policy
Authorization policy on a store resource. Policies control which actors can perform which actions on the resource, using authorize_if and forbid_if conditions. Compiles to Ash Framework policies at runtime, providing row-level and action-level access control.
When to use
Use policy when you need to:
- Restrict data access by actor role, attribute, or identity
- Allow certain actions only for specific users or machine contexts
- Implement row-level security (e.g., users can only read their own records)
- Protect sensitive data from unauthorized queries or modifications
Policies are optional. A resource without policies allows any action by any actor. Add policies when the data has access control requirements.
Syntax
```
resource <resource_name>
  policy action_type(<action_type>)
    authorize_if <condition>
    forbid_if <condition>
```
Policy for all actions
```
resource <resource_name>
  policy always()
    authorize_if <condition>
```
Parameters
| Parameter | Required | Description |
|---|---|---|
| action_type | Yes | Which actions this policy applies to: create, read, update, destroy, or * for all. |
| authorize_if | No | Condition that grants access. If the condition is true, the action is allowed. Can appear multiple times. |
| forbid_if | No | Condition that denies access. If the condition is true, the action is forbidden. Can appear multiple times. |
Conditions
| Condition | Description | Example |
|---|---|---|
| actor_attribute(field, value) | Actor has the specified attribute value | actor_attribute(role, "admin") |
| relates_to_actor_via(field) | The record’s field matches the actor’s ID | relates_to_actor_via(:user_id) |
| always() | Always true (useful as a catch-all deny) | forbid_if always() |
| never() | Always false | authorize_if never() |
Policy conditions are evaluated in order. The first matching authorize_if or forbid_if determines the outcome. If no condition matches, the action is forbidden by default (deny-by-default).
Examples
Role-based access
```
resource report
  id as uuid, is primary_key
  title as text, is required
  classification as text, default: "internal"
  timestamps

  read all_reports
  destroy remove_report

  policy action_type(read)
    authorize_if actor_attribute(role, "analyst")
    authorize_if actor_attribute(role, "admin")

  policy action_type(destroy)
    authorize_if actor_attribute(role, "admin")
    forbid_if always()
```
Analysts and admins can read reports. Only admins can delete them. All other actors are denied.
Row-level security
```
resource note
  id as uuid, is primary_key
  user_id as uuid, is required
  content as text
  timestamps

  create add_note
    accept: [content]
  read my_notes

  policy action_type(read)
    authorize_if relates_to_actor_via(:user_id)

  policy action_type(create)
    authorize_if always()

  policy action_type(destroy)
    authorize_if relates_to_actor_via(:user_id)
    forbid_if always()
```
Users can create notes freely, but can only read and delete their own notes.
Deny-by-default pattern
```
resource secret
  id as uuid, is primary_key
  value as text, is required
  timestamps

  defaults: [read]

  policy action_type(read)
    authorize_if actor_attribute(clearance, "top_secret")
    forbid_if always()
```
The final forbid_if always() acts as a catch-all that denies access to anyone who did not match a preceding authorize_if. This is the recommended pattern for sensitive data.
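The evaluation rules stated under Conditions (ordered checks, first match decides, deny-by-default) and the three resources above can be exercised with the following reference evaluator. It is an added example written for this page, not code from the project or from Ash Framework: it models the DSL's semantics in Python rather than showing the compiled Ash policies. Assumptions made here and not stated on the page: the actor's identity is read from an `id` key, a resource whose policies exist but none applies to the requested action is forbidden, and when several policies apply to one action every one of them must authorize. It also shows the ordering failure mode the deny-by-default pattern depends on: a `forbid_if always()` placed before the `authorize_if` locks everyone out.

```python
# Added reference evaluator for the page's policy semantics (not the project's code).
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Mapping, Optional, Tuple

Actor = Mapping[str, Any]
Record = Mapping[str, Any]
Check = Callable[[Actor, Record], bool]


# Conditions from the Conditions table. The actor's identity is assumed to be
# stored under the key "id" (an assumption of this example, not of the page).
def actor_attribute(name: str, value: Any) -> Check:
    return lambda actor, record: actor.get(name) == value


def relates_to_actor_via(field_name: str) -> Check:
    return lambda actor, record: (record.get(field_name) is not None
                                  and record.get(field_name) == actor.get("id"))


def always() -> Check:
    return lambda actor, record: True


def never() -> Check:
    return lambda actor, record: False


@dataclass
class Policy:
    action_type: str                      # create | read | update | destroy | *
    conditions: List[Tuple[str, Check]]   # ("authorize_if" | "forbid_if", check) in source order

    def applies_to(self, action: str) -> bool:
        return self.action_type in ("*", action)


@dataclass
class Resource:
    name: str
    policies: List[Policy] = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(resource: Resource, action: str, actor: Actor,
             record: Optional[Record] = None,
             ledger: Optional[List[Dict[str, Any]]] = None) -> Decision:
    """A resource without policies allows everything (page); otherwise the first
    matching condition of each applicable policy decides it and no match means
    forbidden. Assumed here: all applicable policies must authorize, and an action
    with no applicable policy is forbidden. Each decision is appended to `ledger`,
    mirroring the behavioral ledger entry (actor, action, resource, matched reason)."""
    record = record or {}
    applicable = [p for p in resource.policies if p.applies_to(action)]
    if not resource.policies:
        decision = Decision(True, "resource has no policies")
    elif not applicable:
        decision = Decision(False, "no policy applies (deny-by-default)")
    else:
        decision = Decision(True, "all applicable policies authorized")
        for policy in applicable:
            outcome = Decision(False, "no condition matched (deny-by-default)")
            for kind, check in policy.conditions:
                if check(actor, record):          # ordered: first match wins
                    outcome = Decision(kind == "authorize_if",
                                       f"{kind} matched in action_type({policy.action_type})")
                    break
            if not outcome.allowed:
                decision = outcome
                break
    if ledger is not None:
        ledger.append({"actor": actor.get("id"), "action": action,
                       "resource": resource.name, "allowed": decision.allowed,
                       "reason": decision.reason})
    return decision


# The three resources from the Examples section, expressed in this model.
def report_resource() -> Resource:
    return Resource("report", [
        Policy("read", [("authorize_if", actor_attribute("role", "analyst")),
                        ("authorize_if", actor_attribute("role", "admin"))]),
        Policy("destroy", [("authorize_if", actor_attribute("role", "admin")),
                           ("forbid_if", always())]),
    ])


def note_resource() -> Resource:
    return Resource("note", [
        Policy("read", [("authorize_if", relates_to_actor_via("user_id"))]),
        Policy("create", [("authorize_if", always())]),
        Policy("destroy", [("authorize_if", relates_to_actor_via("user_id")),
                           ("forbid_if", always())]),
    ])


def secret_resource() -> Resource:
    return Resource("secret", [
        Policy("read", [("authorize_if", actor_attribute("clearance", "top_secret")),
                        ("forbid_if", always())]),
    ])


def misordered_secret_resource() -> Resource:
    # Same checks as secret_resource, but forbid_if always() comes first: with
    # ordered evaluation it matches before any authorize_if and denies everyone.
    return Resource("secret", [
        Policy("read", [("forbid_if", always()),
                        ("authorize_if", actor_attribute("clearance", "top_secret"))]),
    ])
```

Running `evaluate(report_resource(), "destroy", {"id": "u1", "role": "analyst"})` returns a denied decision whose reason names the matching `forbid_if`, which is exactly the entry the behavioral ledger would carry for that request; the misordered variant shows why the catch-all belongs last.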
Governance
Policies are part of the machine’s governance story. They work alongside the ensures > permissions section:
- ensures > permissions controls which capabilities the machine itself has (e.g., whether the machine can write data at all)
- policy blocks on resources control which actors can perform which operations on specific data
Both layers are enforced. A machine must have the db capability, and the actor must satisfy the resource’s policies.
Policy evaluations are recorded in the behavioral ledger. Every authorization decision (allowed or denied) is logged with the actor, action, resource, and the condition that matched.
Translations
| Language | Keyword |
|---|---|
| English | policy |
| Spanish | politica |
| French | politique |
| German | Richtlinie |
| Japanese | ポリシー |
| Chinese | 策略 |
| Korean | 정책 |