Thoryn


Role gate — admin or manager

ALLOW if `role` is in the configured list. Combines `any` over multiple equality leaves — short-circuits on the first match.

Tested against: policyEngine: 1.0.0

policy-engine recipe — shared category architecture: how this pattern composes with Hub, Broker, and the rest of the catalog

Use case

Multiple roles are acceptable for the same surface: admin and manager both reach the dashboard, for instance. Express this as `any` over equality leaves so the engine short-circuits on the first match.

Rule

{
  "any": [
    { "fact": "role", "operator": "equal", "value": "admin" },
    { "fact": "role", "operator": "equal", "value": "manager" }
  ]
}

You can equivalently use `in` for compactness:

{
  "fact": "role",
  "operator": "in",
  "value": ["admin", "manager"]
}

`any` is more flexible (the children can be heterogeneous); `in` is tighter when the children are all the same shape.

Trace — ALLOW (manager)

{
  "decision": "ALLOW",
  "trace": [
    { "any": [
        { "fact": "role", "operator": "equal", "value": "admin", "actual": "manager", "result": "fail" },
        { "fact": "role", "operator": "equal", "value": "manager", "actual": "manager", "result": "pass" }
      ],
      "result": "pass"
    }
  ]
}
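
The two rule forms and the trace above, run through a minimal evaluator. This is an added example, not the policy engine's own code: `evaluate`, `decide`, the `DENY` label and the `null` recorded for a missing fact are assumptions, and the sample inputs are constructed.

```javascript
// Added example, not the policy engine's own code. evaluate/decide are hypothetical names.
const ANY_RULE = { any: [
  { fact: "role", operator: "equal", value: "admin" },
  { fact: "role", operator: "equal", value: "manager" },
] };
const IN_RULE = { fact: "role", operator: "in", value: ["admin", "manager"] };

// Evaluate one rule node against the facts and return its trace node.
function evaluate(node, facts) {
  if (Array.isArray(node.any)) {
    const children = [];
    for (const child of node.any) {
      const t = evaluate(child, facts);
      children.push(t);
      if (t.result === "pass") return { any: children, result: "pass" }; // first match wins
    }
    return { any: children, result: "fail" };
  }
  // Leaf. Own-property lookup only, so a fact cannot resolve via the prototype chain.
  const actual = Object.prototype.hasOwnProperty.call(facts, node.fact) ? facts[node.fact] : null;
  let ok = false;
  if (node.operator === "equal") ok = actual === node.value;
  else if (node.operator === "in") ok = Array.isArray(node.value) && node.value.includes(actual);
  // A missing fact, a wrong type or an unknown operator leaves ok === false (deny by default).
  return { ...node, actual, result: ok ? "pass" : "fail" };
}

// "DENY" is an assumed label; the page only shows the ALLOW decision.
function decide(rule, facts) {
  const trace = evaluate(rule, facts);
  return { decision: trace.result === "pass" ? "ALLOW" : "DENY", trace: [trace] };
}

// Constructed inputs: the page's manager case plus shapes a role gate should reject.
const samples = [
  { role: "manager" },   // second leaf matches
  { role: "admin" },     // first leaf matches, second is never evaluated
  { role: "Admin" },     // equality is case-sensitive here
  { role: ["admin"] },   // multi-valued claim passed through without normalising
  {},                    // claim absent
];
for (const facts of samples) {
  const a = decide(ANY_RULE, facts), b = decide(IN_RULE, facts);
  console.log(JSON.stringify(facts), a.decision, b.decision, "leaves evaluated:", a.trace[0].any.length);
}
```
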

When to use

  • 2–4 acceptable roles
  • Roles drawn from an authoritative claim, not user-editable

When not to use

  • Many roles: use the `in` form
  • Roles with hierarchy (admin > manager): encode the hierarchy upstream and pass a normalised `effective_role`
