Policy Conditions

Variables

Inside conditions you can access two variables, which are records to call attributes on:

object, which translates to the object of the Resource type the user is trying to gain access to. The attributes that can be called on the object differ per Resource type. See the Resources page to find all of them.
subject, which is the current user trying to gain access. The attributes that can be called on the subject are id, name and email.

Attribute Value Types

The values attributes that can be called on the resources are always one of these types:

number, an integer, like an id, or relation_id.
string, a text
bool, boolean, true or false
datetime, a date & time object. This can be passed as a string, but gets evaluated as a datetime, so the string must be able to parse to a Datetime. See also: https://ss64.com/dates.html

Each resource page contains documentation of which attributes are applicable, with the correct type.

In order to force the correct evaluation of a value type inside the policy JSON, the root key inside the conditions block is always the value type, like this:

...
"statement": {
  ...
  "condition": {
    "number": {
      "==": {"object.site_id": 1234},
      ">":  {"object.id": 9876}
    }
    "string": {
      "==": {"subject.email": "test@email.com"}
    }
  }
  ...
}

Since the parsing is forced you are able to for example send strings inside the number block. This will work, because the values get parsed according to which block they’re in.

Evaluation Operators

The way the policy gets evaluated is determined by the value types, and by which operator is used. The policy condition operators are:

==, equals to. Applicable to all attribute value types.
!=, does not equal to. Applicable to datetime, number, string
>=, greater than or equals to. Applicable to datetime, number
>, greater than. Applicable to datetime, number
<=, less than or equals to. Applicable to datetime, number
<, less than. Applicable to datetime, number
like, regular expression. Applicable to string
like_ic, case insensitive regular expression (ignore case flag). Applicable to string

Inside the policy JSON, the operators are used as a key inside the value type block, and as a value it has a single key/value object with the attribute and the value to evaluate. See the example above.