authz/is

The is API is the primary API for determining whether a user is authorized to perform an action on a resource. The inputs to the is API are the user context, the set of decisions that the calling application wants to evaluate, the policy module used to make the decision(s), and the (optional) resource context for making the decision(s).

URL

POST .../api/v2/authz/is

Input payload

{
  "identityContext": {
    "identity": "[aserto-user-guid]",
    "type": "IDENTITY_TYPE_*"
  },
  "policyContext": {
    "decisions": ["string"],
    "path": "string"
  },
  "policyInstance": {
    "name": "[policy-name]",
    "instanceLabel": "[instance-label]"
  },
  "resourceContext": {
    "additionalProp1": "string",
    "additionalProp2": "string",
    "additionalProp3": "string"
  }
}

The identityContext map is documented here.

The policyContext map is documented here.

The policyInstance map is documented here.

The resourceContext map is documented here.

Example

Given the following policy:

package sample

allowed {
  input.user.id == input.resource.id
}

And given the following payload passed to the is call:

{
  "identityContext": {
    "identity": "011a88bc-7df9-4d92-ba1f-2ff319e101e1",
    "type": "IDENTITY_TYPE_SUB"
  },
  "policyContext": {
    "decisions": ["allowed"],
    "path": "sample"
  },
  "policyInstance": {
    "name": "[policy-name]",
    "instanceLabel": "[instance-label]"
  },
  "resourceContext": {
    "id": "011a88bc-7df9-4d92-ba1f-2ff319e101e1"
  }
}

The allowed decision evaluates to true, and the following payload is returned:

{
  "decisions": [
    {
      "decision": "allowed",
      "is": true
    }
  ]
}
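A calling application should treat anything other than an explicit boolean true for the requested decision as a denial. The following is an added example, not Aserto's own client code: it builds the payload shown above, posts it, and checks the response fail-closed. The function names and the `base_url` and `headers` parameters are assumptions, since the host and authentication headers are not given on this page.

```python
import json
from urllib import request

def build_is_request(identity, decisions, path, policy_name, instance_label,
                     resource=None, identity_type="IDENTITY_TYPE_SUB"):
    """Build an authz/is payload in the shape documented on this page."""
    body = {
        "identityContext": {"identity": identity, "type": identity_type},
        "policyContext": {"decisions": list(decisions), "path": path},
        "policyInstance": {"name": policy_name, "instanceLabel": instance_label},
    }
    if resource is not None:  # resourceContext is optional
        body["resourceContext"] = dict(resource)
    return body

def call_is(base_url, headers, payload, timeout=5):
    """POST the payload; a transport or JSON error returns {} so callers deny."""
    try:
        req = request.Request(
            base_url.rstrip("/") + "/api/v2/authz/is",  # base_url is an assumption
            data=json.dumps(payload).encode("utf-8"),
            headers={"Content-Type": "application/json", **headers},
            method="POST",
        )
        with request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read())
    except (OSError, ValueError):
        return {}

def is_allowed(response, decision):
    """Fail closed: True only for exactly one matching entry whose "is" is boolean true."""
    entries = response.get("decisions") if isinstance(response, dict) else None
    if not isinstance(entries, list):
        return False
    hits = [e for e in entries if isinstance(e, dict) and e.get("decision") == decision]
    return len(hits) == 1 and hits[0].get("is") is True

if __name__ == "__main__":
    # Constructed response, same shape as the example on this page.
    sample = {"decisions": [{"decision": "allowed", "is": True}]}
    print(is_allowed(sample, "allowed"))
    # An empty or malformed response is treated as a denial.
    print(is_allowed({}, "allowed"))
```
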

Upgrading from v1

To upgrade from the v1 Policy Context, see this topic.