When an Authorizer evaluates a policy, it may optionally receive a Resource Context from the calling application. resourceContext is a key-value map that is passed into the authorizer and materialized as input.resource in the policy. This allows a policy to evaluate a decision in the context of both a user and a more specific resource (or set of resource attributes).
One common use case for the resource context is to drive lookup tables that match up resources to their owners. As a simple example, let's say you have a sales order that is owned by a user in the system, and you only want that user to be able to view the sales order.
Passing in the following
You can use this in a policy as follows (the comparison must sit inside the body of the allowed rule so that it can override the default):

```rego
# Fail closed: unless a rule below proves otherwise, the decision is false.
default allowed = false

# Grant access only when the logged-in user is the owner recorded in the
# resource context that the application passed in for this sales order.
allowed {
  input.user.id == input.resource.ownerId
}
```
If the logged-in user's ID is the same as the ownerId passed in for the sales order, the decision will evaluate to
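To make the mechanics concrete, here is an added Python model (not code from the original page or from any authorizer SDK) of how an application assembles the policy input and how the policy above decides. The ORDERS table, build_input and is_allowed are assumptions constructed for illustration; is_allowed mirrors the Rego semantics, where a reference to a missing key is undefined, the rule body does not fire, and the default of false applies.

```python
# Constructed sample data: the application's own record of who owns each order.
# The ownerId placed in the resource context must come from a server-side
# lookup like this one, never from the client's request, or the check proves nothing.
ORDERS = {
    "order-1001": {"ownerId": "alice"},
    "order-1002": {"ownerId": "bob"},
    "order-1003": {},  # legacy record with no owner recorded
}

_UNDEFINED = object()  # stands in for a Rego reference that does not resolve


def build_input(user_id, order_id):
    """Assemble the input document the policy sees: the identity under
    input.user and the resourceContext materialized as input.resource.
    If the order is unknown, no resource context is passed at all."""
    policy_input = {"user": {"id": user_id}}
    order = ORDERS.get(order_id)
    if order is not None:
        policy_input["resource"] = {"id": order_id, **order}
    return policy_input


def ref(doc, path):
    """Walk a dotted path the way Rego resolves input.a.b: any missing
    step makes the whole reference undefined rather than raising."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return _UNDEFINED
        cur = cur[key]
    return cur


def is_allowed(policy_input):
    """default allowed = false; allowed { input.user.id == input.resource.ownerId }.
    An undefined operand makes the comparison undefined, so the rule does not
    fire and the default applies. Rego == is exact: 42 and "42" are not equal."""
    user_id = ref(policy_input, "user.id")
    owner_id = ref(policy_input, "resource.ownerId")
    if user_id is _UNDEFINED or owner_id is _UNDEFINED:
        return False
    return user_id == owner_id


if __name__ == "__main__":
    for user, order in [("alice", "order-1001"), ("bob", "order-1001"),
                        ("alice", "order-9999"), ("alice", "order-1003")]:
        print(f"{user} -> {order}: allowed={is_allowed(build_input(user, order))}")
```

The last two cases show the fail-closed behaviour a practitioner should check for: a missing resource context or a missing ownerId attribute denies access rather than erroring or allowing.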