Policy Layer Reference¶

policy MyPolicy {
  actor user: User
  context ctx: RequestContext

  rule can_action(resource: Resource) {
    // authorization logic
  }
}

rule can_edit(post: Post) {
  user.id == post.authorId
}

deny rule no_self_follow {
  user.id == target.id
}

allow override admin_override {
  user.role == Role.Admin
}

deny > allow override > allow

rule combined(resource: Resource) {
  BasePolicy.basic_check(resource) &&
  SpecialPolicy.special_check(resource)
}

policy MyPolicy {
  actor user: User
  context ctx: RequestContext

  rule time_restricted {
    isBusinessHours(ctx.timestamp)
  }
}

capability Email.Send requires can_send_email

verify policy MyPolicy {
  totality {
    // All actions covered
  }

  consistency {
    // No contradictions
  }
}