Policy
A single ABAC group policy: an effect (ALLOW/DENY), one or more actions,
optional attribute conditions, and the group whose members the policy
applies to.
Within a single policy, conditions are combined with AND; across policies on
the same group, they are combined with OR. A policy with no conditions is a
wildcard: it matches every resource of each action's entity. Deny policies
win over allow policies. A policy can list actions across different entities
(for example project:view together with instance:deploy); a condition whose
attribute does not apply to a given entity simply never matches for that
entity. See docs/guides/abac.md for the full evaluation model.
```graphql
type Policy {
  id: ID!
  effect: PolicyEffect!
  actions: [String!]!
  conditions: Conditions!
  group: Group!
  createdAt: DateTime!
  updatedAt: DateTime!
}
```
Fields
Policy.id ● ID! non-null scalar {#id}
Unique identifier for this policy.
Policy.effect ● PolicyEffect! non-null enum {#effect}
Whether this policy grants (ALLOW) or blocks (DENY) the actions.
Policy.actions ● [String!]! non-null scalar {#actions}
The actions this policy authorizes, each in {entity}:{verb} form (for example ["repo:pull", "instance:deploy"]). Always non-empty.
Policy.conditions ● Conditions! non-null scalar {#conditions}
Either "*" (the policy is a wildcard: every resource of the entity matches) or a JSON-encoded object of attribute conditions. Keys are attribute names; values are a single string or a list of strings (the resource's attribute must equal the string or be one of the listed strings).
Policy.group ● Group! non-null object {#group}
The group this policy applies to.
Policy.createdAt ● DateTime! non-null scalar {#created-at}
When this policy was created.
Policy.updatedAt ● DateTime! non-null scalar {#updated-at}
When this policy was last updated.
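The evaluation rules described above (AND within a policy, OR across policies, deny wins, "*" wildcard, non-applicable attributes never match) and the Policy.conditions encoding, as an added reference evaluator. This is example code written for this page, not the project's own implementation; the sample policies are constructed, and resolving the caller's group memberships into a set of group ids is an assumption the page does not specify.

```python
import json

# Constructed sample policies in the shape of the Policy type above
# ("group" holds the id of the group the policy applies to).
POLICIES = [
    {"effect": "ALLOW", "group": "devs", "actions": ["project:view", "instance:deploy"],
     "conditions": json.dumps({"env": ["dev", "staging"]})},
    {"effect": "DENY", "group": "devs", "actions": ["instance:deploy"],
     "conditions": json.dumps({"region": "eu-west"})},
    {"effect": "ALLOW", "group": "ops", "actions": ["instance:deploy"],
     "conditions": "*"},
]


def conditions_match(conditions, resource):
    """Conditions are ANDed within one policy; "*" is a wildcard.
    A condition on an attribute the resource does not carry never matches."""
    if conditions == "*":
        return True
    for attr, expected in json.loads(conditions).items():
        if attr not in resource:
            return False
        accepted = expected if isinstance(expected, list) else [expected]
        if resource[attr] not in accepted:
            return False
    return True


def is_allowed(policies, member_of, action, resource):
    """OR across matching policies; DENY wins over ALLOW.
    `member_of` is the set of group ids the caller belongs to (assumed)."""
    granted = False
    for policy in policies:
        if policy["group"] not in member_of or action not in policy["actions"]:
            continue
        if not conditions_match(policy["conditions"], resource):
            continue
        if policy["effect"] == "DENY":
            return False  # a matching deny short-circuits the whole decision
        granted = True
    return granted


if __name__ == "__main__":
    dev = {"env": "dev", "region": "us-east"}
    print(is_allowed(POLICIES, {"devs"}, "instance:deploy", dev))  # True
    dev["region"] = "eu-west"
    print(is_allowed(POLICIES, {"devs"}, "instance:deploy", dev))  # False, deny wins
```

Because an ALLOW never returns early, a DENY listed later still overrides it, so policy order does not affect the result.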
Member Of
PoliciesPage object ● PolicyPayload object