Hey, welcome to the Elixir community!
Thank you! 
Do you have an article about it? I would like to see what your pain points were and avoid them if I can.
Unfortunately we haven’t published anything yet. I will post a link back here if we do.
Also, how are you dealing with maintaining the policies today?
So far we haven’t needed to do too much maintenance. After the re-write, our rules became granular and decoupled from each other. We are still actively developing the product, and as we define new user actions, it has been easy to add new policies without having to make changes to the existing ones.
I can’t find any good practices in the OPA documentation or talks, especially on how to deny access to a particular request right away.
I wish there was more documentation, too! But I can help you with that.
Here’s an example from the online doc:
```rego
# allow bob to perform read-only operations.
allow {
    user == "bob"
    method == "GET"
}
```
This could alternatively be written as:
```rego
# allow bob to perform read-only operations.
allow = true {
    user == "bob"
    method == "GET"
}
```
So if you wanted to explicitly deny an operation, you could do something like:
```rego
# disallow eve from performing read-only operations.
allow = false {
    user == "eve"
    method == "GET"
}
```
Are you using any particular package for integration with OPA?
Not at the moment. We wrote some Plugs to distill a web request into user and resource fields, and then another Plug to send the document to OPA for an “allow” rule check. It is fairly simple, but it has been working pretty well for what we need.
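An added example, not part of the original post and not the poster's production policy: when one request matches both an `allow = true` rule and an `allow = false` rule, OPA is left with two conflicting values for the same rule, so an explicit deny that always wins is commonly written as a separate rule that the final decision checks. The package name, the `permit` and `deny` rule names, and the `input.user` / `input.method` / `input.path` fields are assumptions made for illustration; the syntax matches the snippets above.

```rego
package example.authz # hypothetical package name

# Constructed example. Assumes the caller (for instance a Plug) sends an
# input document shaped like:
#   {"user": "bob", "method": "GET", "path": ["reports"]}

# Fail closed: when nothing below yields a value, the decision is false.
default allow = false

# Final decision: at least one permit rule matched AND no deny rule matched.
# `not deny` also succeeds when `deny` is undefined, so requests that match
# no deny rule are judged on the permit rules alone.
allow {
    permit
    not deny
}

# Permit rules stay granular and independent of each other.
# New user actions get a new `permit` body; existing ones are left untouched.
permit {
    input.user == "bob"
    input.method == "GET"
}

permit {
    input.method == "GET"
    input.path == ["public"]
}

# Deny rules override every permit rule, including the public-path one above.
deny {
    input.user == "eve"
}
```

With this layout the integration still queries a single `allow` rule: `{"user": "eve", "method": "GET", "path": ["public"]}` evaluates to `false` even though a permit rule matches, and a request matching no rule at all also evaluates to `false`.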