Skip to main content

Policy Context

The authz.is, authz.decisiontree, and authz.query APIs take a Policy Context argument from the calling application.

This parameter identifies the policy and decision(s) to evaluate.

The policy bundle is identified by the policy id, the policy within the bundle by the path and the decisions array denotes one ore more decisions to be made by the authorizer.

Setting the Policy Context#

POST .../api/v1/authz/is

{  "policyContext": {    "decisions": [      "allowed"    ],    "id": "[policy-id]",    "path": "sample.GET.api.orders"  }, ...}

The policy context above will evaluate the allowed decision for the policy module sample.GET.api.orders.

For the following Rego package:

package sample.GET.api.orders
allowed {  true}

Calling is with the above payload will return the following response:

{  "decisions": [    {      "decision": "allowed",      "is": true    }  ]}

Policy context for decisiontree#

The common usage for policyContext in the decisiontree API is to identify the policy ID and the policy root.

POST .../api/v1/authz/decisiontree

{  "policyContext": {    "decisions": [      "visible",      "enabled"    ],    "id": "[policy-id]",    "path": "sample"  }, ...}

This call will evaluate all paths under the "sample" root, and return the values of the "visible" and "enabled" decisions using the identityContext and resourceContext that may also be passed in.

Policy context for query#

The Policy ID can be used to evaluate the query in the context of a particular policy.

Policy context in input#

The policyContext passed in will be available to the policy as input.policy. You can write a generic policy that can reason about which specific policy it is being evaluated over.