Resource Policies
Standalone ABAC policies with condition operators and logic combinators.
Resource policies provide attribute-based access control (ABAC) independent of roles. Each policy defines conditions that are evaluated against the resource and request context at check time.
Policy structure
A resource policy consists of:
| Field | Description |
|---|---|
| name | Human-readable label |
| resource | The resource path this policy applies to |
| action | The action this policy governs |
| effect | ALLOW or DENY |
| priority | Integer — lower numbers evaluated first |
| conditions | JSON condition tree using operators and combinators |
Policies are evaluated in priority order. Deny always wins — if any matching policy denies, the result is deny regardless of other policies.
Condition operators
| Operator | Example |
|---|---|
| equals | resource.status equals "published" |
| notEquals | resource.type notEquals "draft" |
| in | actor.department in ["finance", "accounting"] |
| notIn | actor.role notIn ["intern"] |
| gt / gte | resource.amount gt 1000 |
| lt / lte | context.hour lt 18 |
| contains | resource.tags contains "urgent" |
| startsWith | resource.path startsWith "/public" |
| endsWith | resource.name endsWith ".pdf" |
| exists | resource.approvedBy exists true |
Logic combinators
Combine conditions with all (AND), any (OR), and not:
{
  "all": [
    { "field": "resource.ownerId", "operator": "equals", "value": "actor.id" },
    { "any": [
      { "field": "resource.status", "operator": "equals", "value": "draft" },
      { "field": "resource.status", "operator": "equals", "value": "review" }
    ]},
    { "not": {
      "field": "actor.suspended", "operator": "equals", "value": true
    }}
  ]
}
This reads: allow if the actor owns the resource AND the status is draft or review AND the actor is not suspended.
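The Python sketch below is an added example, not the service's implementation or code from this page. It evaluates the condition tree and the deny-wins rule described above locally, so a policy can be checked against sample contexts before it is created. It assumes that string values beginning with actor., resource. or context. are attribute references (as the "actor.id" value suggests), that comparisons on absent attributes are false, that policies match resource and action exactly, and that no matching ALLOW means deny. The policy list is constructed.

```python
from functools import reduce

MISSING = object()
ROOTS = ("actor.", "resource.", "context.")  # assumed: such string values are references
OPS = {
    "equals": lambda a, b: a == b, "notEquals": lambda a, b: a != b,
    "in": lambda a, b: a in b, "notIn": lambda a, b: a not in b,
    "gt": lambda a, b: a > b, "gte": lambda a, b: a >= b,
    "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b, "contains": lambda a, b: b in a,
    "startsWith": lambda a, b: a.startswith(b), "endsWith": lambda a, b: a.endswith(b),
}

def lookup(ctx, path):
    """Resolve a dotted path such as 'resource.ownerId'; MISSING if absent."""
    step = lambda node, key: node.get(key, MISSING) if isinstance(node, dict) else MISSING
    return reduce(step, path.split("."), ctx)

def evaluate(node, ctx):
    """Evaluate all/any/not combinators and leaf comparisons against ctx."""
    for key, fold in (("all", all), ("any", any)):
        if key in node:
            return fold(evaluate(child, ctx) for child in node[key])
    if "not" in node:
        return not evaluate(node["not"], ctx)
    actual, expected = lookup(ctx, node["field"]), node["value"]
    if isinstance(expected, str) and expected.startswith(ROOTS):
        expected = lookup(ctx, expected)
    if node["operator"] == "exists":
        return (actual is not MISSING) == expected
    if actual is MISSING or expected is MISSING:
        return False  # assumed: comparisons on absent attributes fail closed
    try:
        return bool(OPS[node["operator"]](actual, expected))
    except (TypeError, AttributeError):
        return False  # mismatched types never satisfy a condition

def decide(policies, resource, action, ctx):
    """Lower priority first; any matching DENY wins. Assumed: exact match, default DENY."""
    effects = [p["effect"] for p in sorted(policies, key=lambda p: p["priority"])
               if (p["resource"], p["action"]) == (resource, action)
               and evaluate(p["conditions"], ctx)]
    return "ALLOW" if effects and "DENY" not in effects else "DENY"

# Constructed sample: the page's owner policy plus a hypothetical DENY on suspended actors.
OWNER = {"all": [{"field": "resource.ownerId", "operator": "equals", "value": "actor.id"}]}
SUSPENDED = {"field": "actor.suspended", "operator": "equals", "value": True}
BASE = {"resource": "documents", "action": "update"}
POLICIES = [{**BASE, "effect": "ALLOW", "priority": 10, "conditions": OWNER},
            {**BASE, "effect": "DENY", "priority": 20, "conditions": SUSPENDED}]
```

Under these assumptions a not around a comparison on an absent attribute evaluates to true, so the tree above treats an actor with no suspended attribute as not suspended. How the service itself handles missing attributes is defined by its Condition Language reference, not by this sketch.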
Creating a policy
curl -X POST https://api.platformxe.com/api/v1/permissions/policies \
  -H "Content-Type: application/json" \
  -H "x-api-key: pxk_live_your_api_key_here" \
  -d '{
    "name": "Owners can update own resources",
    "resource": "documents",
    "action": "update",
    "effect": "ALLOW",
    "priority": 10,
    "conditions": {
      "all": [
        { "field": "resource.ownerId", "operator": "equals", "value": "actor.id" }
      ]
    }
  }'
Resource policies are evaluated after overrides and role capabilities in the permission check pipeline. See the Condition Language reference for the full operator specification.