Policy query request and response examples
The following examples highlight different policy query request and response formats supported by the JSON PDP API. Learn more about the structure of such requests and responses in JSON PDP API request and response flow.
Using a query attribute with no values specified
The following request asks, "Which actions can the specified user perform on accounts?":
{
  "query": [
    {
      "attribute": "Action"
    },
    {
      "attribute": "Subject",
      "values": ["John Smith"]
    },
    {
      "attribute": "Resource",
      "values": ["account"]
    }
  ]
}
The response returns each action that produced a PERMIT decision, given the specified subject and resource:
{
  "requestId": "4da494e4-2f50-4165-b1b3-644981564196",
  "timeStamp": "2024-09-19T21:44:51.905443Z",
  "deploymentPackageId": "ed614a98-f4d0-483a-b9dd-574aa327ad11",
  "elapsedTime": 7,
  "result": [
    {
      "attribute": "Action",
      "value": "edit",
      "results": [
        {
          "attribute": "Subject",
          "value": "John Smith",
          "results": [
            {
              "attribute": "Resource",
              "value": "account",
              "decision": "PERMIT"
            }
          ]
        }
      ]
    },
    {
      "attribute": "Action",
      "value": "view",
      "results": [
        {
          "attribute": "Subject",
          "value": "John Smith",
          "results": [
            {
              "attribute": "Resource",
              "value": "account",
              "decision": "PERMIT"
            }
          ]
        }
      ]
    }
  ]
}
Using a query attribute with multiple values specified
The following request uses a request attribute with multiple values to ask, "Can the specified user edit or view account information?":
{
  "query": [
    {
      "attribute": "Action",
      "values": ["edit", "view"]
    },
    {
      "attribute": "Subject",
      "values": ["Tom Johnson"]
    },
    {
      "attribute": "Resource",
      "values": ["account"]
    }
  ]
}
The response returns each action that produced a PERMIT decision, given the specified subject and resource:
{
  "requestId": "af52d214-6dbb-4699-9fe1-74ec88ccebac",
  "timeStamp": "2024-09-20T01:40:04.381703Z",
  "deploymentPackageId": "292863fe-2cde-440f-9c7b-9aee4a8dc94e",
  "elapsedTime": 4,
  "results": [
    {
      "attribute": "Action",
      "value": "edit",
      "results": [
        {
          "attribute": "Subject",
          "value": "John Smith",
          "results": [
            {
              "attribute": "Resource",
              "value": "account",
              "decision": "PERMIT"
            }
          ]
        }
      ]
    },
    {
      "attribute": "Action",
      "value": "view",
      "results": [
        {
          "attribute": "Subject",
          "value": "John Smith",
          "results": [
            {
              "attribute": "Resource",
              "value": "account",
              "decision": "PERMIT"
            }
          ]
        }
      ]
    }
  ]
}
Using a query attribute with no values specified and a query attribute with multiple values specified
The following request asks, "Which users can either edit or view bank accounts?":
{
  "query": [
    {
      "attribute": "Subject"
    },
    {
      "attribute": "Action",
      "values": ["edit", "view"]
    },
    {
      "attribute": "Resource",
      "values": ["account"]
    }
  ]
}
The response returns each user that produced a PERMIT decision on either of the specified actions, given the specified resource:
{
  "requestId": "2d3fe162-7490-43a4-abdf-56c978a35abf",
  "timeStamp": "2024-09-20T01:53:06.102542Z",
  "deploymentPackageId": "292863fe-2cde-440f-9c7b-9aee4a8dc94e",
  "elapsedTime": 4,
  "results": [
    {
      "attribute": "Subject",
      "value": "John Smith",
      "results": [
        {
          "attribute": "Action",
          "value": "edit",
          "results": [
            {
              "attribute": "Resource",
              "value": "account",
              "decision": "PERMIT"
            }
          ]
        },
        {
          "attribute": "Action",
          "value": "view",
          "results": [
            {
              "attribute": "Resource",
              "value": "account",
              "decision": "PERMIT"
            }
          ]
        }
      ]
    },
    {
      "attribute": "Subject",
      "value": "Sally White",
      "results": [
        {
          "attribute": "Action",
          "value": "edit",
          "results": [
            {
              "attribute": "Resource",
              "value": "account",
              "decision": "PERMIT"
            }
          ]
        }
      ]
    }
  ]
}
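For an access review, the nested result tree is easier to audit as flat rows, one per leaf decision. The following Python sketch is an added example, not part of the product documentation; the function names flatten_decisions and permitted are hypothetical, and the sample is a constructed, trimmed copy of the response above.

```python
import json

# Constructed sample: trimmed copy of the "Which users can either edit or
# view bank accounts?" response shown above (request metadata omitted).
SAMPLE_RESPONSE = json.loads("""
{
  "results": [
    {"attribute": "Subject", "value": "John Smith", "results": [
      {"attribute": "Action", "value": "edit", "results": [
        {"attribute": "Resource", "value": "account", "decision": "PERMIT"}]},
      {"attribute": "Action", "value": "view", "results": [
        {"attribute": "Resource", "value": "account", "decision": "PERMIT"}]}]},
    {"attribute": "Subject", "value": "Sally White", "results": [
      {"attribute": "Action", "value": "edit", "results": [
        {"attribute": "Resource", "value": "account", "decision": "PERMIT"}]}]}
  ]
}
""")


def flatten_decisions(response):
    """Return one dict per leaf: every attribute on the path plus the decision."""
    # The examples on this page show the top-level list under both "result"
    # and "results", so accept either key (hypothetical tolerance, not API spec).
    roots = response.get("results", response.get("result", []))
    rows = []

    def walk(node, path):
        # Record this level's attribute/value, then descend or emit a row.
        path = {**path, node["attribute"]: node["value"]}
        if "decision" in node:
            rows.append({**path, "decision": node["decision"]})
        for child in node.get("results", []):
            walk(child, path)

    for root in roots:
        walk(root, {})
    return rows


def permitted(rows, **where):
    """Keep PERMIT rows whose attributes match every attribute=value filter."""
    return [r for r in rows
            if r["decision"] == "PERMIT"
            and all(r.get(k) == v for k, v in where.items())]


if __name__ == "__main__":
    for row in flatten_decisions(SAMPLE_RESPONSE):
        print(row)
```

Because the walk keys each row by attribute name rather than by nesting depth, the same function handles responses where Action, not Subject, is the outermost level.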
Using query attributes to resolve other query attributes
When building the Trust Framework around your policy query use case, you can use resolvers to create chains of dependence between query attributes.
In this example, the Account attribute is configured with query settings to enable authorization questions, such as "Which accounts can this user update?" The AccountList attribute is configured as the Account attribute's source collection.
The AccountList attribute uses the Accounts service as its resolver, and this service interpolates the User attribute in its endpoint URL definition.
The following query request asks, "Which accounts can John Smith edit?":
{
  "query": [
    {
      "attribute": "Account"
    },
    {
      "attribute": "Subject",
      "values": ["John Smith"]
    },
    {
      "attribute": "Action",
      "values": ["edit"]
    }
  ]
}
In resolving the Account attribute, the Accounts service uses the single-valued User attribute included in the request to make an HTTP call and retrieve a list of accounts. The response then returns an array of accounts that produced a PERMIT decision, given the specified user and action.
Using multivalued or unbounded query attributes to resolve other query attributes is not currently supported.