For conceptual information about policies and how they’re used in the platform, see Policies Core Concepts.
Overview
The Policies Service enables you to:- List policies with pagination support
- Get policy details including rules, conditions, and enforcement settings
- Create custom policies for access control and governance
- Update policy configurations for existing policies
- Delete policies when no longer needed
- Evaluate policies for specific entities and actions
- Check authorization before performing actions
Quick Start
Copy
Ask AI
from kubiya import ControlPlaneClient
# Initialize client
client = ControlPlaneClient(api_key="your-api-key")
# List all policies
policies = client.policies.list()
for policy in policies:
print(f"Policy: {policy['name']} - Type: {policy.get('type', 'N/A')}")
# Check if an agent is authorized
authorization = client.policies.check_authorization(
entity_id="agent-uuid",
resource="production-database",
action="read"
)
print(f"Authorized: {authorization['allowed']}")
List Policies
List all policies with pagination support.The Policies Service uses page-based pagination (page 1, 2, 3…) instead of skip/limit pagination used by other services.
Basic Listing
Copy
Ask AI
# List first page of policies (default: 100 per page)
policies = client.policies.list()
for policy in policies:
print(f"""
Name: {policy['name']}
Type: {policy.get('type', 'N/A')}
Enabled: {policy.get('enabled', True)}
Priority: {policy.get('priority', 0)}
""")
Paginated Listing
Copy
Ask AI
# List policies with page-based pagination
page = 1
limit = 20
while True:
policies = client.policies.list(page=page, limit=limit)
if not policies:
break
for policy in policies:
print(f"Policy: {policy['name']}")
page += 1
List All Policies
Copy
Ask AI
def list_all_policies():
"""Get all policies across all pages"""
all_policies = []
page = 1
limit = 100
while True:
policies = client.policies.list(page=page, limit=limit)
if not policies:
break
all_policies.extend(policies)
page += 1
return all_policies
# Usage
all_policies = list_all_policies()
print(f"Total policies: {len(all_policies)}")
Filter Policies by Type
Copy
Ask AI
def filter_policies_by_type(policy_type: str):
"""Filter policies by type"""
all_policies = client.policies.list(page=1, limit=1000)
return [p for p in all_policies if p.get('type') == policy_type]
# Usage
rbac_policies = filter_policies_by_type("rbac")
print(f"RBAC policies: {len(rbac_policies)}")
approval_policies = filter_policies_by_type("approval")
print(f"Approval policies: {len(approval_policies)}")
Get Policy Details
Retrieve detailed information about a specific policy.By Policy ID
Copy
Ask AI
# Get policy by UUID
policy = client.policies.get("policy-uuid-here")
print(f"Policy: {policy['name']}")
print(f"Description: {policy.get('description', 'N/A')}")
print(f"Type: {policy.get('type', 'N/A')}")
print(f"Rules: {policy.get('rules', [])}")
print(f"Conditions: {policy.get('conditions', {})}")
print(f"Enforcement: {policy.get('enforcement', 'enforce')}")
Extract Policy Information
Copy
Ask AI
def get_policy_info(policy_id: str):
"""Get comprehensive policy information"""
try:
policy = client.policies.get(policy_id)
info = {
"id": policy.get('uuid'),
"name": policy['name'],
"description": policy.get('description'),
"type": policy.get('type'),
"enabled": policy.get('enabled', True),
"priority": policy.get('priority', 0),
"rules": policy.get('rules', []),
"conditions": policy.get('conditions', {}),
"enforcement": policy.get('enforcement', 'enforce'),
"scope": policy.get('scope', 'global')
}
return info
except Exception as e:
print(f"Failed to get policy info: {e}")
return None
# Usage
info = get_policy_info("policy-uuid")
if info:
print(f"Policy: {info['name']}")
print(f"Enforcement: {info['enforcement']}")
print(f"Rules: {len(info['rules'])}")
Find Policy by Name
Copy
Ask AI
def find_policy_by_name(name: str):
"""Find a policy by name"""
page = 1
while True:
policies = client.policies.list(page=page, limit=100)
if not policies:
break
for policy in policies:
if policy['name'].lower() == name.lower():
return policy
page += 1
return None
# Usage
prod_policy = find_policy_by_name("production-access-control")
if prod_policy:
print(f"Found policy: {prod_policy['uuid']}")
policy_details = client.policies.get(prod_policy['uuid'])
print(f"Rules: {policy_details.get('rules', [])}")
Create Policy
Create a new security or access control policy.Basic RBAC Policy
Copy
Ask AI
# Create a basic RBAC policy
policy_data = {
"name": "developer-read-only",
"description": "Developers can read resources but not modify them",
"type": "rbac",
"rules": [
{
"effect": "allow",
"actions": ["read", "list", "get"],
"resources": ["*"],
"principals": ["role:developer"]
},
{
"effect": "deny",
"actions": ["write", "update", "delete"],
"resources": ["*"],
"principals": ["role:developer"]
}
],
"enabled": True,
"priority": 100
}
created_policy = client.policies.create(policy_data)
print(f"Created policy: {created_policy['uuid']}")
print(f"Name: {created_policy['name']}")
Resource-Specific Policy
Copy
Ask AI
# Create a policy for specific resources
policy_data = {
"name": "production-database-access",
"description": "Control access to production databases",
"type": "rbac",
"rules": [
{
"effect": "allow",
"actions": ["read", "query"],
"resources": ["database:production:*"],
"principals": ["role:database-admin", "role:senior-developer"]
},
{
"effect": "deny",
"actions": ["delete", "truncate", "drop"],
"resources": ["database:production:*"],
"principals": ["*"]
}
],
"conditions": {
"time_range": {
"start": "09:00",
"end": "17:00"
},
"ip_allowlist": ["10.0.0.0/8"]
},
"enabled": True,
"priority": 200
}
created_policy = client.policies.create(policy_data)
print(f"Created resource-specific policy: {created_policy['uuid']}")
Approval Workflow Policy
Copy
Ask AI
# Create an approval policy
policy_data = {
"name": "production-deployment-approval",
"description": "Require approval for production deployments",
"type": "approval",
"rules": [
{
"effect": "require_approval",
"actions": ["deploy", "release"],
"resources": ["environment:production"],
"principals": ["*"],
"approval_config": {
"required_approvers": 2,
"approver_roles": ["deployment-manager", "engineering-lead"],
"timeout_hours": 24
}
}
],
"enabled": True,
"priority": 300
}
created_policy = client.policies.create(policy_data)
print(f"Created approval policy: {created_policy['uuid']}")
Time-Based Policy
Copy
Ask AI
# Create a time-based access policy
policy_data = {
"name": "after-hours-restrictions",
"description": "Restrict certain actions outside business hours",
"type": "rbac",
"rules": [
{
"effect": "deny",
"actions": ["deploy", "modify", "delete"],
"resources": ["environment:production"],
"principals": ["*"],
"conditions": {
"time_window": {
"outside": {
"days": ["monday", "tuesday", "wednesday", "thursday", "friday"],
"hours": {"start": "06:00", "end": "22:00"}
}
}
}
}
],
"enabled": True,
"priority": 150
}
created_policy = client.policies.create(policy_data)
print(f"Created time-based policy: {created_policy['uuid']}")
Update Policy
Update an existing policy configuration.Basic Update
Copy
Ask AI
# Update policy settings
policy_id = "policy-uuid-here"
update_data = {
"description": "Updated policy description",
"enabled": True,
"priority": 200
}
updated_policy = client.policies.update(policy_id, update_data)
print(f"Updated policy: {updated_policy['name']}")
Add Rules to Policy
Copy
Ask AI
def add_rules_to_policy(policy_id: str, new_rules: list):
"""Add rules to an existing policy"""
# Get current policy
policy = client.policies.get(policy_id)
# Get current rules
current_rules = policy.get('rules', [])
# Add new rules
updated_rules = current_rules + new_rules
# Update policy
update_data = {"rules": updated_rules}
updated_policy = client.policies.update(policy_id, update_data)
return updated_policy
# Usage
new_rules = [
{
"effect": "allow",
"actions": ["backup"],
"resources": ["database:*"],
"principals": ["role:backup-operator"]
}
]
updated = add_rules_to_policy("policy-uuid", new_rules)
print(f"Updated policy with {len(updated['rules'])} rules")
Enable/Disable Policy
Copy
Ask AI
def toggle_policy(policy_id: str, enabled: bool):
"""Enable or disable a policy"""
update_data = {"enabled": enabled}
updated_policy = client.policies.update(policy_id, update_data)
status = "enabled" if enabled else "disabled"
print(f"Policy {policy_id} is now {status}")
return updated_policy
# Usage
toggle_policy("policy-uuid", False) # Disable
toggle_policy("policy-uuid", True) # Enable
Update Policy Priority
Copy
Ask AI
def update_policy_priority(policy_id: str, priority: int):
"""Update policy priority (higher priority evaluated first)"""
update_data = {"priority": priority}
updated_policy = client.policies.update(policy_id, update_data)
print(f"Updated policy priority to {priority}")
return updated_policy
# Usage
update_policy_priority("policy-uuid", 500)
Delete Policy
Delete a policy.Deleting a policy affects authorization checks for all entities. Ensure the policy is no longer needed before deletion.
Copy
Ask AI
# Delete policy
policy_id = "policy-uuid-to-delete"
result = client.policies.delete(policy_id)
print(f"Deletion result: {result}")
Delete with Safety Check
Copy
Ask AI
from kubiya.resources.exceptions import PolicyError
def delete_policy_safe(policy_id: str):
"""Delete policy with confirmation"""
try:
# Get policy details first
policy = client.policies.get(policy_id)
print(f"About to delete policy: {policy['name']}")
print(f"Type: {policy.get('type')}")
print(f"Enabled: {policy.get('enabled')}")
# Perform deletion
result = client.policies.delete(policy_id)
return {
"success": True,
"message": f"Deleted policy: {policy['name']}",
"result": result
}
except PolicyError as e:
return {
"success": False,
"message": str(e)
}
# Usage
result = delete_policy_safe("policy-uuid")
if result['success']:
print(f"✅ {result['message']}")
else:
print(f"❌ Deletion failed: {result['message']}")
Evaluate Policy
Evaluate a policy for a specific entity and action.Basic Evaluation
Copy
Ask AI
# Evaluate if an entity can perform an action
evaluation = client.policies.evaluate(
entity_id="agent-uuid",
action="deploy"
)
if evaluation.get('allowed'):
print("✅ Action is allowed")
else:
print(f"❌ Action is denied: {evaluation.get('reason')}")
Evaluate with Resource Context
Copy
Ask AI
# Evaluate with resource information
evaluation = client.policies.evaluate(
entity_id="user-uuid",
action="delete",
resource={
"type": "database",
"environment": "production",
"name": "customer-data"
}
)
if evaluation.get('allowed'):
print("✅ Action is allowed")
print(f"Applicable policies: {evaluation.get('applied_policies', [])}")
else:
print(f"❌ Action is denied")
print(f"Reason: {evaluation.get('reason')}")
print(f"Denied by: {evaluation.get('denied_by')}")
Evaluate Multiple Actions
Copy
Ask AI
def evaluate_multiple_actions(entity_id: str, actions: list, resource=None):
"""Evaluate multiple actions for an entity"""
results = {}
for action in actions:
try:
evaluation = client.policies.evaluate(
entity_id=entity_id,
action=action,
resource=resource
)
results[action] = {
"allowed": evaluation.get('allowed', False),
"reason": evaluation.get('reason'),
"applied_policies": evaluation.get('applied_policies', [])
}
except PolicyError as e:
results[action] = {
"allowed": False,
"reason": str(e),
"error": True
}
return results
# Usage
actions = ["read", "write", "delete", "deploy"]
results = evaluate_multiple_actions("agent-uuid", actions)
print("Action Evaluation Results:")
for action, result in results.items():
status = "✅ ALLOWED" if result['allowed'] else "❌ DENIED"
print(f" {action}: {status}")
if not result['allowed']:
print(f" Reason: {result.get('reason')}")
Check Authorization
Check if an entity is authorized for a specific action on a resource.Basic Authorization Check
Copy
Ask AI
# Check if entity is authorized
authorization = client.policies.check_authorization(
entity_id="agent-uuid",
resource="database:production:customers",
action="read"
)
if authorization.get('allowed'):
print("✅ Authorized")
else:
print(f"❌ Not authorized: {authorization.get('reason')}")
Pre-Action Authorization
Copy
Ask AI
def require_authorization(entity_id: str, resource: str, action: str):
"""Decorator-style authorization check"""
authorization = client.policies.check_authorization(
entity_id=entity_id,
resource=resource,
action=action
)
if not authorization.get('allowed'):
raise PermissionError(f"Not authorized: {authorization.get('reason')}")
return authorization
# Usage
try:
require_authorization("agent-uuid", "production-database", "delete")
print("Proceeding with delete operation...")
# ... perform delete ...
except PermissionError as e:
print(f"Authorization denied: {e}")
Bulk Authorization Check
Copy
Ask AI
def check_authorization_bulk(entity_id: str, checks: list):
"""Check authorization for multiple resource/action pairs"""
results = {}
for check in checks:
resource = check['resource']
action = check['action']
try:
authorization = client.policies.check_authorization(
entity_id=entity_id,
resource=resource,
action=action
)
results[f"{resource}:{action}"] = {
"allowed": authorization.get('allowed', False),
"reason": authorization.get('reason'),
"policies": authorization.get('applied_policies', [])
}
except PolicyError as e:
results[f"{resource}:{action}"] = {
"allowed": False,
"reason": str(e),
"error": True
}
return results
# Usage
checks = [
{"resource": "database:prod:customers", "action": "read"},
{"resource": "database:prod:customers", "action": "write"},
{"resource": "environment:production", "action": "deploy"}
]
results = check_authorization_bulk("agent-uuid", checks)
print("Authorization Check Results:")
for check, result in results.items():
status = "✅ ALLOWED" if result['allowed'] else "❌ DENIED"
print(f" {check}: {status}")
Practical Examples
1. Policy Audit System
Copy
Ask AI
def audit_policies():
"""Generate comprehensive policy audit report"""
page = 1
all_policies = []
# Collect all policies
while True:
policies = client.policies.list(page=page, limit=100)
if not policies:
break
all_policies.extend(policies)
page += 1
audit = {
"total_policies": len(all_policies),
"enabled": 0,
"disabled": 0,
"by_type": {},
"by_priority": {},
"high_priority": [], # priority >= 200
"policies_without_description": []
}
for policy in all_policies:
# Count enabled/disabled
if policy.get('enabled', True):
audit['enabled'] += 1
else:
audit['disabled'] += 1
# Count by type
policy_type = policy.get('type', 'unknown')
audit['by_type'][policy_type] = audit['by_type'].get(policy_type, 0) + 1
# Track high priority policies
priority = policy.get('priority', 0)
if priority >= 200:
audit['high_priority'].append({
"name": policy['name'],
"priority": priority,
"type": policy_type
})
# Track policies without description
if not policy.get('description'):
audit['policies_without_description'].append(policy['name'])
return audit
# Usage
audit = audit_policies()
print(f"Policy Audit Report:")
print(f" Total Policies: {audit['total_policies']}")
print(f" Enabled: {audit['enabled']}")
print(f" Disabled: {audit['disabled']}")
print(f"\nBy Type:")
for policy_type, count in audit['by_type'].items():
print(f" {policy_type}: {count}")
print(f"\nHigh Priority Policies: {len(audit['high_priority'])}")
2. Policy Compliance Checker
Copy
Ask AI
def check_policy_compliance(required_policies: list):
"""Check if required policies are in place"""
page = 1
all_policies = []
while True:
policies = client.policies.list(page=page, limit=100)
if not policies:
break
all_policies.extend(policies)
page += 1
policy_names = {p['name']: p for p in all_policies}
compliance_report = {
"compliant": True,
"missing_policies": [],
"disabled_policies": [],
"compliance_score": 0
}
for required in required_policies:
if required not in policy_names:
compliance_report['missing_policies'].append(required)
compliance_report['compliant'] = False
elif not policy_names[required].get('enabled', True):
compliance_report['disabled_policies'].append(required)
compliance_report['compliant'] = False
# Calculate compliance score
found = len(required_policies) - len(compliance_report['missing_policies'])
enabled = found - len(compliance_report['disabled_policies'])
compliance_report['compliance_score'] = (enabled / len(required_policies)) * 100 if required_policies else 100
return compliance_report
# Usage
required_policies = [
"production-access-control",
"deployment-approval",
"data-protection",
"audit-logging"
]
compliance = check_policy_compliance(required_policies)
print(f"Compliance Score: {compliance['compliance_score']:.1f}%")
if compliance['missing_policies']:
print(f"❌ Missing: {compliance['missing_policies']}")
if compliance['disabled_policies']:
print(f"⚠️ Disabled: {compliance['disabled_policies']}")
3. Permission Matrix Generator
Copy
Ask AI
def generate_permission_matrix(entity_ids: list, resources: list, actions: list):
"""Generate a permission matrix for entities"""
matrix = {}
for entity_id in entity_ids:
matrix[entity_id] = {}
for resource in resources:
matrix[entity_id][resource] = {}
for action in actions:
try:
auth = client.policies.check_authorization(
entity_id=entity_id,
resource=resource,
action=action
)
matrix[entity_id][resource][action] = auth.get('allowed', False)
except PolicyError:
matrix[entity_id][resource][action] = False
return matrix
# Usage
entities = ["agent-1", "agent-2", "user-1"]
resources = ["database:prod", "environment:staging", "secrets:api-keys"]
actions = ["read", "write", "delete"]
matrix = generate_permission_matrix(entities, resources, actions)
# Display matrix
print(f"{'Entity':<20} {'Resource':<30} {'Read':<8} {'Write':<8} {'Delete':<8}")
print("-" * 80)
for entity_id, resources in matrix.items():
for resource, actions in resources.items():
read = "✅" if actions.get('read') else "❌"
write = "✅" if actions.get('write') else "❌"
delete = "✅" if actions.get('delete') else "❌"
print(f"{entity_id:<20} {resource:<30} {read:<8} {write:<8} {delete:<8}")
4. Policy Template Library
Copy
Ask AI
class PolicyTemplates:
"""Common policy templates"""
@staticmethod
def create_rbac_policy(role: str, allowed_actions: list, resources: list):
"""Create a basic RBAC policy"""
return {
"name": f"rbac-{role}",
"description": f"RBAC policy for {role} role",
"type": "rbac",
"rules": [
{
"effect": "allow",
"actions": allowed_actions,
"resources": resources,
"principals": [f"role:{role}"]
}
],
"enabled": True,
"priority": 100
}
@staticmethod
def create_time_restricted_policy(name: str, restricted_actions: list, time_window: dict):
"""Create a time-restricted policy"""
return {
"name": name,
"description": f"Time-restricted policy: {name}",
"type": "rbac",
"rules": [
{
"effect": "deny",
"actions": restricted_actions,
"resources": ["*"],
"principals": ["*"],
"conditions": {"time_window": time_window}
}
],
"enabled": True,
"priority": 150
}
@staticmethod
def create_approval_policy(resource_pattern: str, approver_roles: list, required_count: int):
"""Create an approval workflow policy"""
return {
"name": f"approval-{resource_pattern.replace(':', '-')}",
"description": f"Approval required for {resource_pattern}",
"type": "approval",
"rules": [
{
"effect": "require_approval",
"actions": ["*"],
"resources": [resource_pattern],
"principals": ["*"],
"approval_config": {
"required_approvers": required_count,
"approver_roles": approver_roles,
"timeout_hours": 24
}
}
],
"enabled": True,
"priority": 200
}
# Usage
templates = PolicyTemplates()
# Create RBAC policy
rbac_policy = templates.create_rbac_policy(
role="developer",
allowed_actions=["read", "list"],
resources=["database:*", "environment:dev"]
)
created = client.policies.create(rbac_policy)
print(f"Created RBAC policy: {created['uuid']}")
# Create time-restricted policy
time_policy = templates.create_time_restricted_policy(
name="after-hours-deployment-block",
restricted_actions=["deploy", "release"],
time_window={
"outside": {
"days": ["monday", "tuesday", "wednesday", "thursday", "friday"],
"hours": {"start": "09:00", "end": "17:00"}
}
}
)
created = client.policies.create(time_policy)
print(f"Created time-restricted policy: {created['uuid']}")
Error Handling
Copy
Ask AI
from kubiya.resources.exceptions import PolicyError
try:
# Try to get a policy
policy = client.policies.get("non-existent-policy")
except PolicyError as e:
print(f"Policy error: {e}")
# Handle error - maybe list all policies
print("Available policies:")
policies = client.policies.list(page=1, limit=10)
for policy in policies:
print(f" - {policy['name']}")
# Evaluate with error handling
try:
evaluation = client.policies.evaluate(
entity_id="agent-uuid",
action="deploy"
)
if evaluation.get('allowed'):
print("Action is allowed")
else:
print(f"Action denied: {evaluation.get('reason')}")
except PolicyError as e:
print(f"Evaluation error: {e}")
# Authorization check with error handling
try:
auth = client.policies.check_authorization(
entity_id="user-uuid",
resource="production-database",
action="delete"
)
if not auth.get('allowed'):
print(f"Not authorized: {auth.get('reason')}")
except PolicyError as e:
print(f"Authorization check failed: {e}")
Best Practices
1. Use Priority for Policy Ordering
Copy
Ask AI
# Higher priority policies are evaluated first
# Critical security policies should have highest priority
security_policy = {
"name": "critical-security",
"priority": 1000, # Evaluated first
"rules": [...]
}
# General policies can have lower priority
general_policy = {
"name": "general-access",
"priority": 100,
"rules": [...]
}
2. Always Check Authorization Before Actions
Copy
Ask AI
def perform_sensitive_action(entity_id: str, resource: str, action: str):
"""Always check authorization before sensitive operations"""
# Check authorization first
auth = client.policies.check_authorization(
entity_id=entity_id,
resource=resource,
action=action
)
if not auth.get('allowed'):
raise PermissionError(f"Not authorized: {auth.get('reason')}")
# Proceed with action
print(f"Performing {action} on {resource}...")
# ... perform action ...
return {"success": True}
# Usage
try:
result = perform_sensitive_action("agent-uuid", "prod-db", "delete")
except PermissionError as e:
print(f"❌ {e}")
3. Use Descriptive Policy Names
Copy
Ask AI
# Good - descriptive names
policy_data = {
"name": "production-database-read-only-developers",
"description": "Allows developers read-only access to production databases",
"type": "rbac"
}
# Bad - vague names
policy_data = {
"name": "policy-1",
"description": "Some policy",
"type": "rbac"
}
4. Test Policies Before Enabling
Copy
Ask AI
def test_policy_before_enabling(policy_data: dict, test_cases: list):
"""Test policy with sample cases before enabling"""
# Create policy as disabled
policy_data['enabled'] = False
policy = client.policies.create(policy_data)
print(f"Created test policy: {policy['uuid']}")
# Run test cases
all_passed = True
for test_case in test_cases:
auth = client.policies.check_authorization(
entity_id=test_case['entity_id'],
resource=test_case['resource'],
action=test_case['action']
)
expected = test_case['expected_allowed']
actual = auth.get('allowed', False)
if expected != actual:
print(f"❌ Test failed: {test_case}")
all_passed = False
else:
print(f"✅ Test passed: {test_case}")
# Enable if all tests passed
if all_passed:
client.policies.update(policy['uuid'], {"enabled": True})
print("✅ All tests passed, policy enabled")
else:
print("❌ Tests failed, policy remains disabled")
return all_passed
# Usage
test_cases = [
{"entity_id": "dev-1", "resource": "prod-db", "action": "read", "expected_allowed": True},
{"entity_id": "dev-1", "resource": "prod-db", "action": "delete", "expected_allowed": False}
]
test_policy_before_enabling(policy_data, test_cases)
API Reference
Methods
| Method | Description | Parameters |
|---|---|---|
list(page, limit) | List all policies | page: Page number (1, 2, 3…), limit: Records per page |
get(policy_id) | Get specific policy | policy_id: Policy UUID |
create(policy_data) | Create policy | policy_data: Policy configuration dictionary |
update(policy_id, policy_data) | Update policy | policy_id: UUID, policy_data: Updates |
delete(policy_id) | Delete policy | policy_id: Policy UUID |
evaluate(entity_id, action, resource) | Evaluate policy | entity_id: Entity UUID, action: Action string, resource: Optional resource dict |
check_authorization(entity_id, resource, action) | Check authorization | entity_id: Entity UUID, resource: Resource string, action: Action string |
Policy Object Structure
Copy
Ask AI
{
"uuid": "string", # Unique identifier
"name": "string", # Policy name
"description": "string", # Policy description
"type": "string", # Policy type (rbac, approval, etc.)
"enabled": bool, # Whether policy is enabled
"priority": int, # Policy priority (higher = evaluated first)
"rules": [ # List of policy rules
{
"effect": "string", # allow, deny, require_approval
"actions": ["string"], # Actions (read, write, delete, etc.)
"resources": ["string"], # Resources (database:*, environment:prod, etc.)
"principals": ["string"], # Principals (role:admin, user:*, etc.)
"conditions": dict # Optional conditions
}
],
"conditions": dict, # Global policy conditions
"enforcement": "string", # enforce, audit, disabled
"scope": "string", # Policy scope (global, org, team)
"created_at": "string", # Creation timestamp
"updated_at": "string" # Last update timestamp
}
Evaluation Result Object Structure
Copy
Ask AI
{
"allowed": bool, # Whether action is allowed
"reason": "string", # Reason for decision
"applied_policies": ["string"], # List of policy IDs that were applied
"denied_by": "string" # Policy that denied (if denied)
}
Authorization Result Object Structure
Copy
Ask AI
{
"allowed": bool, # Whether entity is authorized
"reason": "string", # Reason for decision
"applied_policies": ["string"], # Policies used in decision
"entity_id": "string", # Entity that was checked
"resource": "string", # Resource that was checked
"action": "string" # Action that was checked
}