Policy DSL Tooling
Goal
Use the FQL (Fine-grained Query Language) code editor in the Admin Console to write, validate, and format policy expressions for ABAC and RADAC policies. After completing this guide, you can write expressions efficiently using auto-completion, the operator toolbar, the field browser, and real-time validation.
Audience
Developers authoring ABAC or RADAC policies who prefer writing expressions directly in the code editor rather than using the visual Expression Builder.
Prerequisites
- Access to a running Admin Console instance
- Policy management permissions (create or update scope on the Policies resource)
- Configured policy vocabulary — the editor uses vocabulary data for auto-completion and validation
Before You Start
The FQL code editor is available in two policy types:
| Policy Type | How to Access |
|---|---|
| ABAC | Create or edit an ABAC policy, then enable the Expression Mode (Advanced) toggle |
| RADAC | Create or edit a RADAC policy, then enable the Expression Mode (Advanced) toggle |
The editor provides syntax highlighting, auto-completion, real-time validation, formatting, and a field browser. It shares the same expression language in both policy types.
For an overview of policy creation flows, see Policy Management.
Worked Example
In this guide, you write an ABAC expression that grants access when a user has the manager role in the engineering department and the request occurs during business hours.
Steps
1. Open the FQL editor
Navigate to Authorization Policies and click Add Policy > ABAC. Fill in the Name and Description fields, then enable the Expression Mode (Advanced) toggle. The code editor appears with syntax highlighting and an empty editing area.
2. Understand FQL syntax
FQL expressions combine field references, comparison operators, logical operators, and values to define conditions.
Available context objects:
| Object | Description |
|---|---|
| user | Attributes of the requesting user (role, department, title) |
| resource | Attributes of the target resource (type, owner, classification) |
| token | Claims from the access token (audience, scope, expiration) |
| context | Request context attributes (IP address, time, location) |
| org | Organization-level attributes |
| tenant | Tenant-level attributes |
Access nested fields with dot notation: user.role, resource.type, context.time.
Comparison operators:
| Operator | Meaning | Example |
|---|---|---|
| == | Equal to | user.role == 'admin' |
| != | Not equal to | resource.type != 'public' |
| > | Greater than | context.time > 900 |
| < | Less than | context.time < 1700 |
| >= | Greater than or equal | user.level >= 3 |
| <= | Less than or equal | token.exp <= 3600 |
| contains | Contains value | user.groups contains 'engineering' |
Logical operators:
| Operator | Meaning | Example |
|---|---|---|
| && | Logical AND | user.role == 'admin' && context.time > 900 |
| \|\| | Logical OR | user.role == 'admin' \|\| user.role == 'manager' |
| ! | Logical NOT | !resource.isArchived |
Values:
- Strings: single or double quotes — 'admin' or "admin"
- Numbers: integers and decimals — 900, 3.14
- Booleans: true, false
Use parentheses to control evaluation order: (user.role == 'admin' || user.role == 'manager') && context.time > 900.
3. Use auto-completion
The editor offers context-aware auto-completion as you type. Press Ctrl+Space (or Cmd+Space on macOS) to trigger suggestions manually.
Field completion: Type a context object name (such as user) followed by . — the editor suggests available fields from your policy vocabulary. Select a suggestion to insert the full field path.
Operator completion: After typing a field reference, press Space — the editor suggests comparison operators. After an expression, it also suggests logical operators (&&, ||).
Constant completion: Type t or f to see true and false suggestions.
Snippet templates: The editor offers pre-built expression templates:
| Snippet | Inserts |
|---|---|
| Comparison | field == 'value' with tab stops |
| Logical AND | condition1 && condition2 with tab stops |
| Logical OR | condition1 \|\| condition2 with tab stops |
| Parentheses | (expression) with tab stop |
| Complex condition | Multi-clause expression template |
Select a snippet and press Tab to move between placeholder positions.
4. Use the operator toolbar
Below the editor, the operator toolbar provides buttons for every operator. Click a button to insert the operator at the cursor position with surrounding spaces.
Available buttons: ==, !=, >, <, >=, <=, &&, ||, !, contains.
Hover over a button to see a tooltip with the operator's documentation.
5. Browse available fields
The Fields panel displays all vocabulary fields organized by category (such as user, resource, context). Each entry shows:
- Field name
- Description
- Data type
Click a field to insert its full path into the editor at the cursor position. Use this panel to discover which fields are available in your vocabulary without memorizing paths.
6. Insert example expressions
The Examples panel provides pre-written expression templates for common patterns:
| Example | Expression |
|---|---|
| User role check | user.role == 'Admin' |
| Department access | resource.department == user.department |
| Time-based access | context.time >= 900 && context.time <= 1700 |
| Complex condition | Multi-condition expression with AND/OR |
Click an example to insert it into the editor. Use these as starting points and modify them for your use case.
7. Validate expressions
The editor validates your expression in real time as you type. Validation checks for:
| Check | Error Example |
|---|---|
| Mismatched parentheses | (user.role == 'admin' — missing closing ) |
| Unknown fields | usr.role == 'admin' — usr is not a recognized object |
| Incomplete expressions | user.role — field reference without an operator |
| Invalid operators | user.role === 'admin' — === is not valid |
| Unclosed quotes | user.role == 'admin — missing closing quote |
Errors appear as underlines in the editor with an error icon in the margin. The status bar below the editor shows the validation state and lists all errors.
Quick fixes: For unknown field errors, the editor suggests similar field names. Click the lightbulb icon next to the error to see suggestions and apply a fix.
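To run the same five checks outside the console, for example when reviewing policy expressions kept in version control, the sketch below reproduces them in Python. It is an added example, not the Admin Console's validator: the VOCAB contents, the error wording, and the rule that only boolean fields may appear without a comparison are assumptions.

```python
import re

# Assumed vocabulary (field path -> data type), constructed for illustration;
# in the product it comes from the configured policy vocabulary.
VOCAB = {"user.role": "string", "user.department": "string",
         "context.time": "number", "resource.isArchived": "boolean"}
OPS = {**dict.fromkeys(("==", "!=", ">", "<", ">=", "<=", "contains"), "cmp"),
       "&&": "logic", "||": "logic", "!": "not"}
# Any other run of punctuation falls into <op> and is reported as invalid.
TOKEN = re.compile(r"""(?P<str>'[^']*'|"[^"]*") | (?P<badstr>['"].*)
    | (?P<num>\d+(?:\.\d+)?) | (?P<op>[=!<>]=*|&+|\|+|[^\s\w'"()])
    | (?P<word>[A-Za-z_][\w.]*) | (?P<paren>[()])""", re.X)

def validate(expr):
    """Return a list of error strings; an empty list means every check passed."""
    errors, toks, depth = [], [], 0
    for m in TOKEN.finditer(expr):
        kind, text = m.lastgroup, m.group()
        if kind == "badstr":
            errors.append("unclosed quote")
        elif kind == "paren":
            depth += 1 if text == "(" else -1
            if depth < 0:                      # ")" with no matching "("
                errors.append("mismatched parentheses")
                depth = 0
            kind = text
        elif kind == "op" or text == "contains":
            if text not in OPS:
                errors.append(f"invalid operator {text!r}")
            kind = OPS.get(text, "cmp")        # treat as comparison to avoid cascades
        elif kind == "word" and text not in ("true", "false"):
            if text not in VOCAB:
                errors.append(f"unknown field {text!r}")
            kind = "field"
        toks.append((kind, text))
    if depth:
        errors.append("mismatched parentheses")
    kinds = [None] + [k for k, _ in toks] + [None]
    for i, (kind, text) in enumerate(toks, start=1):
        prev, nxt = kinds[i - 1], kinds[i + 1]
        # Assumption: only boolean fields may stand alone (e.g. !resource.isArchived).
        bare = kind == "field" and "cmp" not in (prev, nxt)
        if bare and VOCAB.get(text, "boolean") != "boolean":
            errors.append(f"incomplete expression: {text} has no operator")
        if kind in ("cmp", "logic") and (
                prev in (None, "logic", "(", "cmp", "not")
                or nxt in (None, "logic", ")", "cmp")):
            errors.append(f"incomplete expression around {text!r}")
    return errors
```

An empty list only means the expression is well-formed against the assumed vocabulary; it says nothing about whether the policy grants more access than intended.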
8. Format the expression
Click Format in the editor toolbar to normalize spacing in your expression. The formatter:
- Adds spaces around operators
- Removes extra whitespace
- Trims leading and trailing spaces
Use Copy to copy the expression to your clipboard, and Clear to empty the editor.
9. Complete the worked example
Combine the steps above to write the worked example expression:
user.role == 'manager' && user.department == 'engineering' && context.time >= 900 && context.time <= 1700
Verify that the status bar shows the expression as valid, then click Create to save the policy.
Validation Scenario
Scenario
You create an ABAC policy with an FQL expression that checks user.role == 'editor' and verify the expression validates and saves.
Expected Result
- The expression shows no validation errors in the editor
- The policy is created and appears in the policy list with type ABAC
- Opening the policy for editing shows the saved expression in the FQL editor
How to Verify
- UI evidence: Navigate to Authorization Policies, find the policy, click its name. Enable Expression Mode (Advanced) and verify the expression text matches
- Logs: Check the browser network tab for a successful create/update response
- Audit evidence: Review the audit log for the policy creation event
Troubleshooting
- No auto-completion suggestions appear — Ensure policy vocabulary is configured. The editor requires vocabulary data for field suggestions. Check the status bar for "No vocabulary available" warnings.
- "Unknown vocabulary" validation error — The field path does not match any configured vocabulary item. Check the Fields panel for the correct path, or look for a quick-fix suggestion from the lightbulb icon.
- "Mismatched parentheses" error — Count your opening and closing parentheses. Each ( must have a matching ).
- Expression Mode toggle is not visible — The FQL editor is available for ABAC and RADAC policy types. Other policy types (RBAC, ReBAC, PBAC) use their own configuration interfaces.
- Format button has no visible effect — The expression is already normalized. Formatting only changes spacing — it does not alter the expression logic.
Next Steps
If you prefer building conditions visually instead of writing expressions, see GUI-Based Policy Authoring for the Expression Builder workflow.
Related Docs
Policy Management
Complete policy CRUD operations in the Admin Console.
GUI-Based Policy Authoring
Visual Expression Builder for drag-and-drop condition building.
Policy Authoring with DSL
FQL expression syntax, patterns, and writing strategies.
Attribute Management
Configure the policy vocabulary that powers editor auto-completion.