opa-permissions-wrapper-setup
CommunityEnable OPA-driven Backstage permission checks
System Documentation
What problem does it solve?
This skill helps teams integrate Open Policy Agent (OPA) with the Backstage Permission Framework so permission checks are evaluated by external Rego policies rather than hard-coded logic, enabling centralized, dynamic, and fine-grained access control across Backstage plugins.
Core Features & Use Cases
- Module wiring: Install and register @parsifal-m/plugin-permission-backend-module-opa-wrapper in the Backstage backend to delegate permission evaluation to OPA.
- Configuration: Configure permission.opa.baseUrl and policyEntryPoint in app-config.yaml to point to an OPA server and a Rego decision rule.
- Policy authoring & filtering: Author Rego policies that return ALLOW, DENY, or CONDITIONAL results to implement RBAC/ABAC rules and resource-level filtering for catalog, scaffolder, and other plugins.
- Testing & debugging: Validate policies with opa eval, enable debug logging for live inputs, and write unit or integration tests for policy behaviour and OPA client calls.
Quick Start
Add @parsifal-m/plugin-permission-backend-module-opa-wrapper to your backend, set permission.opa.baseUrl to your OPA URL and permission.opa.policy.policyEntryPoint to your Rego rule in app-config.yaml, and place your .rego file under a policies/ directory.
Dependency Matrix
Required Modules
None requiredComponents
Standard package💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: opa-permissions-wrapper-setup Download link: https://github.com/Parsifal-M/backstage-opa-plugins/archive/main.zip#opa-permissions-wrapper-setup Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
Agent Skills Search Helper
Install a tiny helper to your Agent, search and equip skill from 471,000+ vetted skills library on demand.