ABAC Conditions

ABAC (Attribute-Based Access Control) conditions let you add fine-grained rules to any policy. A condition compares an attribute of the subject, resource, or request context against a literal value or another attribute at evaluation time.

A policy with conditions only takes effect when all of its conditions pass (conditions are ANDed). If any condition fails, the policy does not match, even when the subject, action, and resource match. This holds for DENY policies as well: a DENY that depends on a condition only blocks requests for which that condition actually passes, so do not rely on a conditioned DENY to catch requests whose attributes it cannot evaluate.

Condition structure

Each condition has three parts:

Field            Description
attribute_path   The left-hand attribute to check (e.g., subject.attributes.department)
operator         The comparison operator (e.g., equals, in, greater_than)
value            The right-hand value: either a literal or another attribute path

Attribute paths

Attribute paths use dot notation to reference values from the authorization request:

Prefix                  Source               Example
subject.attributes.*    Subject attributes   subject.attributes.department
resource.attributes.*   Resource attributes  resource.attributes.classification
context.*               Request context      context.ip_address

Nested attributes are supported via dot-path traversal. For example, if a subject has attributes.manager.region, you can reference it as subject.attributes.manager.region.

Operators

Operator                Description                                                  Example
equals                  Exact match                                                  department equals "engineering"
not_equals              Not equal                                                    status not_equals "suspended"
in                      Value is in a list                                           role in ["admin", "editor"]
not_in                  Value is not in a list                                       department not_in ["finance"]
contains                String contains a substring, or array contains an element    tags contains "sensitive"
greater_than            Numeric comparison                                           level greater_than 3
less_than               Numeric comparison                                           clearance less_than 5
greater_than_or_equal   Numeric comparison                                           age greater_than_or_equal 18
less_than_or_equal      Numeric comparison                                           priority less_than_or_equal 100

Value types

The right-hand value can be:

Literal value

A static value to compare against:

{
  "attribute_path": "subject.attributes.department",
  "operator": "equals",
  "value": "engineering"
}

Attribute reference

Compare against another attribute in the request. This is how you tie subject attributes to resource attributes without hard-coding a value per department, team, or classification level:

{
  "attribute_path": "subject.attributes.department",
  "operator": "equals",
  "value": {
    "type": "attribute",
    "path": "resource.attributes.department"
  }
}

This condition passes only when the subject's department matches the resource's department.

Examples

Department-scoped access

Allow users to read documents only in their own department:

{
  "name": "department-scoped-read",
  "effect": "ALLOW",
  "actions": ["read"],
  "conditions": [
    {
      "attribute_path": "subject.attributes.department",
      "operator": "equals",
      "value": {
        "type": "attribute",
        "path": "resource.attributes.department"
      }
    }
  ]
}

Classification-based restriction

Only allow access to a document when the subject's clearance level is at least the clearance the document requires:

{
  "conditions": [
    {
      "attribute_path": "subject.attributes.clearance_level",
      "operator": "greater_than_or_equal",
      "value": {
        "type": "attribute",
        "path": "resource.attributes.required_clearance"
      }
    }
  ]
}

IP-based access control

Restrict write access to requests from the corporate network. In this example the caller classifies the source IP and passes the result as context.network. Because context is supplied by the caller of the evaluate request, that classification must come from a trusted component (for example, the gateway that terminated the connection), never from end-user input; see Context & Trust Model.

{
  "conditions": [
    {
      "attribute_path": "context.network",
      "operator": "equals",
      "value": "corporate"
    }
  ]
}

Multiple conditions (all must pass)

Allow admin access only for senior engineers in the platform team:

{
  "conditions": [
    {
      "attribute_path": "subject.attributes.level",
      "operator": "greater_than_or_equal",
      "value": 5
    },
    {
      "attribute_path": "subject.attributes.team",
      "operator": "equals",
      "value": "platform"
    }
  ]
}
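The semantics spelled out in the Operators, Value types and Examples sections above (dot-path lookup, the nine operators, literal versus attribute-reference values, and every condition having to pass) can be exercised offline with a small reference evaluator. The following is an added example written for this page, not the product's own evaluator; the sample request and the fail-closed handling of missing attributes and mismatched types are assumptions of the example.

```python
"""Reference evaluator for the ABAC condition semantics described above.

Added example, not the product's own evaluator. Missing attributes and
type mismatches fail closed here; that is an assumption of this example,
not a behaviour the page documents.
"""
from typing import Any

OPERATORS = {
    "equals": lambda lhs, rhs: lhs == rhs,
    "not_equals": lambda lhs, rhs: lhs != rhs,
    "in": lambda lhs, rhs: lhs in rhs,
    "not_in": lambda lhs, rhs: lhs not in rhs,
    "contains": lambda lhs, rhs: rhs in lhs,  # substring or array element
    "greater_than": lambda lhs, rhs: lhs > rhs,
    "less_than": lambda lhs, rhs: lhs < rhs,
    "greater_than_or_equal": lambda lhs, rhs: lhs >= rhs,
    "less_than_or_equal": lambda lhs, rhs: lhs <= rhs,
}

MISSING = object()  # sentinel: an absent attribute is not the same as a stored null


def resolve_path(request: dict, path: str) -> Any:
    """Walk a dot path (e.g. subject.attributes.manager.region) through the request."""
    node: Any = request
    for segment in path.split("."):
        if not isinstance(node, dict) or segment not in node:
            return MISSING
        node = node[segment]
    return node


def resolve_value(request: dict, value: Any) -> Any:
    """Right-hand side: a literal, or {"type": "attribute", "path": ...}."""
    if isinstance(value, dict) and value.get("type") == "attribute":
        return resolve_path(request, value["path"])
    return value


def condition_passes(request: dict, condition: dict) -> bool:
    lhs = resolve_path(request, condition["attribute_path"])
    rhs = resolve_value(request, condition["value"])
    if lhs is MISSING or rhs is MISSING:
        return False  # absent attribute: fail closed (assumption)
    try:
        return bool(OPERATORS[condition["operator"]](lhs, rhs))
    except TypeError:
        return False  # e.g. int compared with str: fail closed (assumption)


def policy_matches(request: dict, policy: dict) -> bool:
    """All conditions are ANDed; a policy without conditions matches unconditionally."""
    return all(condition_passes(request, c) for c in policy.get("conditions", []))


# Constructed sample request. It uses the `attributes` key directly (the page's
# documented alias for `properties`); merging with stored properties is not modelled.
SAMPLE_REQUEST = {
    "subject": {"id": "user-123", "type": "user", "attributes": {
        "department": "engineering", "level": 5, "team": "platform",
        "clearance_level": 2, "role": "editor"}},
    "resource": {"type": "document", "name": "Engineering Wiki", "attributes": {
        "department": "engineering", "classification": "internal",
        "required_clearance": 3, "tags": ["wiki", "sensitive"]}},
    "action": {"name": "read"},
    "context": {"ip_address": "10.0.0.42", "network": "corporate"},
}

# The page's example policies as Python literals.
DEPARTMENT_SCOPED_READ = {"name": "department-scoped-read", "effect": "ALLOW",
    "actions": ["read"], "conditions": [{
        "attribute_path": "subject.attributes.department", "operator": "equals",
        "value": {"type": "attribute", "path": "resource.attributes.department"}}]}

CLEARANCE_GATE = {"conditions": [{
    "attribute_path": "subject.attributes.clearance_level",
    "operator": "greater_than_or_equal",
    "value": {"type": "attribute", "path": "resource.attributes.required_clearance"}}]}

SENIOR_PLATFORM = {"conditions": [
    {"attribute_path": "subject.attributes.level", "operator": "greater_than_or_equal", "value": 5},
    {"attribute_path": "subject.attributes.team", "operator": "equals", "value": "platform"}]}

if __name__ == "__main__":
    for name, policy in [("department-scoped-read", DEPARTMENT_SCOPED_READ),
                         ("clearance-gate", CLEARANCE_GATE),
                         ("senior-platform", SENIOR_PLATFORM)]:
        print(f"{name}: {'match' if policy_matches(SAMPLE_REQUEST, policy) else 'no match'}")
```

Running it against the constructed request matches the department-scoped and senior-platform policies and rejects the clearance gate (clearance_level 2 against required_clearance 3). The MISSING sentinel matters: resolving an absent attribute to None would make `not_equals` and `not_in` pass for subjects that simply lack the attribute.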

Terraform example

resource "authzx_policy" "dept_scoped_read" {
  application_id = authzx_application.crm.id
  name           = "department-scoped-read"
  effect         = "ALLOW"
  priority       = 50

  resources = [{
    resource_id = authzx_resource_type.document.id
    actions     = ["read"]
  }]

  conditions = [
    {
      attribute_path = "subject.attributes.department"
      operator       = "equals"
      value = jsonencode({
        type = "attribute"
        path = "resource.attributes.department"
      })
    }
  ]
}

In the evaluate request

For a condition to pass, every attribute it references must be available at evaluation time, either from stored properties or from the properties supplied in the authorization request. A request that carries them:

{
  "subject": {
    "id": "user-123",
    "type": "user",
    "properties": {
      "department": "engineering",
      "level": 5
    }
  },
  "resource": {
    "type": "document",
    "name": "Engineering Wiki",
    "properties": {
      "department": "engineering",
      "classification": "internal"
    }
  },
  "action": { "name": "read" },
  "context": {
    "ip_address": "10.0.0.42",
    "network": "corporate"
  }
}

Properties provided in the request are merged with the stored properties for that subject or resource. If the same key exists in both, the request value takes precedence. attributes is accepted as an alias for properties. Because the request wins, any caller that can set subject properties can also set clearance_level or department for that evaluation; restrict the evaluate endpoint to trusted services and treat request-supplied overrides as caller assertions, not facts. See Context & Trust Model for the trust hierarchy.
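The merge rule and the attributes alias described above, as an added example written for this page rather than the product's own request handling. It assumes a shallow per-key merge, a stored record that is a plain property map, and that properties wins when an entity carries both keys; the stored record and the request are constructed for the example. The merge also reports which stored keys the request replaced, which is the set an authorization log should record since the caller, not the store, decided those values.

```python
"""Request-side property handling for the evaluate request described above.

Added example, not the product's code. Assumptions: shallow per-key merge,
stored records are plain property maps, and `properties` wins over the
`attributes` alias if an entity carries both.
"""
from typing import Dict, List, Tuple


def normalize_properties(entity: dict) -> Dict:
    """Return the entity's property map, accepting `attributes` as an alias."""
    if "properties" in entity:
        return dict(entity["properties"])
    return dict(entity.get("attributes", {}))


def merge_properties(stored: dict, supplied: dict) -> Tuple[Dict, List[str]]:
    """Merge request-supplied properties over stored ones; the request wins.

    Returns (merged, overridden), where `overridden` lists the keys whose
    stored value the request replaced with a different one.
    """
    merged = dict(stored)
    overridden = []
    for key, value in supplied.items():
        if key in stored and stored[key] != value:
            overridden.append(key)
        merged[key] = value
    return merged, sorted(overridden)


# Constructed stand-in for the subject records the service already holds.
STORED_SUBJECTS = {
    "user-123": {"department": "engineering", "clearance_level": 2, "level": 5},
}


def effective_subject_properties(request: dict) -> Tuple[Dict, List[str]]:
    """The subject properties the evaluator would see for this request."""
    subject = request["subject"]
    stored = STORED_SUBJECTS.get(subject["id"], {})
    return merge_properties(stored, normalize_properties(subject))


# Constructed request from a caller that asserts a higher clearance than the
# store holds, using the `attributes` alias.
ELEVATING_REQUEST = {
    "subject": {"id": "user-123", "type": "user",
                "attributes": {"department": "engineering", "clearance_level": 9}},
    "resource": {"type": "document", "name": "Board Minutes",
                 "properties": {"required_clearance": 5}},
    "action": {"name": "read"},
    "context": {"network": "corporate"},
}

if __name__ == "__main__":
    merged, overridden = effective_subject_properties(ELEVATING_REQUEST)
    print("effective subject properties:", merged)
    if overridden:
        print("request overrode stored keys:", overridden)
```

For the constructed request the effective clearance_level becomes 9, not the stored 2, and `overridden` reports `["clearance_level"]`. That is the documented precedence working as designed; whether it is safe depends entirely on who is allowed to call evaluate.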