Resources

Resources are the things you want to protect — documents, dashboards, API endpoints, database records, or anything else.

Resource types

Before creating resources, define a resource type. A resource type is a blueprint that specifies:

  • Name — The category (e.g., document, dashboard, contact)
  • Actions — What can be done with this type (e.g., read, write, delete, share)
  • Attribute definitions — Expected attributes on resources of this type (optional)

Example resource type:

{
  "name": "document",
  "actions": ["read", "write", "delete", "share"],
  "attribute_definitions": [
    { "key": "classification", "type": "string" },
    { "key": "department", "type": "string" }
  ]
}

When you define attribute definitions on a resource type, the console auto-populates a dropdown when editing resources of that type and when building ABAC conditions.

Resources

A resource is a specific instance of a resource type:

{
  "name": "Engineering Wiki",
  "type": "document",
  "id": "doc-456",
  "attributes": {
    "classification": "internal",
    "department": "engineering"
  }
}

Resource attributes in conditions

Resource attributes can be used in ABAC conditions to create fine-grained policies. For example, a policy can match only resources where classification equals confidential, or compare the resource's department against the subject's department.

{
  "conditions": [
    {
      "attribute_path": "resource.attributes.classification",
      "operator": "equals",
      "value": "internal"
    }
  ]
}

Attributes stored on a resource are automatically included when that resource is referenced in a /v1/authorize call. You can also pass attributes in the request body; request-provided values take precedence over stored values.
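The precedence rule above decides which value a condition sees, so it is worth tracing once. The following is an added example, not code from this product: a local Python model of the merge and of the "equals" condition shown on this page. The function names and the `filter_request_attrs` helper are assumptions made for illustration.

```python
# Local model of the precedence rule described above; not the service's implementation.
# Function names and the request attributes used with them are assumptions.

# Stored resource from this page (id omitted).
STORED = {
    "name": "Engineering Wiki",
    "type": "document",
    "attributes": {"classification": "internal", "department": "engineering"},
}

# Condition from this page.
CONDITIONS = [
    {"attribute_path": "resource.attributes.classification",
     "operator": "equals", "value": "internal"},
]


def effective_resource(stored, request_attrs=None):
    """Merge attributes: request-provided values win over stored values."""
    merged = dict(stored["attributes"])
    merged.update(request_attrs or {})
    return {**stored, "attributes": merged}


def resolve(context, path):
    """Walk a dotted attribute_path; return None if any segment is missing."""
    node = context
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def conditions_match(conditions, resource):
    """True only if every condition holds. Only 'equals' is modelled."""
    context = {"resource": resource}
    for cond in conditions:
        if cond["operator"] != "equals":
            raise ValueError(f"operator not modelled: {cond['operator']}")
        if resolve(context, cond["attribute_path"]) != cond["value"]:
            return False
    return True


def filter_request_attrs(request_attrs, allowed_keys):
    """Caller-side guard (hypothetical): forward only keys the app sets itself."""
    return {k: v for k, v in request_attrs.items() if k in allowed_keys}
```

With no request attributes the condition matches the stored resource; passing `{"classification": "confidential"}` in the request makes the same stored resource stop matching. Because the request value replaces the stored one, attributes sent in the request body should come from data the application controls, which is what the allowlist helper is for.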

Resource hierarchy

Resources can have parent-child relationships via the parent_id field. This enables hierarchical access control — for example, granting access to a folder automatically grants access to documents within it.

In the evaluate call

When checking access, specify the resource by id (UUID) or by type + name:

{
  "resource": {
    "type": "document",
    "name": "Engineering Wiki"
  }
}

Name-based lookup avoids hardcoding UUIDs in application code and matches the names visible in the console and Terraform.