diff --git a/.env.local.example b/.env.local.example
index b85bcbc9c8dfeb6ef0add5ccf773aaef1dae7231..063314ab0fa9429fe41d439aa9e655e82a6b8309 100644
--- a/.env.local.example
+++ b/.env.local.example
@@ -15,6 +15,7 @@ REACT_APP_OAUTH2_ENABLED=False
 REACT_APP_OAUTH2_CLIENT_ID=
 REACT_APP_OAUTH2_OPENID_CONNECT_URL=
 REACT_APP_OAUTH2_SCOPE=
+REACT_APP_OPA_BUNDLE_URL="http://localhost:8080/opa/bundles/policy.wasm"
 
 # Needed because some libs misbehave
 GENERATE_SOURCEMAP=false
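Review bot: The example value on the added `REACT_APP_OPA_BUNDLE_URL` line is a plain `http://` URL, and nothing marks it as a local-development default. The downloaded bundle decides what `createPolicyCheck` allows, so a deployment that copies this value would fetch its policy over an unauthenticated channel, and a browser would likely block it as mixed content on an HTTPS page. A comment above the line such as `# OPA policy bundle (WASM); use an https:// URL outside local development` would make that explicit.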
diff --git a/src/utils/policy.ts b/src/utils/policy.ts
index 8b43e9fc38b4ba4dc7a7f08d2812ef449ee9311b..207dab582d2d66b411304d162c35e5ba87278790 100644
--- a/src/utils/policy.ts
+++ b/src/utils/policy.ts
@@ -1,10 +1,37 @@
+import { loadPolicy } from "@open-policy-agent/opa-wasm";
+
+
 export async function createPolicyCheck(user?: Partial<Oidc.Profile>) {
     if (!user) {
         return () => true;
     }
+
+    const opaBundletUrl = process.env.REACT_APP_OPA_BUNDLE_URL;
+
+    if (typeof opaBundletUrl === 'undefined') {
+        throw new Error('REACT_APP_OPA_BUNDLE_URL is not defined');
+    }
+
+    const policyResult = await fetch(opaBundletUrl);
+    const policyWasm = await policyResult.arrayBuffer();
     try {
+        const policy = await loadPolicy(policyWasm);
+
         function allowed(resource: string): boolean {
-            return true;
+            const input: any = {
+                resource: resource,
+                method: "GET",
+                ...user,
+            };
+
+            const resultSet = policy.evaluate(input);
+
+            if (resultSet == null || resultSet.length === 0) {
+                console.error("evaluation error", resultSet);
+                return false;
+            }
+
+            return resultSet[0].result;
         }
         return allowed;
     } catch {
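Review bot: In `allowed`, `...user` is spread after `resource` and `method`, so a profile claim with either name would overwrite the value the policy is being asked about; build the input as `{ ...user, resource, method: "GET" }` or nest the profile under its own key. `return resultSet[0].result;` passes through whatever the entrypoint yields, so compare with `=== true` to match the deny-by-default branch above it and the declared `boolean` return type. The `fetch` and `arrayBuffer()` calls sit outside the `try` and `policyResult.ok` is never checked, so a network failure rejects `createPolicyCheck` without reaching the `catch` (whose body is outside this hunk), and an error response body is handed to `loadPolicy` as if it were the bundle. Since the check runs in the browser on a bundle the client downloads, it can only shape what the UI shows; presumably the API enforces the same policy server-side, and a comment on `createPolicyCheck` saying so would prevent it being read as an access control.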