Skip to content
NFH Fabric Support home
NFH Fabric Support home

Configuring network policies

Once the network environment exists, the network facilitator can define rules that apply across that network. In Fabric, these rules are configured at the network level through a manifest published by the Network Facilitator Organization (NFO) for a specific networkId.

This allows all participants on that network to discover the same policy configuration and apply it consistently.

What network policy configuration does

Network policy configuration gives the NFO a standard way to publish:

  • which policy artifacts apply to the network

  • where those policy artifacts are hosted

  • how participants should evaluate them

In practice, this means the network can enforce shared business and validation rules without each participant implementing a separate, custom integration.

The role of the manifest

The manifest is the network-level configuration document associated with a specific registry and networkId. It is typically published as a signed YAML file and linked from the metadata of the NFO's network registry.

Participants use the manifest to discover:

  • the policy source type

  • the artifact URL

  • the evaluation query path

  • the signing key information required for verification

  • the governance validity window for that release

Registry metadata required for policy discovery

The NFO registry should expose metadata that points to the manifest and its signature material.

The key fields are:

  • manifestUrl

  • manifestSignatureUrl

  • signingPublicKeyLookupUrl

This allows participants and ONIX instances to fetch the manifest and verify that it was published by the expected network authority.

Policy configuration in the manifest

The manifest defines policy configuration inside the policies section.

At a high level:

  • type identifies the policy language

  • source identifies how the policy is distributed

  • either a bundle section or a file section describes the final published artifact

Example using an OPA bundle

policies: type: "rego" source: "bundle" bundle: id: "network-policy-bundle" url: "https://example.org/policies/bundle.tar.gz" policyQueryPath: "data.retail.policy.result" signingPublicKeyId: "key-reg/prod-policy-key"

Example using a single Rego file

policies: type: "rego" source: "file" file: id: "network-policy-file" url: "https://example.org/policies/network.rego" policyQueryPath: "data.retail.policy.result" signed: true signatureUrl: "https://example.org/policies/network.rego.sig" signingPublicKeyId: "key-reg/prod-policy-key"

Supported policy distribution models

At present, network policies can be distributed in two ways:

  • as an OPA bundle

  • as a single Rego file

Exactly one of these should be used for a given policy reference in the manifest.

The policyQueryPath identifies the decision rule that participants should evaluate from that policy artifact.

Use the following sequence when configuring policies for a network:

  1. Decide which rules should be enforced at the network level.

  2. Prepare the final published policy artifact for those rules.

  3. Publish the artifact at a stable URL.

  4. Add the policies section to the manifest for the target networkId.

  5. Sign and publish the manifest.

  6. Update the NFO registry metadata so participants can discover the latest manifest.

Detailed guides

Use the following pages for the detailed operational steps: