identity, or resource being accessed. These inputs are fed into the Rego at runtime and used in decision-making.

In the UBS enterprise data mesh, the Rego rules are written generically around the patterns of ODRL constraint operators, so that new policies can be defined and loaded as Data at runtime rather than by changing the Rego.

Bridging ODRL and OPA/Rego

  • Definition: policies are authored in ODRL for interoperability and governance.
  • Translation: ODRL constraints are mapped to Rego rules (can be automated via tooling).
  • Execution: OPA evaluates Rego policies against real-time inputs (e.g., user attributes, data product metadata).

This separation of concerns enables:

  • Policy authorship by governance teams (ODRL)
  • Policy enforcement by engineering teams (OPA/Rego)
  • Auditability and traceability across the policy lifecycle

OPA can ingest ODRL-defined policies, evaluate them against runtime data, and return decisions to applications, APIs, or data platforms.
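As an added illustration (an editor's example, not Janus or UBS code), here is a Python stand-in for the generic Rego evaluation the section describes: the ODRL policy plays the role of the OPA Data document, the request plays the role of the Input, and the evaluator dispatches on the ODRL constraint operator rather than on any policy-specific logic. The ODRL field names and operators are from the ODRL 2.2 information model; the sample policy, the attribute names and the use of "role" as a leftOperand are constructed assumptions.

```python
"""Generic evaluator for ODRL-style policies held as OPA 'data', applied to a
runtime 'input' document, in the role the page assigns to the Rego rules."""

# Subset of the ODRL 2.2 operator vocabulary mapped to predicates; the Rego
# equivalent is one rule per operator, so new policies never need new Rego.
OPERATORS = {
    "eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
    "lt": lambda a, b: a < b, "lteq": lambda a, b: a <= b,
    "gt": lambda a, b: a > b, "gteq": lambda a, b: a >= b,
    "isAnyOf": lambda a, b: a in b, "isNoneOf": lambda a, b: a not in b,
}

def constraint_holds(constraint: dict, attrs: dict) -> bool:
    """True only if the leftOperand is present in the input and the operator is
    known; anything else fails closed so a malformed policy cannot widen access."""
    op = OPERATORS.get(constraint["operator"])
    if op is None or constraint["leftOperand"] not in attrs:
        return False
    return op(attrs[constraint["leftOperand"]], constraint["rightOperand"])

def rule_matches(rule: dict, request: dict) -> bool:
    """An ODRL rule applies when target, action and every constraint match."""
    return (rule["target"] == request["resource"]
            and rule["action"] == request["action"]
            and all(constraint_holds(c, request["attributes"])
                    for c in rule.get("constraint", [])))

def decide(policy: dict, request: dict) -> bool:
    """Allow iff some permission matches and no prohibition does (prohibition wins)."""
    if any(rule_matches(r, request) for r in policy.get("prohibition", [])):
        return False
    return any(rule_matches(r, request) for r in policy.get("permission", []))

# Constructed sample policy (the OPA 'data'): PBAC on role plus LAAC on location.
# 'spatial' is an ODRL leftOperand; 'role' is an assumed domain-specific one.
POLICY = {
    "permission": [{"target": "dp:client-positions", "action": "read", "constraint": [
        {"leftOperand": "role", "operator": "isAnyOf", "rightOperand": ["analyst", "risk"]},
        {"leftOperand": "spatial", "operator": "isAnyOf", "rightOperand": ["CH", "GB"]}]}],
    "prohibition": [{"target": "dp:client-positions", "action": "read", "constraint": [
        {"leftOperand": "role", "operator": "eq", "rightOperand": "risk"},
        {"leftOperand": "spatial", "operator": "eq", "rightOperand": "GB"}]}],
}

def request(role, spatial=None):
    """Constructed runtime 'input' document; spatial=None models a missing attribute."""
    attrs = {"role": role} if spatial is None else {"role": role, "spatial": spatial}
    return {"resource": "dp:client-positions", "action": "read", "attributes": attrs}
```

Adding a new constraint to the policy changes only the Data document; the evaluator only grows when ODRL introduces a new operator.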

Use cases in UBS enterprise data mesh

In the data mesh implementation, we’re leveraging this ‘policy as code’ pattern for all kinds of decision making. Our use cases include:

  • Policy-Based Access Control (PBAC): role-based access controls based on policies
  • Location Aware Access Control (LAAC): access allowed to a user based on their location
  • Data governance and data management framework compliance (DMF Score): enforce metadata completeness, SLOs, and compliance requirements
  • Data mesh governance: policy driven decisions on lifecycle state transitions etc.

PoC, using ODRL for definition and OPA/Rego for execution, is a best practice for scalable, auditable, and automated data governance. It empowers organizations to move fast without breaking compliance, and to adapt quickly to new requirements.
