Thoryn

Role gate — admin only

A single equality on the `role` claim. Allow only credentials whose role is `admin`. The simplest role-based access control you can do.

Tested against: policyEngine 1.0.0

policy-engine recipe — shared category architecture: how this pattern composes with Hub, Broker, and the rest of the catalog

Use case

You expose an admin endpoint that should only respond to credentials carrying role = admin. Anything else — including credentials without a role claim at all — is a DENY.

Rule

{
  "fact": "role",
  "operator": "equal",
  "value": "admin"
}

Facts shape

data class RoleFacts(val role: String)

Evaluation

val decision = policyEngine.evaluate(rule, mapOf("role" to claims["role"]))

Trace — DENY

When the credential carries role = "manager":

{
  "decision": "DENY",
  "trace": [
    { "fact": "role", "operator": "equal", "value": "admin", "actual": "manager", "result": "fail" }
  ]
}
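To make the evaluation and trace shapes above concrete, here is an added example (not Thoryn's policy-engine code): a minimal evaluator for this single-equality rule that also covers the missing-claim case from the use case. The `Rule`, `TraceEntry`, `Decision` and `evaluateEqual` names, the `ALLOW` decision string and the `pass` result string are assumptions; the page only shows `DENY` and `fail`.

```kotlin
// Added example, not the project's own code. Hypothetical names throughout:
// Rule, TraceEntry, Decision and evaluateEqual are not the policy-engine API.

data class Rule(val fact: String, val operator: String, val value: String)

data class TraceEntry(
    val fact: String,
    val operator: String,
    val value: String,
    val actual: Any?,     // null when the claim is absent, mirroring JSON null
    val result: String,   // "pass" (assumed name) or "fail"
)

data class Decision(val decision: String, val trace: List<TraceEntry>)

/** Evaluates one `equal` rule against a facts map; an absent fact can never match. */
fun evaluateEqual(rule: Rule, facts: Map<String, Any?>): Decision {
    require(rule.operator == "equal") { "only the equal operator is handled here" }
    val actual = facts[rule.fact]
    // Exact, case-sensitive comparison: "Admin" or " admin" fail just like "manager",
    // and a missing claim (null) is an ordinary fail, not an error.
    val matched = actual != null && actual == rule.value
    val entry = TraceEntry(rule.fact, rule.operator, rule.value, actual,
        if (matched) "pass" else "fail")
    // "ALLOW" is an assumed label; the recipe only shows the DENY side.
    return Decision(if (matched) "ALLOW" else "DENY", listOf(entry))
}

fun main() {
    val adminOnly = Rule(fact = "role", operator = "equal", value = "admin")

    // Constructed claim sets covering the three cases the recipe cares about.
    val samples = mapOf(
        "admin credential" to mapOf("role" to "admin"),
        "manager credential" to mapOf("role" to "manager"),
        "no role claim" to emptyMap<String, Any?>(),
    )
    for ((label, claims) in samples) {
        // Same call shape as the Evaluation section: the facts map is built from the claims.
        val d = evaluateEqual(adminOnly, mapOf("role" to claims["role"]))
        println("$label -> ${d.decision} ${d.trace.first()}")
    }
}
```

The trace entry for the missing-claim case carries `actual=null`, which is the field to watch in logs when a DENY is unexpected.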

When to use

  • A binary role check at the edge — admin or not, no nuance
  • Pre-checks before a more expensive policy evaluation

When not to use

  • You have multiple acceptable roles — use role-or
  • Roles overlap with department / region / time gates — compose with all or any

See also