
Access Paths

When you call the evaluate endpoint, AuthzX checks access through multiple paths. If any path grants access (and no DENY policy blocks it), the request is allowed.

The four paths

1. Direct access

A policy is assigned directly to the subject.

Subject → Policy → Resource

Use this for one-off grants or exceptions. Example: Give contractor Frank read-only access to a specific report.

2. Role-based access (RBAC)

The subject has a role, and the role has policies.

Subject → Role → Policy → Resource

Use this for standard permission patterns. Example: All editors can read and write documents.

3. Group-based access

The subject is in a group, and the group has policies.

Subject → Group → Policy → Resource

Use this for team-level access. Example: Everyone in the Engineering Team can access engineering docs.

4. Attribute-based access (ABAC)

A policy has conditions that compare attributes from the subject, resource, or context.

Subject (attributes) + Resource (attributes) + Context → Condition evaluation → Policy → Resource

Use this for fine-grained rules that depend on runtime data. Example: Users can only read documents in their own department.

See ABAC Conditions for full syntax.

Evaluation order

  1. AuthzX collects all applicable policies from all four paths.
  2. If any DENY policy matches → access is denied.
  3. If any ALLOW policy matches → access is allowed.
  4. If no policy matches → access is denied (default deny).

When multiple ALLOW policies match, the one with the highest priority is reported in the response.

Access path in the response

The evaluate response includes which path was used:

{
  "decision": true,
  "context": {
    "reason": "Policy 'editors-can-read-write' grants access",
    "policy_id": "pol-789",
    "access_path": "role"
  }
}

Possible values for context.access_path: "direct", "role", "group", "abac"
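
The evaluation order and response fields described above, modelled as an added Python example (not AuthzX's code or API). The policy store layout, resource matching on id or "*", larger numbers meaning higher priority, and the shape of denied responses are assumptions made for illustration; the sample subject and document are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Policy:
    id: str
    effect: str                           # "ALLOW" or "DENY"
    actions: frozenset
    resource: str                         # resource id or "*" (assumed matching rule)
    priority: int = 0
    condition: Optional[Callable] = None  # ABAC: f(subject, resource, context) -> bool

def collect(subject, store):
    """Step 1: gather (access_path, policy) pairs from all four paths."""
    found = [("direct", p) for p in store["direct"].get(subject["id"], [])]
    for role in subject.get("roles", []):
        found += [("role", p) for p in store["role"].get(role, [])]
    for group in subject.get("groups", []):
        found += [("group", p) for p in store["group"].get(group, [])]
    # Assumption: conditional (ABAC) policies are candidates for every subject.
    return found + [("abac", p) for p in store["abac"]]

def matches(p, subject, action, resource, context):
    in_scope = action in p.actions and p.resource in ("*", resource["id"])
    return in_scope and (p.condition is None or p.condition(subject, resource, context))

def respond(decision, reason, hit=None):  # DENY and no-match response shapes are assumed
    extra = {"policy_id": hit[1].id, "access_path": hit[0]} if hit else {}
    return {"decision": decision, "context": {"reason": reason, **extra}}

def evaluate(subject, action, resource, context, store):
    hits = [h for h in collect(subject, store) if matches(h[1], subject, action, resource, context)]
    denies = [h for h in hits if h[1].effect == "DENY"]
    allows = [h for h in hits if h[1].effect == "ALLOW"]
    if denies:   # step 2: one matching DENY overrides every ALLOW
        return respond(False, f"Policy '{denies[0][1].id}' denies access", denies[0])
    if allows:   # step 3: report the highest-priority ALLOW (assumed: larger number wins)
        best = max(allows, key=lambda h: h[1].priority)
        return respond(True, f"Policy '{best[1].id}' grants access", best)
    return respond(False, "No policy matched")  # step 4: default deny

# Constructed sample data: Alice matches through both the role and ABAC paths.
same_dept = lambda s, r, c: s["department"] == r["department"]
STORE = {"direct": {}, "group": {}, "role": {"editor": [
    Policy("editors-can-read-write", "ALLOW", frozenset({"read", "write"}), "*", 10)]},
    "abac": [Policy("same-department-read", "ALLOW", frozenset({"read"}), "*", 5, same_dept)]}
ALICE = {"id": "alice", "roles": ["editor"], "groups": [], "department": "eng"}
DOC = {"id": "doc-1", "department": "eng"}
print(evaluate(ALICE, "read", DOC, {}, STORE))
```

Adding a single DENY policy to any path in `STORE` flips the decision to false regardless of how many ALLOW policies still match, which is the property to test for when reviewing a policy set.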

Combining paths

A subject can have access through multiple paths simultaneously. For example, Alice might have:

  • Direct policy for a specific document
  • editor role granting read/write to all documents
  • Engineering Team group granting access to engineering docs
  • An ABAC policy allowing access to documents in her department

AuthzX evaluates all paths and returns the first match. The access_path field tells you which path was used.

  • Policies — Policy structure, assignment, and conditions.
  • ABAC Conditions — Condition syntax for attribute-based access.
  • Decisions — What happens after evaluation.