Skip to content
JITSudo Docs

Evaluate policies for a hypothetical request

POST
/v1/policies/evaluate
 
curl --request POST \
  --url https://example.com/v1/policies/evaluate \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-Tenant-ID: 2489E9AD-2EE2-8E00-8EC9-32D5F69181C0' \
  --data '{ "principal": "example", "groups": [ "example" ], "resource": "example", "action": "example" }'

Authorizations

Section titled “Authorizations ”

Parameters

Section titled “ Parameters ”

Header Parameters

Section titled “Header Parameters ”
X-Tenant-ID
required
string format: uuid

Tenant identifier. Must match the tenant associated with the credential. Returns 403 tenant_mismatch if the credential and header belong to different tenants.

Request Body required

Section titled “Request Body required ”
Media type application/json
object
principal
required

User identifier (e.g. email or UUID) to test as.

string
groups

Groups the principal belongs to (e.g. [“sre”, “engineering”]).

Array<string>
resource
required

Resource in type:id format (e.g. aws_permission_set:arn:aws:sso:::permissionSet/ssoins-001/ps-admin).

string
action
required

Action to test (e.g. assume, read, write, admin).

string
Example generated
{
  "principal": "example",
  "groups": [
    "example"
  ],
  "resource": "example",
  "action": "example"
}

Responses

Section titled “ Responses ”

200

Section titled “200 ”

Evaluation result

Media type application/json
object
permitted
required
boolean
matching_policy_ids

IDs of policies that contributed to the decision.

Array<string>
reason
required

Human-readable explanation of the decision.

string
notices

Policy notices from Cedar evaluation.

Array<string>
Example generated
{
  "permitted": true,
  "matching_policy_ids": [
    "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0"
  ],
  "reason": "example",
  "notices": [
    "example"
  ]
}

400

Section titled “400 ”

Invalid input

Media type application/json
object
code
required

Machine-readable error code (e.g. “not_found”, “tenant_mismatch”).

string
message
required

Human-readable description of the error.

string
details

Optional additional context about the error.

object
key
additional properties
any
notices

Policy notices from determining Cedar rules, if applicable.

Array<string>
Example generated
{
  "code": "example",
  "message": "example",
  "details": {},
  "notices": [
    "example"
  ]
}

401

Section titled “401 ”

Unauthenticated

Media type application/json
object
code
required

Machine-readable error code (e.g. “not_found”, “tenant_mismatch”).

string
message
required

Human-readable description of the error.

string
details

Optional additional context about the error.

object
key
additional properties
any
notices

Policy notices from determining Cedar rules, if applicable.

Array<string>
Example generated
{
  "code": "example",
  "message": "example",
  "details": {},
  "notices": [
    "example"
  ]
}

403

Section titled “403 ”

Forbidden

Media type application/json
object
code
required

Machine-readable error code (e.g. “not_found”, “tenant_mismatch”).

string
message
required

Human-readable description of the error.

string
details

Optional additional context about the error.

object
key
additional properties
any
notices

Policy notices from determining Cedar rules, if applicable.

Array<string>
Example generated
{
  "code": "example",
  "message": "example",
  "details": {},
  "notices": [
    "example"
  ]
}