Configuring network policies
Once the network environment exists, the network facilitator can define rules that apply across that network. In Fabric, these rules are configured at the network level through a manifest published by the Network Facilitator Organization (NFO) for a specific networkId.
This allows all participants on that network to discover the same policy configuration and apply it consistently.
What network policy configuration does
Network policy configuration gives the NFO a standard way to publish:
which policy artifacts apply to the network
where those policy artifacts are hosted
how participants should evaluate them
In practice, this means the network can enforce shared business and validation rules without each participant implementing a separate, custom integration.
The role of the manifest
The manifest is the network-level configuration document associated with a specific registry and networkId. It is typically published as a signed YAML file and linked from the metadata of the NFO's network registry.
Participants use the manifest to discover:
the policy source type
the artifact URL
the evaluation query path
the signing key information required for verification
the governance validity window for that release
Registry metadata required for policy discovery
The NFO registry should expose metadata that points to the manifest and its signature material.
The key fields are:
manifestUrlmanifestSignatureUrlsigningPublicKeyLookupUrl
This allows participants and ONIX instances to fetch the manifest and verify that it was published by the expected network authority.
Policy configuration in the manifest
The manifest defines policy configuration inside the policies section.
At a high level:
typeidentifies the policy languagesourceidentifies how the policy is distributedeither a
bundlesection or afilesection describes the final published artifact
Example using an OPA bundle
policies: type: "rego" source: "bundle" bundle: id: "network-policy-bundle" url: "https://example.org/policies/bundle.tar.gz" policyQueryPath: "data.retail.policy.result" signingPublicKeyId: "key-reg/prod-policy-key"
Example using a single Rego file
policies: type: "rego" source: "file" file: id: "network-policy-file" url: "https://example.org/policies/network.rego" policyQueryPath: "data.retail.policy.result" signed: true signatureUrl: "https://example.org/policies/network.rego.sig" signingPublicKeyId: "key-reg/prod-policy-key"
Supported policy distribution models
At present, network policies can be distributed in two ways:
as an OPA bundle
as a single Rego file
Exactly one of these should be used for a given policy reference in the manifest.
The policyQueryPath identifies the decision rule that participants should evaluate from that policy artifact.
Recommended configuration flow
Use the following sequence when configuring policies for a network:
Decide which rules should be enforced at the network level.
Prepare the final published policy artifact for those rules.
Publish the artifact at a stable URL.
Add the
policiessection to the manifest for the targetnetworkId.Sign and publish the manifest.
Update the NFO registry metadata so participants can discover the latest manifest.
Detailed guides
Use the following pages for the detailed operational steps: