Understanding the relationship between the specification and Oracle’s implementation
ZPL (Zero-trust Policy Language) is a specification for expressing zero-trust communication policies in a human-readable, attribute-based format. Oracle’s ZPR PEL (Policy Enforcement Language) is a more limited, implementation-level language designed for Oracle Virtual Cloud Networks. While ZPR PEL maps cleanly into ZPL, the reverse is not always true—ZPL supports a broader set of policy semantics and auditing features.
ZPL is a high-level, declarative language for defining zero-trust communication policies across distributed systems. Policies refer to attributes of endpoints, users, and services, and remain independent of network topology or enforcement mechanisms.
A ZPL compiler produces machine-readable policy bundles tailored to a given ZPRnet implementation. The open reference compiler is under active development.
ZPR PEL is Oracle’s implementation-level policy language for enforcing ZPR inside Oracle Virtual Cloud Networks. It focuses on connection-level allow rules evaluated by endpoints using trusted attributes.
ZPR PEL is a functional subset of ZPL. Every PEL policy can be represented in ZPL, sometimes with a slightly different surface syntax.
The reverse is not always true—ZPL supports policy semantics (such as denials and circumstantial constraints) that PEL does not currently implement.
ZPL emphasises readability and auditing for humans, whereas ZPR PEL uses a structured grammar optimised for enforcement inside Oracle VCNs.
Yes. Because both languages rely on attribute-based decisions, each ZPR PEL allow statement has a corresponding representation in ZPL’s permission model.
ZPR PEL
in env:prod VCN allow role:engineer endpoints to connect to role:db endpoints with protocol='tcp/5432', connection-state='stateful'
ZPL
Allow role:engineer users on oracle.vcn.env:prod endpoints to access role:db, oracle.protocol:'tcp/5432', and oracle.connection-state:stateful services on oracle.vcn.env:prod endpoints.
| Feature | ZPL Specification | ZPR PEL | Notes |
|---|---|---|---|
| Allow (permissions) | Yes | Yes | — |
| Never (denials) | Yes | Not currently supported | PEL currently lacks explicit deny statements |
| Permissioning of users and services | Yes | Not currently supported | PEL focuses on endpoint permissions |
| Circumstantial constraints (time, bandwidth) | Yes | Not currently supported | Planned for future compiler work |
| Define a new class | Yes | Not currently supported | PEL uses predefined selectors |
ZPR PEL uses a more rigid grammar than ZPL. Key divergences include:
| Aspect | ZPL | ZPR PEL |
|---|---|---|
| Statement prefix | None | in <security-attribute> VCN |
| Verb | to access | to connect to |
| Attribute separator | Colon (:) | Equals (=) |
| Quoting | Single and double quotes, backslash escaping | Single quotes with doubled escaping |
| Endpoint specification | Free-form phrases (managed laptops, sales endpoints) | Structured selectors (role:db endpoints, IP/CIDR) |
| Supported attributes | Arbitrary user-defined attributes | Limited protocol and connection attributes |
Oracle IAM controls which identities can invoke APIs or access particular resources.
ZPR PEL adds network-level enforcement, evaluating whether a packet flow between endpoints should be allowed based on attributes. IAM decides who can act; ZPR PEL decides what communication is permitted.
ZPL itself is identity-provider agnostic, so enterprises can integrate other IAM systems while retaining ZPL semantics.
