Policies
Policies are the authorization rules. Each policy defines who can do what on which resources.
Policy structure
A policy has:
| Field | Description |
|---|---|
| Name | Human-readable identifier |
| Effect | ALLOW or DENY |
| Actions | What actions this policy covers (e.g., read, write) |
| Resources | Which resources or resource types this policy applies to |
Policy assignment
Policies don't do anything on their own — they need to be assigned. You can assign a policy to:
- A role — All subjects with that role get the policy (RBAC)
- A group — All subjects in that group get the policy (group-based)
- A subject directly — Only that specific subject gets the policy (direct access)
DENY policies
DENY policies take precedence over ALLOW policies. If any applicable DENY policy matches, access is denied regardless of ALLOW policies.
Use DENY policies for:
- Revoking access for specific subjects
- Blocking access to sensitive resources
- Temporary access restrictions
Examples
| Policy | Effect | Actions | Resource type | Assigned to |
|---|---|---|---|---|
| editors-can-read-write | ALLOW | read, write | document | editor role |
| sales-can-manage-contacts | ALLOW | read, write, delete | contact | Sales Team group |
| block-contractor-delete | DENY | delete | * | Frank (subject) |
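The following is an added example, not code from the page or from the product it documents. It implements the policy model described above in Python: the four policy fields from the structure table, the three assignment paths (role, group, direct subject), and DENY-over-ALLOW evaluation, then runs the three policies from the examples table through it. Assumptions not stated on the page: the class names (`Policy`, `Subject`, `PolicyStore`), that `*` as a resource type matches any type, that no matching policy means the request is denied, and the constructed subjects Alice and Bob plus Frank's role and group memberships.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

ALLOW, DENY = "ALLOW", "DENY"


@dataclass(frozen=True)
class Policy:
    """One authorization rule: name, effect, actions and resource types."""
    name: str
    effect: str                    # ALLOW or DENY
    actions: FrozenSet[str]        # e.g. {"read", "write"}
    resource_types: FrozenSet[str] # "*" is assumed to mean "any resource type"

    def matches(self, action: str, resource_type: str) -> bool:
        if action not in self.actions:
            return False
        return "*" in self.resource_types or resource_type in self.resource_types


@dataclass
class Subject:
    name: str
    roles: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)


@dataclass
class PolicyStore:
    """Policies only take effect through assignments: to a role, a group, or a subject."""
    by_role: Dict[str, List[Policy]] = field(default_factory=dict)
    by_group: Dict[str, List[Policy]] = field(default_factory=dict)
    by_subject: Dict[str, List[Policy]] = field(default_factory=dict)

    def assign(self, policy: Policy, *, role=None, group=None, subject=None) -> None:
        if role is not None:
            self.by_role.setdefault(role, []).append(policy)
        if group is not None:
            self.by_group.setdefault(group, []).append(policy)
        if subject is not None:
            self.by_subject.setdefault(subject, []).append(policy)

    def applicable(self, subject: Subject) -> List[Policy]:
        """Every policy that reaches the subject through any of the three assignment paths."""
        found: List[Policy] = []
        for role in subject.roles:
            found.extend(self.by_role.get(role, []))
        for group in subject.groups:
            found.extend(self.by_group.get(group, []))
        found.extend(self.by_subject.get(subject.name, []))
        return found


def decide(store: PolicyStore, subject: Subject, action: str,
           resource_type: str) -> Tuple[bool, List[str]]:
    """Return (allowed, sorted names of the policies that matched).

    Any matching DENY wins over every ALLOW. With no matching policy at all the
    result is deny (assumed default; the page does not state it).
    """
    matching = [p for p in store.applicable(subject) if p.matches(action, resource_type)]
    names = sorted(p.name for p in matching)
    if any(p.effect == DENY for p in matching):
        return False, names
    return any(p.effect == ALLOW for p in matching), names


def build_example_store() -> PolicyStore:
    """The three policies from the examples table, assigned exactly as the table says."""
    store = PolicyStore()
    store.assign(Policy("editors-can-read-write", ALLOW,
                        frozenset({"read", "write"}), frozenset({"document"})), role="editor")
    store.assign(Policy("sales-can-manage-contacts", ALLOW,
                        frozenset({"read", "write", "delete"}), frozenset({"contact"})),
                 group="Sales Team")
    store.assign(Policy("block-contractor-delete", DENY,
                        frozenset({"delete"}), frozenset({"*"})), subject="Frank")
    return store


# Constructed subjects (not from the page): Alice is an editor; Frank is a contractor who
# is both an editor and in the Sales Team, so the group ALLOW and his direct DENY collide.
ALICE = Subject("Alice", roles={"editor"})
FRANK = Subject("Frank", roles={"editor"}, groups={"Sales Team"})
BOB = Subject("Bob")  # no roles, groups or direct assignments


if __name__ == "__main__":
    store = build_example_store()
    checks = [(ALICE, "read", "document"), (ALICE, "delete", "document"),
              (FRANK, "delete", "contact"), (FRANK, "read", "contact"),
              (BOB, "read", "document")]
    for subj, action, rtype in checks:
        allowed, names = decide(store, subj, action, rtype)
        print(f"{subj.name:5} {action:6} {rtype:8} -> {'ALLOW' if allowed else 'DENY':5} via {names}")
```

Returning the matching policy names alongside the decision is deliberate: when a request is denied, the audit log can show whether it was the DENY policy or simply the absence of any ALLOW, which is the first question an administrator asks when debugging access.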