Policy Context

The authz.is, authz.decisiontree, and authz.query APIs take a Policy Context argument from the calling application.

This parameter identifies the policy and decision(s) to evaluate.

The policy bundle is identified by the policy id, the policy within the bundle by the path and the decisions array denotes one ore more decisions to be made by the authorizer.

Setting the Policy Context

POST .../api/v2/authz/is

{
  "policyContext": {
    "decisions": [
      "allowed"
    ],
    "path": "sample.GET.api.orders"
  }, ...
}

The policy context above will evaluate the allowed decision for the policy module sample.GET.api.orders.

For the following Rego package:

package sample.GET.api.orders

allowed {
  true
}

Calling is with the above payload will return the following response:

{
  "decisions": [
    {
      "decision": "allowed",
      "is": true
    }
  ]
}

Policy context for `decisiontree`

The common usage for policyContext in the decisiontree API is to identify the policy ID and the policy root.

POST .../api/v2/authz/decisiontree

{
  "policyContext": {
    "decisions": [
      "visible",
      "enabled"
    ],
    "path": "sample"
  }, ...
}

This call will evaluate all paths under the "sample" root, and return the values of the "visible" and "enabled" decisions using the identityContext and resourceContext that may also be passed in.

Policy context for `query`

The Policy ID can be used to evaluate the query in the context of a particular policy.

Policy context in `input`

The policyContext passed in will be available to the policy as input.policy. You can write a generic policy that can reason about which specific policy it is being evaluated over.

Setting the Policy Context​

Policy context for decisiontree​

Policy context for query​

Policy context in input​

Setting the Policy Context

Policy context for `decisiontree`

Policy context for `query`

Policy context in `input`