Skip to main content

authz/is

The is API is the primary API for determining whether a user is authorized to perform an action on a resource. The inputs to the is API are the user context, the set of decisions that the calling application wants to evaluate, the policy module used to make the decision(s), and the (optional) resource context for making the decision(s).

URL#

POST .../api/v1/authz/is

Input payload#

{  "identityContext": {    "identity": "[aserto-user-guid]",    "type": "IDENTITY_TYPE_*"  },   "policyContext": {    "decisions": [      "string"    ],    "id": "[aserto-policy-guid]",    "path": "string"  },  "resourceContext": {    "additionalProp1": "string",    "additionalProp2": "string",    "additionalProp3": "string"  }}

The identityContext map is documented here.

The policyContext map is documented here.

The resourceContext map is documented here.

Example#

Given the following policy:

package sample
allowed {  input.user.id == input.resource.id}

And given the following payload passed to the is call:

{  "identityContext": {    "identity": "011a88bc-7df9-4d92-ba1f-2ff319e101e1",    "type": "IDENTITY_TYPE_SUB"  },   "policyContext": {    "decisions": [      "allowed"    ],    "id": "<policy-id>",    "path": "sample"  },  "resourceContext": {    "id": "011a88bc-7df9-4d92-ba1f-2ff319e101e1"  }}

The allowed decision will be evaluated to true, and the resulting payload will be returned:

{  "decisions": [    {      "decision": "allowed",      "is": true    }  ]}