
Access Paths

When you call the evaluate endpoint, AuthzX checks access through three paths. If any path grants access (and no DENY policy blocks it), the request is allowed.

The three paths

1. Direct access

A policy is assigned directly to the subject.

Subject → Policy → Resource

Use this for one-off grants or exceptions. Example: Give contractor Frank read-only access to a specific report.

2. Role-based access (RBAC)

The subject has a role, and the role has policies.

Subject → Role → Policy → Resource

Use this for standard permission patterns. Example: All editors can read and write documents.

3. Group-based access

The subject is in a group, and the group has policies.

Subject → Group → Policy → Resource

Use this for team-level access. Example: Everyone in the Engineering Team can access engineering docs.

Evaluation order

  1. AuthzX collects all applicable policies from all three paths.
  2. If any DENY policy matches → access is denied.
  3. If any ALLOW policy matches → access is allowed.
  4. If no policy matches → access is denied (default deny).

Access path in the response

The evaluate response includes which path was used:

{
  "allowed": true,
  "reason": "Policy 'editors-can-read-write' grants access",
  "policy_id": "pol-789",
  "access_path": "role"
}

Possible values: "direct", "role", "group"

Combining paths

A subject can have access through multiple paths simultaneously. For example, Alice might have:

  • Direct policy for a specific document
  • editor role granting read/write to all documents
  • Engineering Team group granting access to engineering docs

AuthzX evaluates all three paths together: a matching DENY policy on any path blocks the request, and otherwise the first matching ALLOW policy is the one reported in the response's policy_id and access_path. A direct grant therefore never overrides a DENY attached to one of the subject's roles or groups.
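A reference model of the evaluation order above (collect from all three paths, DENY wins, first ALLOW otherwise, default deny) and of how overlapping paths resolve for a subject like Alice, as an added example that is not AuthzX's own code. The Policy and Subject types, the fnmatch-style resource patterns, the policy ids and names, and the rule that direct policies are inspected before role and then group policies are all assumptions made for illustration; the returned dict only mirrors the response fields shown on this page.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Policy:
    policy_id: str
    name: str
    effect: str            # "ALLOW" or "DENY"
    actions: frozenset     # e.g. frozenset({"read", "write"})
    resource_pattern: str  # assumed fnmatch-style pattern, e.g. "doc-*" or "eng/*"

    def matches(self, action: str, resource: str) -> bool:
        return action in self.actions and fnmatchcase(resource, self.resource_pattern)


@dataclass
class Subject:
    subject_id: str
    direct_policies: list  # path 1: policies assigned to the subject itself
    roles: list            # path 2: role names, resolved through ROLE_POLICIES
    groups: list           # path 3: group names, resolved through GROUP_POLICIES


# Constructed sample policies; ids and names are illustrative, not real AuthzX data.
EDITORS_RW = Policy("pol-789", "editors-can-read-write", "ALLOW", frozenset({"read", "write"}), "doc-*")
ENG_DOCS = Policy("pol-301", "engineering-docs", "ALLOW", frozenset({"read"}), "eng/*")
ALICE_DOC42 = Policy("pol-101", "alice-doc-42", "ALLOW", frozenset({"read"}), "doc-42")
ALICE_NO_DOC99 = Policy("pol-555", "alice-blocked-doc-99", "DENY", frozenset({"read", "write"}), "doc-99")
FRANK_REPORT = Policy("pol-202", "frank-report-7-readonly", "ALLOW", frozenset({"read"}), "report-7")

ROLE_POLICIES = {"editor": [EDITORS_RW]}
GROUP_POLICIES = {"Engineering Team": [ENG_DOCS]}

SUBJECTS = {
    "alice": Subject("alice", [ALICE_DOC42, ALICE_NO_DOC99], ["editor"], ["Engineering Team"]),
    "frank": Subject("frank", [FRANK_REPORT], [], []),
}


def applicable_policies(subject: Subject) -> list:
    """Step 1: collect (access_path, policy) pairs from all three paths.

    The order direct -> role -> group is an assumption of this model; it decides
    which ALLOW is reported when several paths grant the same access."""
    found = [("direct", p) for p in subject.direct_policies]
    for role in subject.roles:
        found += [("role", p) for p in ROLE_POLICIES.get(role, [])]
    for group in subject.groups:
        found += [("group", p) for p in GROUP_POLICIES.get(group, [])]
    return found


def evaluate(subject_id: str, action: str, resource: str) -> dict:
    subject = SUBJECTS.get(subject_id)
    matching = [] if subject is None else [
        (path, p) for path, p in applicable_policies(subject) if p.matches(action, resource)
    ]
    # Step 2: any matching DENY wins, whichever path it came through.
    for path, p in matching:
        if p.effect == "DENY":
            return {"allowed": False, "reason": f"Policy '{p.name}' denies access",
                    "policy_id": p.policy_id, "access_path": path}
    # Step 3: otherwise the first matching ALLOW is reported.
    for path, p in matching:
        if p.effect == "ALLOW":
            return {"allowed": True, "reason": f"Policy '{p.name}' grants access",
                    "policy_id": p.policy_id, "access_path": path}
    # Step 4: default deny, which also covers an unknown subject.
    return {"allowed": False, "reason": "No matching policy (default deny)",
            "policy_id": None, "access_path": None}


if __name__ == "__main__":
    for args in [("alice", "read", "doc-42"), ("alice", "write", "doc-42"),
                 ("alice", "read", "eng/roadmap"), ("alice", "read", "doc-99"),
                 ("frank", "write", "report-7")]:
        print(args, "->", evaluate(*args))
```

The doc-99 case is the one worth checking in any real deployment: Alice's editor role would grant the read, but the direct DENY is collected alongside it and wins, so the response is denied with the DENY policy's id and path rather than the role's.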