authz/is
The is
API is the primary API for determining whether a user is authorized to perform an action
on a resource. The inputs to the is
API are the user context, the set of decisions that the calling
application wants to evaluate, the policy module used to make the decision(s), and the (optional) resource
context for making the decision(s).
URL
POST .../api/v2/authz/is
Input payload
{
"identityContext": {
"identity": "[topaz-user-guid]",
"type": "IDENTITY_TYPE_*"
},
"policyContext": {
"decisions": ["string"],
"path": "string"
},
"resourceContext": {
"additionalProp1": "string",
"additionalProp2": "string",
"additionalProp3": "string"
}
}
The identityContext
map is documented here.
The policyContext
map is documented here.
The resourceContext
map is documented here.
Example
Given the following policy:
package sample
allowed {
input.user.id == input.resource.owner_id
}
And given the following payload passed to the is
call:
{
"identityContext": {
"identity": "011a88bc-7df9-4d92-ba1f-2ff319e101e1",
"type": "IDENTITY_TYPE_SUB"
},
"policyContext": {
"decisions": ["allowed"],
"path": "sample"
},
"resourceContext": {
"owner_id": "011a88bc-7df9-4d92-ba1f-2ff319e101e1"
}
}
The allowed
decision will be evaluated to true
, and the resulting payload will be returned:
{
"decisions": [
{
"decision": "allowed",
"is": true
}
]
}