
Role-Based Access

Access Control

Check whether a user's role permits the requested action (view, edit, publish, admin).

Policy rule

A **request** is authorized
  if §request.view is permitted
  or §request.edit is permitted
  or §request.publish is permitted
  or §request.admin is permitted.

request.view. A **request** is permitted
  if __action__ of **request** is equal to "view".

request.edit. A **request** is permitted
  if __role__ of **request** is in ["editor", "publisher", "admin"]
  and __action__ of **request** is equal to "edit".

request.publish. A **request** is permitted
  if __role__ of **request** is in ["publisher", "admin"]
  and __action__ of **request** is equal to "publish".

request.admin. A **request** is permitted
  if __role__ of **request** is equal to "admin"
  and __action__ of **request** is equal to "admin".

Input schema

{
  "properties": {
    "request": {
      "properties": {
        "role": {
          "type": "string"
        },
        "action": {
          "type": "string"
        }
      },
      "required": [
        "role",
        "action"
      ],
      "type": "object"
    }
  },
  "required": [
    "request"
  ],
  "title": "Request Model",
  "type": "object"
}

Test cases

Editor can edit

Expect pass
{
  "request": {
    "role": "editor",
    "action": "edit"
  }
}

Viewer cannot publish

Expect fail
{
  "request": {
    "role": "viewer",
    "action": "publish"
  }
}
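
The two test cases above cover one allow and one deny cell. As an added example (not part of the original page or the SDK), this TypeScript mirror of the four rules lets you assert the whole role and action matrix offline. The names `authorize` and `allowedActions`, the sample role `intern`, the sample action `delete`, denying schema-invalid input, and case-sensitive comparison are assumptions.

```typescript
// Added example: a local mirror of the policy rules, not the policy engine itself.
type Decision = { allowed: boolean; rule: string | null };

// Role lists copied from the policy text; "view" has no role condition (null).
const RULES: { name: string; action: string; roles: string[] | null }[] = [
  { name: "request.view", action: "view", roles: null },
  { name: "request.edit", action: "edit", roles: ["editor", "publisher", "admin"] },
  { name: "request.publish", action: "publish", roles: ["publisher", "admin"] },
  { name: "request.admin", action: "admin", roles: ["admin"] },
];

// Returns the first rule that permits the request, or a deny if none does.
// Assumption: input that violates the schema is denied here; the real engine
// may report a validation error instead.
function authorize(input: unknown): Decision {
  const req = (input as { request?: { role?: unknown; action?: unknown } } | null)?.request;
  const role = req?.role;
  const action = req?.action;
  if (typeof role !== "string" || typeof action !== "string") {
    return { allowed: false, rule: null };
  }
  for (const r of RULES) {
    // Assumption: "is equal to" and "is in" are exact, case-sensitive matches.
    if (r.action === action && (r.roles === null || r.roles.indexOf(role) !== -1)) {
      return { allowed: true, rule: r.name };
    }
  }
  return { allowed: false, rule: null }; // no rule matched: default deny
}

// Lists the actions a role is allowed, so every deny cell can be asserted too.
function allowedActions(role: string, actions: string[]): string[] {
  return actions.filter((action) => authorize({ request: { role, action } }).allowed);
}

// Constructed sample roles and actions; "intern" and "delete" are not in the policy.
const ACTIONS = ["view", "edit", "publish", "admin", "delete"];
for (const role of ["viewer", "editor", "publisher", "admin", "intern"]) {
  console.log(role, "->", allowedActions(role, ACTIONS).join(", "));
}
```

Because `request.view` carries no role condition and the schema types `role` as an unconstrained string, any role value is allowed to view, including one the application never issued.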

Integration

Execute this policy from your app using one of the official SDKs.

import { ExecutionClient } from "@policies2/sdk";

const client = new ExecutionClient({
	apiKey: process.env.POLICY_API_KEY!,
	transport: { kind: "rest", baseUrl: "https://api.policy2.net" },
});

const result = await client.executePolicy({
	id: "your-policy-id", // replace with your published policy ID
	reference: "base",
	data: {
		"request": {
			"role": "editor",
			"action": "edit"
		}
	},
});

if (result.result) {
	console.log("policy matched");
} else {
	console.log("policy did not match");
}
