by tsandall 2952 days ago
There are a few ways of doing this.

1. You can include JSON data as input when you execute a policy query. In your example, you could include the management hierarchy or a user in a JWT that's provided as input to the policy query.

2. You can load JSON data into OPA out-of-band. OPA will cache this data in-memory and you can refer to it in your policies. There are two ways to do this. (a) use OPA's REST API to push data into the engine (e.g., PUT /v1/data/management/hierarchy <JSON body>) or (b) use OPA's Bundle feature to pull down bundles of policy and data from a remote endpoint.

3. If providing the data as input or out-of-band will not work, we have an experimental HTTP built-in function that you can call inside your policies to query the external data source on-the-fly when the policy is evaluated. This feature is still experimental but over time we intend to improve support for it (e.g., currently you can't mock out these built-in calls, but it's on the ROADMAP.)

Regarding limits, OPA keeps policies and data in-memory, so you're limited by RAM on a single host.
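An added example, not part of the original comment or of OPA's own code, showing how options 1 and 2 combine in one policy: the caller's identity arrives in a JWT passed as input, and the management hierarchy is read from the in-memory `data` document. The package name, the input field names, the hierarchy layout and the `data.keys.hs256_secret` location are assumptions made for illustration.

```rego
package example.authz

import rego.v1

# Constructed sample of the out-of-band document (option 2), pushed with
#   PUT /v1/data/management/hierarchy
#   {"alice": ["bob", "carol"], "bob": ["dave"]}
# Keys are managers, values are their direct reports (assumed layout).
#
# Constructed sample of the per-query input (option 1):
#   {"token": "<HS256 JWT with a 'sub' claim>", "employee": "dave"}

default allow := false

# Verify the JWT before trusting any claim in it. The secret location
# data.keys.hs256_secret is hypothetical; it would be loaded out-of-band
# the same way as the hierarchy. If the secret or the token is missing,
# claims is undefined and allow stays false.
claims := payload if {
	[valid, _, payload] := io.jwt.decode_verify(input.token, {
		"secret": data.keys.hs256_secret,
		"alg": "HS256",
	})
	valid
}

# Everyone at or below the caller in the hierarchy. graph.reachable
# includes the starting node, so callers can always see themselves.
visible := graph.reachable(data.management.hierarchy, {claims.sub})

allow if input.employee in visible
```

With the package name assumed here, the decision is queried with `POST /v1/data/example/authz/allow` and a body of the form `{"input": {...}}`.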