
Commit 0da79b1

Create policies.md
1 parent c557468 commit 0da79b1

File tree

1 file changed

+127
-0
lines changed

Lines changed: 127 additions & 0 deletions
@@ -0,0 +1,127 @@
1+
# 🛡 Policies & Access Control
2+
3+
UltimateAuth uses a **policy-driven authorization model**.
4+
5+
Policies are not simple checks —
6+
they are **composable decision units** evaluated at runtime.
7+
8+
## 🧠 Mental Model
9+
10+
Authorization in UltimateAuth is:
11+
12+
👉 Context-based
13+
👉 Policy-driven
14+
👉 Orchestrated
15+
16+
### Flow
17+
18+
1. Build `AccessContext`
19+
2. Resolve policies
20+
3. Execute authority
21+
4. Allow / Deny / Reauth
22+
23+
<br>
24+
25+
## ⚙️ AccessContext
26+
27+
Every authorization decision is based on:
28+
29+
- Actor (who is calling)
30+
- Target (what is being accessed)
31+
- Action (what is being done)
32+
- Tenant
33+
- Claims / permissions
34+
35+
<br>
36+
37+
## 🔌 Policy Resolution
38+
39+
Policies are resolved using:
40+
41+
- Action prefix matching
42+
- Runtime filtering (`AppliesTo`)
43+
44+
Example:
45+
46+
- `users.create.admin`
47+
- `users.*`
48+
- `authorization.roles.*`
49+
50+
<br>
51+
52+
## 🧩 Policy Types
53+
54+
### Global Policies
55+
56+
Always evaluated:
57+
58+
- RequireAuthenticated
59+
- DenyCrossTenant
60+
61+
### Runtime Policies
62+
63+
Resolved dynamically:
64+
65+
- RequireActiveUser
66+
- MustHavePermission
67+
- RequireSelf
68+
69+
### Invariants
70+
71+
Executed first:
72+
73+
- Cannot be bypassed
74+
- Hard security rules
75+
76+
<br>
77+
78+
## ⚖️ Policy Evaluation
79+
80+
Evaluation order:
81+
82+
1. Invariants
83+
2. Global policies
84+
3. Runtime policies
85+
86+
👉 First deny wins
87+
👉 Allow means “no objection”
88+
👉 Reauth can be requested
89+
90+
<br>
91+
92+
## 🔐 Example Policy
93+
94+
### Deny Admin Self Modification
95+
96+
- Blocks admin modifying own account
97+
- Applies only to `.admin` actions
98+
- Ignores read operations
99+
100+
### Require Active User
101+
102+
- Ensures user exists
103+
- Ensures user is active
104+
- Skips anonymous actions
105+
106+
<br>
107+
108+
## 🚀 Access Orchestrator
109+
110+
The orchestrator is the entry point:
111+
112+
- Enriches context (claims, permissions)
113+
- Resolves policies
114+
- Executes authority
115+
- Runs command if allowed
116+
117+
## 🎯 Key Principles
118+
119+
- Policies are composable
120+
- Authorization is deterministic
121+
- No hidden magic
122+
- Fully extensible
123+
124+
---
125+
126+
👉 Authorization is not a single check
127+
👉 It is a **pipeline of decisions**
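
Review bot: the Policy Evaluation section (`First deny wins`, `Allow means "no objection"`, `Reauth can be requested`) leaves the two cases a reader most needs undefined: what the authority returns when resolution yields no policy for an action, and how Deny and Reauth combine when different policies return each. As written, `Allow means "no objection"` can be read as fail-open for unmatched actions; state explicitly that the authority denies by default when nothing matches (or, if it does not, say so and why), give the precedence (for example Deny over Reauth over Allow), and say whether evaluation short-circuits on the first deny or still runs every invariant before returning. Related: `RequireAuthenticated` is listed under Global Policies as `Always evaluated`, yet the `Require Active User` example says `Skips anonymous actions`; document how an action is marked anonymous and whether that marking also exempts it from the global policies, since that marking is effectively the allow-list of unauthenticated endpoints. Finally, Policy Resolution describes `Action prefix matching` with examples such as `users.*`, while the example policy `Applies only to .admin actions` and `Ignores read operations`, which are suffix and verb matches; a short grammar for action names (segments, wildcard scope, which segment denotes read versus write) would make the `AppliesTo` behaviour checkable.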

0 commit comments
