Policy Context

The is, decisiontree, and query APIs take a Policy Context argument from the calling application.

This parameter identifies the policy path and decision(s) to evaluate. The rule within the bundle is identified by the path, and the decisions array denotes one or more decisions to be made by the authorizer.

Setting the Policy Context

POST .../api/authz/v2/is

{
  "policyContext": {
    "decisions": [
      "allowed"
    ],
    "path": "sample.GET.api.orders"
  }, ...
}

The policy context above will evaluate the allowed decision for the policy module sample.GET.api.orders.

For the following Rego package:

package sample.GET.api.orders

allowed {
  true
}

Calling is with the above payload will return the following response:

{
  "decisions": [
    {
      "decision": "allowed",
      "is": true
    }
  ]
}

Policy context for `decisiontree`

The common usage for policyContext in the decisiontree API is to identify the the policy root and the decisions to evaluate.

POST .../api/v2/authz/decisiontree

{
  "policyContext": {
    "decisions": [
      "visible",
      "enabled"
    ],
    "path": "sample"
  }, ...
}

This call will evaluate all paths under the "sample" root, and return the values of the "visible" and "enabled" decisions using the identityContext and resourceContext that may also be passed in.

Policy context in `input`

The policyContext passed in will be available to the policy as input.policy. You can write a generic policy that can reason about which specific policy it is being evaluated over.

Upgrading from v1

To upgrade from the v1 Policy Context, see this topic.

Setting the Policy Context​

Policy context for decisiontree​

Policy context in input​

Upgrading from v1​

Setting the Policy Context

Policy context for `decisiontree`

Policy context in `input`

Upgrading from v1