
When to use
Use policies when you need to enforce:- Execution rules, like business hours, environment restrictions, or approval workflows.
- Access control, limiting which users, agents, or tools can act on resources.
- Safety constraints, preventing destructive changes, unauthorized workflows, or sensitive tool calls.
- Organization-wide standards, such as label requirements, naming rules, or mandatory parameters.
- Consistent governance, applied across multiple agents, teams, or environments without duplicating configuration.
How policies fit into Kubiya
Scope & attachment
Policies are defined centrally and can be attached to:- Environments — strongest, inherited by every team/agent running in that environment
- Teams — applies to all member agents
- Agents — most specific level
Evaluation model
- Policies are checked before the task starts and at relevant steps during execution.
- Any
denyorlackof allow halts the action and returns a clear violation message. - Allowed steps run normally.
Versioning & lifecycle
- Each update creates a new version (v1, v2, …).
- Policies can be enabled/disabled at any time.
- The policy card shows:
- Associations (where it is attached)
- Last updated
- Status (“Enabled”, “Disabled”)
Prerequisites
Before creating a policy:- You must have permission to manage policies in the active control plane.
- Determine where the policy should apply (Environment, Team, Agent).
- Prepare any business logic or conditions you want to enforce.
Creating a Policy
Navigate to Policies > Create Policy.1. Details
- Policy Name
Use clear, consistent naming such as
business-hours-policyorprod-restrictions. - Description A short explanation of what it enforces.
- Enable Policy Turn on if you want it enforced immediately.
- Tags
Add labels such as
security,governance,operations.
2. Policy Content
You can start from:- Templates (Business Hours, Approved Users, etc.)
- Blank (write your own Rego)
v1.
Attach & Test Policies
Attach a policy
- Environment: Environments → Edit → Policies
- Team: Teams → Configure → Advanced → OPA Policies
- Agent: Agents → (open agent) → Policies
Verify
Run a simple task that should be:- Allowed (confirm normal behavior), and
- Denied (confirm your
violations[msg]message appears)
Runtime Behavior
- All applicable policies are evaluated for every task or workflow step.
- A deny halts only the relevant action, not the entire system.
- Detailed violation messages appear in the task log.
- Policies stack: stricter rules win.
Managing Policies
- Enable / Disable policies from the policy card.
- Update to publish a new version.
- Detach from specific agents/teams/environments without deleting.
- Delete unused policies.
Useful Starter Policies
- Business Hours — restrict execution to weekdays 09:00–17:00.
- Approved Users — only members of a specific group/team may execute.
- Required Labels — block runs missing
owner,service,purpose. - Rate Limits — restrict frequency of tool/API calls.
- Sensitive Actions Require MFA — require explicit confirmation or security signals.
Best Practices
- Start permissive in dev/test; tighten policies in production.
- Always define a useful
violations[msg]explaining how to resolve the issue. - Use consistent tagging (e.g.,
security,cost,compliance). - Prefer attaching policies at Environment level for broad governance.
- Update carefully: disable → edit → re-enable → test with read-only tasks.
Troubleshooting
- Unexpected block: Check violation message, then review all attached policies.
- Policy not enforced: Verify it is Enabled and attached, and Enforcer Healthy is active.
- Tool call denied: Look for deny rules tied to tool name, args, or missing metadata.
- Workflow blocked in prod but not staging: A prod-level environment policy is likely enforcing stronger restrictions.
CLI Usage
Below is the structured CLI reference following the same format as the Agents docs. Kubiya CLI commands for policies use:1. List Policies
Lists all OPA policies in the workspace.Commands
Flags
2. Get Policy Details
Retrieve complete information about a specific policy including content, versions, and associations.Commands
Flags
3. Create a New Policy
Create an OPA policy using a file or inline content.Commands
Flags
4. Update a Policy
Publish a new version of an existing policy.Commands
Flags
5. Delete a Policy
Command
Flags
6. Validate a Policy Without Creating It
Useful for CI checks or development.Commands
Flags
7. Evaluate a Policy Against Input Data
Run a policy against specific input to test Rego behavior and queries.Usage
Examples
Evaluate policy file + input file + query:Flags
8. Test Tool Permissions
Simulate whether a tool call is allowed.Commands
Flags
9. Test Workflow Permissions
Commands
Flags
Next Steps
- Add policies to all relevant environments to enforce consistent governance.
- Combine policies with Teams to enforce multi-agent guardrails.
- Use
test-toolandtest-workflowto validate safety before enabling strict enforcement.