
Rego Keyword Examples: not

The not keyword is the primary means of expressing negation in Rego. Similar to other keywords in Rego, it can also make your policies more 'English-like' and thus easier to read.

allow if {
    not input.user.external
}

Examples

Checking for undefined

One of the most important use cases for not is checking for undefined values. In this example a policy uses not to deny any request without an email set. Even if a value is not used in the policy, it might be important information for the decision log.

Try updating the example input.json, changing e_mail to email. While the key is spelled e_mail, input.email is undefined, and not in the first rule checks for exactly that.

policy.rego
package play

deny contains "missing email" if not input.email

deny contains "under 18" if input.age < 18
input.json
{
    "e_mail": "oops@example.com",
    "age": "20"
}
data.json
{}
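
The same undefined behaviour matters for allow rules like the one at the top of this page: not succeeds when a value is false and also when it is undefined, so a missing or misspelled field grants access. The policy below is an added example, not part of the original page or the OPA project's own code; the package name, the allow_loose and allow_strict rule names and the test inputs are assumptions made for illustration.

```rego
package not_example

# Constructed example. `import rego.v1` keeps the `if` keyword working on
# OPA releases before 1.0; it is accepted and has no effect on 1.x.
import rego.v1

default allow_loose := false

default allow_strict := false

# Same shape as the rule at the top of the page. `not` succeeds when the
# reference is false OR undefined, so a request with no `user` object at
# all is allowed.
allow_loose if {
	not input.user.external
}

# Hardened form: the field must be present and explicitly false.
allow_strict if {
	input.user.external == false
}

# Constructed test inputs. Run with: opa test <this file>
test_internal_user_allowed_by_both if {
	allow_loose with input as {"user": {"external": false}}
	allow_strict with input as {"user": {"external": false}}
}

test_external_user_denied_by_both if {
	not allow_loose with input as {"user": {"external": true}}
	not allow_strict with input as {"user": {"external": true}}
}

# Missing or misspelled field: only the strict rule fails closed.
test_missing_field_fails_open_in_loose_rule if {
	allow_loose with input as {}
	allow_loose with input as {"user": {"extrenal": true}}
	not allow_strict with input as {}
	not allow_strict with input as {"user": {"extrenal": true}}
}
```

For deny rules such as the "missing email" rule above, the same behaviour fails closed, which is why not is a good fit there.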


Negation with not

The not keyword is also useful for all kinds of negations. Use negation when you want to require the opposite of a statement.

policy.rego
package play

deny contains "must be staff" if {
    not "staff" in input.roles
}

deny contains "must be example.com account" if {
    not endswith(input.email, "@example.com")
}

deny contains "cannot be accessed over VPN" if {
    not input.is_vpn
}
input.json
{
    "roles": [
        "intern"
    ],
    "email": "alice@foo.example.com",
    "via_vpn": true
}
data.json
{}
