
Policy testing and simulation

SecureAuth Connect includes a built-in policy evaluation mechanism that lets you run a policy against sample input and see the result before the policy affects real traffic. Use it to catch unintended allows or denies while the policy is still being authored, and to verify policy changes before rolling them out through your CI/CD pipeline.

Test mode in the visual policy editor

The visual policy editor has a Test mode that accepts a sample input intended to mimic a real request. Edit the input to match the request the policy is expected to receive, then run the policy to see whether the result matches your expectation.

Test mode is useful for:

  • Verifying that a new policy allows the requests you expect.
  • Confirming that a policy correctly denies requests that should fail.
  • Debugging which validator inside a policy produced the final decision.
  • Validating changes before assigning the policy to an execution point.

For a walkthrough, see Create policy (visual editor).

Testing Rego policies

The embedded Rego editor includes code samples and accepts sample input so you can evaluate the policy without executing it against production traffic. Use Rego tests when you want to express policy behavior as code and run those tests from your CI pipeline alongside the rest of your application tests.
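A small Rego policy with its tests in one file, as an added example rather than SecureAuth's own code. The package name, the input fields (`token.scopes`, `session.amr_mfa`) and the scope value are assumptions chosen for illustration, not SecureAuth's documented input schema, and the file is written to run with the standalone `opa test` command.

```rego
# Constructed example: package name and input shape are hypothetical.
package example.authz

import rego.v1

# Fail closed: anything not explicitly allowed is denied.
default allow := false

# Allow only when the token carries the required scope AND the
# session was authenticated with MFA.
allow if {
	"payments:write" in input.token.scopes
	input.session.amr_mfa == true
}

# --- Tests (run with: opa test . -v) ---

# Constructed sample input for the expected-allow case.
base_input := {
	"token": {"scopes": ["openid", "payments:write"]},
	"session": {"amr_mfa": true},
}

test_allows_scoped_mfa_request if {
	allow with input as base_input
}

test_denies_missing_scope if {
	not allow with input as {
		"token": {"scopes": ["openid"]},
		"session": {"amr_mfa": true},
	}
}

test_denies_without_mfa if {
	not allow with input as {
		"token": {"scopes": ["openid", "payments:write"]},
		"session": {"amr_mfa": false},
	}
}

# Absent fields must not evaluate to allow.
test_denies_empty_input if {
	not allow with input as {}
}
```

Each `test_` rule pins one expected decision, so a later edit that widens `allow` makes a deny test fail in CI instead of surfacing as an unintended allow on real traffic.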

Policy APIs

Policy evaluation is also available through the SecureAuth management API, so you can drive tests from a pipeline or a custom tool rather than the UI. See the policies API reference for the available endpoints.

Testing in a change-control workflow

A common pattern:

  1. A policy change is proposed as a pull request in the Git repository that stores your SecureAuth configuration.
  2. The CI pipeline runs policy tests against sample inputs, using the visual editor's test mode, Rego tests, or the policies API.
  3. Reviewers see the test results in the pull request.
  4. The merge triggers the declarative configuration import, which applies the change to the target tenant.

Testing before publish turns policy changes into a normal code review rather than a production experiment.

For the import and rollout side, see Declarative configuration import for SecureAuth.
