Permission Model Reference
Scope
This reference defines the data structures for permission evaluation requests and responses in the Authorization Decision Provider. It covers resource definitions, permission context attributes, and evaluation result types used when requesting authorization decisions.
Definitions
| Term | Description |
|---|---|
| Resource | A protected entity with a name and associated scopes |
| Scope | An action that can be performed on a resource (e.g., read, write, delete) |
| Permission Context | Additional attributes providing context for policy evaluation |
| Permission Response | The evaluation result for a single resource-scope combination |
| Evaluation Result | The overall authorization decision (GRANT, DENY, or ERROR) |
Allowed Values
Evaluation Result Types
| Value | Description |
|---|---|
| GRANT | Permission is granted for the requested resource and scope |
| DENY | Permission is denied for the requested resource and scope |
| ERROR | An error occurred during permission evaluation |
Request Structure
PermissionEvaluateRequest
The request payload for evaluating permissions.
| Field | Type | Required | Description |
|---|---|---|---|
| clientId | String | Yes | The client ID requesting the evaluation |
| resources | List<Resource> | Yes | List of resources with their scopes to evaluate |
| context | PermissionContext | Yes | Additional context for policy evaluation |
Resource
Defines a resource and its requested scopes.
| Field | Type | Required | Description |
|---|---|---|---|
| name | String | Yes | The name of the resource |
| scopes | Set<String> | Yes | Set of scopes to evaluate for the resource |
PermissionContext
Provides additional context for permission evaluation.
| Field | Type | Required | Description |
|---|---|---|---|
| attributes | PermissionContextAttributes | Yes | Object containing context attributes |
PermissionContextAttributes
Attributes providing evaluation context.
| Field | Type | Required | Description |
|---|---|---|---|
| body | String | Yes | Request body content as JSON string |
| headers | String | Yes | Request headers as JSON string |
| context | String | Yes | Additional contextual data as JSON string |
| method | String | Yes | HTTP method (GET, POST, PUT, DELETE) |
| path | String | Yes | Resource path being accessed |
| resource | String | Yes | Resource metadata as JSON string |
Response Structure
PermissionEvaluateResponse
The response payload containing evaluation results.
| Field | Type | Description |
|---|---|---|
| status | String | Overall evaluation result (GRANT, DENY, or ERROR) |
| permissions | Set<PermissionResponse> | Individual results for each resource-scope combination |
PermissionResponse
Result for a single permission evaluation.
| Field | Type | Description |
|---|---|---|
| permission | String | The resource name that was evaluated |
| status | Integer | Numeric status: 1 (GRANT), 2 (DENY), 3 (ERROR) |
Minimal Example
Request
    {
      "clientId": "web-application",
      "resources": [
        {
          "name": "documents",
          "scopes": ["read", "write"]
        }
      ],
      "context": {
        "attributes": {
          "body": "{}",
          "headers": "{\"authorization\":\"Bearer <token>\"}",
          "context": "{\"ip\":\"192.0.2.1\"}",
          "method": "GET",
          "path": "/api/documents",
          "resource": "{\"type\":\"document\",\"owner\":{\"id\":\"user_001\"}}"
        }
      }
    }
Response (Granted)
    {
      "status": "GRANT",
      "permissions": [
        {
          "permission": "documents",
          "status": 1
        }
      ]
    }
Invalid Example
Missing required clientId field:
    {
      "resources": [
        {
          "name": "documents",
          "scopes": ["read"]
        }
      ],
      "context": {
        "attributes": {}
      }
    }
Error Response:
    {
      "error": "Bad Request",
      "message": "clientId is required"
    }
Status Codes
| Code | Description |
|---|---|
| 200 | Request processed successfully |
| 400 | Invalid request payload or missing required fields |
| 401 | Client is not authenticated |
| 403 | Permission denied for all requested scopes |
Notes
- All context attribute fields accept JSON strings, not parsed JSON objects
- The `status` field in `PermissionResponse` uses numeric values (1, 2, 3), while the top-level `status` uses string values (`GRANT`, `DENY`, `ERROR`)
- Each resource-scope combination is evaluated independently
- The overall `status` reflects the aggregate result across all requested permissions
- An empty `resources` array, or empty `scopes` for a resource, results in a 400 Bad Request error
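A client-side helper, added here as example code that is not part of the Authorization Decision Provider or any SDK for it, which builds a `PermissionEvaluateRequest` with every context attribute JSON-encoded as a string, rejects locally the inputs the reference says produce a 400, and decodes a `PermissionEvaluateResponse` fail-closed. The function names and the consistency check that downgrades a top-level `GRANT` disagreeing with any per-resource result to `ERROR` are assumptions of this example, not documented provider behaviour.

```python
import json
from typing import Any, Dict, Optional, Set, Tuple

# Numeric PermissionResponse.status codes from the reference table.
STATUS_NAMES = {1: "GRANT", 2: "DENY", 3: "ERROR"}


def build_request(client_id: str, resources: Dict[str, Set[str]], *, method: str,
                  path: str, headers: Dict[str, Any], body: Any = None,
                  extra: Optional[Dict[str, Any]] = None,
                  resource_meta: Optional[Dict[str, Any]] = None) -> dict:
    """Build a PermissionEvaluateRequest; every context attribute is a JSON string."""
    if not client_id:
        raise ValueError("clientId is required")
    if not resources:  # the provider answers 400 for an empty resources array
        raise ValueError("resources must not be empty")
    res_list = []
    for name, scopes in resources.items():
        if not name or not scopes:  # the provider answers 400 for empty scopes
            raise ValueError(f"resource {name!r} needs at least one scope")
        res_list.append({"name": name, "scopes": sorted(scopes)})
    attrs = {
        "body": json.dumps(body if body is not None else {}),
        "headers": json.dumps(headers),
        "context": json.dumps(extra or {}),
        "method": method,
        "path": path,
        "resource": json.dumps(resource_meta or {}),
    }
    return {"clientId": client_id, "resources": res_list, "context": {"attributes": attrs}}


def parse_response(payload: dict) -> Tuple[str, Dict[str, str]]:
    """Decode a PermissionEvaluateResponse, failing closed on anything unexpected."""
    per_resource = {}
    for entry in payload.get("permissions", []):
        # Unknown or missing numeric codes are treated as ERROR, never as GRANT.
        per_resource[entry["permission"]] = STATUS_NAMES.get(entry.get("status"), "ERROR")
    overall = payload.get("status")
    if overall not in STATUS_NAMES.values():
        overall = "ERROR"
    # Client-side consistency check (assumption of this example): a top-level
    # GRANT that disagrees with any individual result is downgraded to ERROR.
    if overall == "GRANT" and any(v != "GRANT" for v in per_resource.values()):
        overall = "ERROR"
    return overall, per_resource
```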
Next Step
After understanding the permission model, implement authorization checks in your application using the Role & Authorization API.