Why Do Policy Languages Feel So Hard?
Permit.io just published the results of a survey they conducted with over 200 developers on access control. There's lots of good data there, but one thing that struck me is that over 50% of developers said that they've never used any of the popular policy languages. I was wondering why that could be and came up with a few reasons why policy languages often feel foreign and frustrating:
It's Not Code as You Know It—Policy languages like Cedar or Rego are declarative. You're not writing a script to execute; you're defining rules that the engine interprets. That's a big mental shift if you're used to imperative programming.
Jargon Overload—Terms like "principal," "resource," and "condition" may make sense to security architects but leave developers guessing. Without real-world examples, they feel like word salad.
You Can't Just Run It—Want to know if your policy works? You might have to build a whole request context and simulate access decisions. That lack of immediate feedback makes learning feel slow and brittle.
Where's My IDE?—Most policy tools lack the rich developer environments we expect from modern programming — no autocomplete, minimal syntax checks, and few ways to step through logic.
Complexity Scales Fast—It's easy to write "Alice can read financial documents." But throw in multi-tenancy, delegated authority, and time-based rules, and suddenly your policy reads like a legal contract.
The Stakes Are High—Unlike a misaligned UI, broken policies result in security breaches or outages. That makes experimentation feel risky instead of fun.
These are real challenges, but many can be overcome with better tooling. Policy languages simplify app logic and make access control more reliable and maintainable—especially when treated like regular code with testing and version control. I'm betting that their benefits will help developers overcome their lack of familiarity with the programming style and come to rely on them more and more.
Photo Credit: Developer contemplating PBAC from DALL-E (public domain)
This is because a lot of the languages (OPA Rego, XACML, Oso Polar) are built as declarative languages not imperative programming languages. In addition Rego builds on top of Datalog which makes it even harder to understand. What we need is human-readable, hierarchical, and constrained policy languages. ALFA (and the future ALFA 2.0 in the works at IETF) gives you that. It's easy enough for anyone to at least read and most to write. Check out the samples on alfa.guide and let me know what you think.