Condition Language
Full reference for the ABAC condition operators and logic combinators.
The condition language defines how resource policies evaluate attributes at permission check time. Conditions are JSON objects that combine operators and logic combinators into expression trees.
Condition structure
Each condition has three fields:
{ "field": "resource.status", "operator": "equals", "value": "published" }
| Field | Description |
|---|---|
| field | Dot-path into the resource, actor, or context object |
| operator | One of 13 comparison operators |
| value | The value to compare against (can reference actor.* fields) |
Field paths
Fields are resolved from the resource, actor, or context objects passed in the permission check request:
- resource.ownerId — attribute on the resource
- actor.department — attribute on the actor (user)
- context.ip — attribute on the request context
Operators
Equality
{ "field": "resource.type", "operator": "equals", "value": "article" }
{ "field": "resource.status", "operator": "notEquals", "value": "archived" }
Set membership
{ "field": "actor.department", "operator": "in", "value": ["finance", "legal"] }
{ "field": "actor.role", "operator": "notIn", "value": ["intern", "contractor"] }
Numeric comparison
{ "field": "resource.amount", "operator": "gt", "value": 10000 }
{ "field": "resource.amount", "operator": "gte", "value": 10000 }
{ "field": "resource.priority", "operator": "lt", "value": 5 }
{ "field": "context.hour", "operator": "lte", "value": 17 }
String matching
{ "field": "resource.tags", "operator": "contains", "value": "urgent" }
{ "field": "resource.path", "operator": "startsWith", "value": "/public" }
{ "field": "resource.filename", "operator": "endsWith", "value": ".pdf" }
Existence
{ "field": "resource.approvedBy", "operator": "exists", "value": true }
{ "field": "resource.deletedAt", "operator": "exists", "value": false }
Logic combinators
all (AND)
All conditions must be true:
{
"all": [
{ "field": "resource.status", "operator": "equals", "value": "draft" },
{ "field": "resource.ownerId", "operator": "equals", "value": "actor.id" }
]
}
any (OR)
At least one condition must be true:
{
"any": [
{ "field": "actor.department", "operator": "equals", "value": "finance" },
{ "field": "actor.role", "operator": "equals", "value": "super-admin" }
]
}
not (negate)
Inverts a single condition:
{
"not": { "field": "actor.suspended", "operator": "equals", "value": true }
}
Nested combinators
Combinators can be nested to express complex logic:
{
"all": [
{ "field": "resource.ownerId", "operator": "equals", "value": "actor.id" },
{
"any": [
{ "field": "resource.status", "operator": "equals", "value": "draft" },
{ "field": "resource.status", "operator": "equals", "value": "review" }
]
},
{
"not": { "field": "actor.suspended", "operator": "equals", "value": true }
}
]
}
This reads: the actor owns the resource AND the status is draft or review AND the actor is not suspended.
Evaluation in the check pipeline
Conditions are evaluated after overrides and role capabilities. When a resource policy matches the requested resource and action, its conditions are evaluated against the check request's resource, actor, and context objects. If conditions pass and the effect is ALLOW, access is granted. If conditions pass and the effect is DENY, access is denied.
When comparing a resource attribute to an actor attribute, use the actor.* prefix as the value: { "field": "resource.ownerId", "operator": "equals", "value": "actor.id" }. The engine resolves actor.* references at evaluation time.
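The following evaluator is an added example, not the engine's own code, showing how the operators, the three combinators and actor.* reference resolution described on this page fit together; the function names (resolve, evaluate) and the fail-closed handling of missing attributes are assumptions of this example.

```python
# Added example evaluator for the condition language; function names are assumed, not the engine's.
MISSING = object()  # sentinel: the dot-path did not resolve to an attribute

def resolve(path, env):
    """Follow a dot-path such as "resource.ownerId" through nested dicts."""
    cur = env
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return MISSING
        cur = cur[part]
    return cur

OPERATORS = {
    "equals": lambda a, b: a == b, "notEquals": lambda a, b: a != b,
    "in": lambda a, b: a in b, "notIn": lambda a, b: a not in b,
    "gt": lambda a, b: a > b, "gte": lambda a, b: a >= b,
    "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b,
    "contains": lambda a, b: b in a,  # works for lists (tags) and for substrings
    "startsWith": lambda a, b: a.startswith(b), "endsWith": lambda a, b: a.endswith(b),
}

def evaluate(cond, env):
    """Evaluate a condition tree against env = {"resource": .., "actor": .., "context": ..}."""
    if "all" in cond:
        return all(evaluate(c, env) for c in cond["all"])
    if "any" in cond:
        return any(evaluate(c, env) for c in cond["any"])
    if "not" in cond:
        return not evaluate(cond["not"], env)
    op, expected = cond["operator"], cond["value"]
    actual = resolve(cond["field"], env)
    if op == "exists":
        return (actual is not MISSING) == bool(expected)
    # A string value with the actor.* prefix is a reference, resolved at evaluation time.
    if isinstance(expected, str) and expected.startswith("actor."):
        expected = resolve(expected, env)
    if actual is MISSING or expected is MISSING:
        return False  # fail closed: a missing attribute never satisfies a comparison
    try:
        return bool(OPERATORS[op](actual, expected))
    except (TypeError, AttributeError):
        return False  # type mismatch (e.g. gt on a string) fails the condition instead of crashing

# The nested example from this page: owner AND (draft OR review) AND NOT suspended.
OWNER_EDITS_DRAFT = {"all": [
    {"field": "resource.ownerId", "operator": "equals", "value": "actor.id"},
    {"any": [{"field": "resource.status", "operator": "equals", "value": "draft"},
             {"field": "resource.status", "operator": "equals", "value": "review"}]},
    {"not": {"field": "actor.suspended", "operator": "equals", "value": True}},
]}
```

Because comparisons on an absent attribute fail closed, a not wrapped around such a comparison passes (an actor with no suspended attribute counts as not suspended); when absence itself must be checked, use the exists operator rather than relying on that behaviour.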