Use the Simple RBAC Evaluator

Now that you have created your policy instance, you can test it out with the Evaluator. The Evaluator supports several requests, corresponding to Aserto's authorization APIs - is, decisiontree, and query. The default "Check" request, however, is specifically designed for policy-rebac. Using the Evaluator allows you to quickly verify whether a user has a relationship (or permission) on an object.

The Evaluator has two parts. The REQUEST part on the left is where you specify information about the action being performed, while the OUTPUT on the right displays the body of the request as well as the response.

The table below explains the selection fields.

Field       | Description
Subject     | The user to evaluate. For Simple RBAC there are 5 Citadel users that you can select from.
Object Type | The type of object to evaluate. For Simple RBAC this will be Resource.
Object      | The object instance to evaluate.
Relation    | Which relation or permission to evaluate.

Testing the policy

Now let's check a few different scenarios using the Evaluator. First, a few important things to note about Rick and Morty:

  • Morty is an owner of the mega-seed object. This means he has the can_read, can_write, and can_delete permissions which correspond to reading, writing, or deleting the mega-seed.
  • Rick is a reader of the mega-seed object. This means he only has the can_read permission.

Scenario 1 - can Morty read the mega-seed?

  • For Subject, select "Morty Smith".
  • For Object Type, select "Resource".
  • For Object, select "mega-seed".
  • For Relation, select "can-read".
  • Click the Play button.
  • You should see "is": true under results indicating the action will be permitted.

Scenario 2 - can Rick read the mega-seed?

  • For Subject, select "Rick Sanchez".
  • For Object Type, select "Resource".
  • For Object, select "mega-seed".
  • For Relation, select "can-read".
  • Click the Play button.
  • You should see "is": true under results indicating the action will be permitted.

Scenario 3 - can Morty write the mega-seed?

  • For Subject, select "Morty Smith".
  • For Object Type, select "Resource".
  • For Object, select "mega-seed".
  • For Relation, select "can-write".
  • Click the Play button.
  • You should see "is": true under results indicating the action will be permitted.

Scenario 4 - can Rick write the mega-seed?

  • For Subject, select "Rick Sanchez".
  • For Object Type, select "Resource".
  • For Object, select "mega-seed".
  • For Relation, select "can-write".
  • Click the Play button.
  • You should see "is": false under results indicating the action will be denied.

Scenario 5 - can Morty delete the mega-seed?

  • For Subject, select "Morty Smith".
  • For Object Type, select "Resource".
  • For Object, select "mega-seed".
  • For Relation, select "can-delete".
  • Click the Play button.
  • You should see "is": true under results indicating the action will be permitted.

Scenario 6 - can Rick delete the mega-seed?

  • For Subject, select "Rick Sanchez".
  • For Object Type, select "Resource".
  • For Object, select "mega-seed".
  • For Relation, select "can-delete".
  • Click the Play button.
  • You should see "is": false under results indicating the action will be denied.
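
The six scenarios above can also be kept as a regression matrix, so the two deny cases are checked as carefully as the allow cases. The following is an added example, not code from Aserto or from the original page: it is a local model of the owner/reader relations described above, and the names PERMISSIONS, RELATIONS, SCENARIOS, check and run_scenarios are assumptions made for illustration.

```python
# Added illustration, not Aserto code: PERMISSIONS, RELATIONS, check and
# run_scenarios are hypothetical names for a local model of the policy.

# Relations that grant each permission on the "resource" object type:
# an owner may read, write and delete; a reader may only read.
PERMISSIONS = {
    "resource": {
        "can_read": {"owner", "reader"},
        "can_write": {"owner"},
        "can_delete": {"owner"},
    }
}

# Constructed relation tuples: (object_type, object_id, relation, subject).
RELATIONS = {
    ("resource", "mega-seed", "owner", "Morty Smith"),
    ("resource", "mega-seed", "reader", "Rick Sanchez"),
}

# The six scenarios as (subject, relation, expected decision).
SCENARIOS = [
    ("Morty Smith", "can-read", True),
    ("Rick Sanchez", "can-read", True),
    ("Morty Smith", "can-write", True),
    ("Rick Sanchez", "can-write", False),
    ("Morty Smith", "can-delete", True),
    ("Rick Sanchez", "can-delete", False),
]


def check(subject, object_type, object_id, relation):
    """Allow only if a stored relation grants `relation`; deny by default."""
    otype = object_type.lower()
    name = relation.replace("-", "_")  # the page shows both spellings
    # A permission is granted by its listed relations; any other name is
    # treated as a direct relation and must be stored itself.
    granting = PERMISSIONS.get(otype, {}).get(name, {name})
    return any((otype, object_id, rel, subject) in RELATIONS for rel in granting)


def run_scenarios():
    """Return the scenarios whose decision differs from the expected one."""
    return [(s, r) for s, r, expected in SCENARIOS
            if check(s, "Resource", "mega-seed", r) is not expected]


if __name__ == "__main__":
    print("mismatches:", run_scenarios())
```

An empty mismatch list means the model agrees with all six expected results; unknown subjects, objects and relations fall through to a deny.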

Next steps

Now that you have seen how the policy works, you'll use the Quickstart in the console to download and run the sample back-end API, which uses the simple-rbac policy for access control.

Click on the "Quickstart" tab on the left.