Skip to main content

Authorization Policy

An authorization policy (or simply, a policy) is expressed in a declarative language called rego.

A policy can include one or more rego files, and one or more JSON data files.

A rego file has a package directive which sets the namespace for the rego file, and defines one or more decisions.

package sample.GET.api.orders
allowed {  true}
note

In the rego file above, the package name follows the Aserto convention:

policy-root.HTTP method.HTTP route

Decision#

A decision is an output from the evaluation of a policy. The policy above exports a decision called allowed, and sets its value to true.

The policy below exports the same decision (allowed), has a default value of false for this decision, and a rule that sets allowed to true only if the logged-in users's department attribute is equal to "Sales":

package sample.GET.api.orders
default allowed = false
allowed {  input.user.attributes.department == "Sales"}

User context#

In the policy above, we were able to use the department attribute to help compute the allowed decision. This is an example of User context that is used in a policy. If you hook up your identity providers and/or directories to Aserto, it will automatically synchronize properties from these sources and make them available to your policies.

In addition, you can create and manage extensions for users in the Aserto directory, on a global or per-application basis.