Skip to main content
Version: 3.102.8

AuthZEN Fine-Grained Authorization

cidaas provides fine-grained authorization beyond OAuth2 scopes and group/role restrictions through the OpenID AuthZEN standard. AuthZEN separates policy administration from policy decision and supports attribute-based policies (Rego/OPA), external data via Policy Information Points (PIP), and Relationship-Based Access Control (ReBAC).

Architecture

ComponentServiceResponsibility
Policy Managementpolicy-management-srvCreate and manage Rego policies, PIP data sources, AuthZEN entities, versions, export/import bundles, and ReBAC administration (schema, tuples, catalog)
Policy Decision Point (PDP)policy-decision-srvEvaluate access requests, run batch evaluations, search subjects/resources/actions, expose AuthZEN discovery
ReBAC runtimerebac-srvDecision-time ReBAC permission checks and lookups used by PDP rebac.* Rego builtins
ReBAC storeRelation StoreStores relationship tuples and schema; optional per-tenant configuration

How It Fits With Permission Management

AuthZEN complements the mechanisms described in Permission Management:

MechanismUse case
ScopesCoarse-grained client permissions on APIs
Groups & rolesUser membership and login-time token claims
AuthZEN policiesFine-grained, context-aware authorization (ABAC) at runtime
ReBACGraph-based permissions (owner, editor, viewer, group membership)

Typical flow:

  1. Authenticate the user or service and obtain an access_token.
  2. Call the PDP evaluation API with subject, resource, action, and optional context.
  3. Use the decision boolean to allow or deny the operation in your application.

Required Scopes and Roles

Administrative APIs require OAuth2 scopes and CIDAAS_ADMINS group roles.

ScopePurpose
cidaas:authzen_evaluateEvaluate access and run PDP search APIs
cidaas:authzen_readRead policies, entities, data sources, ReBAC
cidaas:authzen_writeCreate and update AuthZEN resources
cidaas:authzen_deleteDelete AuthZEN resources
cidaas:authzen_rebac_readRead ReBAC schema and relationships
cidaas:authzen_rebac_writeWrite ReBAC schema and relationships
cidaas:resource_exportExport configuration bundles
cidaas:resource_importImport configuration bundles

Eligible roles in the CIDAAS_ADMINS group include ADMIN, SECONDARY_ADMIN, AUTHZEN_MANAGER, POLICY_READ, POLICY_CREATE, and POLICY_DELETE.

Evaluation and search APIs on policy-decision-srv require a valid bearer token with cidaas:authzen_evaluate.

Documentation

TopicDescription
Policy ManagementPolicies, entities, data sources, validation, versions, export/import
Access EvaluationRuntime PDP evaluation, search, cache invalidation
ReBACReBAC schema, relationship tuples, Rego integration

OpenAPI References

APIOpenAPI
Policy Managementpolicy-management
Policy Decision (PDP)policy-decision
ReBAC (runtime)rebac

Quick Start

  1. Create a Rego policy via POST /policy-management-srv/admin/policies.
  2. Evaluate access with subject, resource, and action.

Policy Management

The policy-management-srv is the administrative API for AuthZEN authorization in cidaas. It stores Rego policies, PIP configuration, semantic versions, and ReBAC administration data.

Policies

Policies are written in Rego (Open Policy Agent) and must use package authzen. The evaluator looks for rules that set allow (or equivalent decision logic).

Policy structure


package authzen

default allow := false

allow if {

input.subject.properties.roles[_] == "admin"

input.action.name == "read"
}

The evaluation input object contains:

FieldDescription
subjectRequesting entity (id, type, properties)
resourceTarget resource (id, type, properties)
actionRequested action (name, properties)
contextAdditional context; PIP data appears under context.pip

Create a policy

APIDescriptionLink
Create policyStore a new Rego policyView API
List policiesList all tenant policiesView API
Get policyFetch policy by ID; optional version queryView API
Update policyReplace policy script and metadataView API
Delete policySoft-delete policy and versionsView API

Example: create policy


curl -X POST 'https://{host}/policy-management-srv/admin/policies' \
-H 'access_token: {token}' \
-H 'Content-Type: application/json' \
-d '{
"name": "DocumentReadPolicy",
"script": "package authzen\n\ndefault allow := false\n\nallow if {\n input.action.name == \"read\"\n input.resource.properties.owner_id == input.subject.id\n}\n",
"language": "rego"
}'

Policy Validation

Before deploying changes, validate the full bundle or a proposed dry-run set.

APIDescriptionLink
Validate all policiesAsync compile/validate of current bundleView API
Dry-runValidate proposed policy changes without savingView API
Profile bundleProfile evaluation against a sample requestView API
SSE streamReceive validation progress eventsView API

Async endpoints return a task with ref. Connect to GET /policy-management-srv/sse/{ref} to receive PENDING, SUCCESS, or FAILURE events.

Data Sources (PIP)

PIP (Policy Information Point) data sources fetch external attributes during evaluation. Discovery data sources provide URLs for entity lookup.

FieldPIPDiscovery
typePIPDiscovery
keyRequired unique PIP key
communicationEPHTTP endpoint URLDiscovery URL
apiAccessCredential setup (required)Credential setup (required)
matchingCriteriaSubject/resource/action type filters (* = all)
APIDescriptionLink
Create data sourceRegister PIP or Discovery endpointView API
List data sourcesOptional type filterView API
Get / update / deleteCRUD by IDView API

PIP data is available in Rego as input.context.pip.{key}.*.

Versions

Semantic versions track policy and ReBAC script history.

APIDescriptionLink
Create versionNew version for a policy or ReBAC artifactView API
Get version by IDFetch version documentView API
Get version by policyGET .../versions/{policyId}/{version}View API

Supported type values: POLICY, REBAC_SCHEMA, REBAC_RELATIONSHIP_TUPLE, REBAC_CAVEAT_PARAM.

Resource Export and Import

Move AuthZEN configuration between environments using cidaas-resource-bundle documents.

KindDescription
cidaas.authzen.policyRego policies
cidaas.authzen.datasourcePIP and Discovery sources
cidaas.authzen.entityAuthZEN subject, resource, and action entities
cidaas.authzen.rebac.schemaVersioned ReBAC schema catalog entries
cidaas.authzen.rebac.relationship_tupleVersioned relationship tuple catalog entries
cidaas.authzen.rebac.caveat_paramVersioned caveat parameter catalog entries
APIDescriptionLink
ExportJSON or ZIP (format=zip); query kinds, includeDeleted, includeSecretsView API
Import previewDetect conflicts; returns importSessionIdView API
Import applyResolve conflicts and apply bundleView API

Conflict resolutions: SKIP, KEEP_EXISTING, REPLACE, REPLACE_ALL.

AuthZEN Entities

Register subject, resource, and action entities used by PDP search APIs and entity discovery.

APIDescriptionLink
Create entityRegister a subject, resource, or actionView API
List entitiesList by entityType query (subject, resource, action)View API
Get / update / deleteCRUD by IDView API
Entity discoveryPaginated discovery at GET /policy-management-srv/authzen/entity/discoveryView API

Evaluation Audit

Query policy evaluation audit history stored by policy-management-srv.

APIDescriptionLink
Count auditsCount evaluations in a time windowView API
List auditsPaginated audit records with request/response payloadsView API

Webhooks and Activity

Policy create, update, and delete operations emit facts (AUTHZEN_POLICY_CREATED, AUTHZEN_POLICY_UPDATED, AUTHZEN_POLICY_DELETED) for activity streams and webhook integration.

Evaluation Audit

Every access evaluation performed by the PDP is recorded as an audit entry, capturing the original request(s) and the returned decision(s). Use these admin APIs to review or report on authorization activity.

APIDescriptionLink
Count auditsNumber of audit entries in a time rangeView API
List auditsAudit entries (newest first) with request and decisionView API

Both require a time range with from (required) and optional to (RFC 3339; defaults to now). Each audit entry contains evaluatedTime, tenantKey, refNumber, the request/response arrays, and evaluationCount (a single entry covers a whole batch request). Paginate the list by passing the response nextTime as the to of the next request. These read APIs require cidaas:authzen_read or cidaas:authzen_management.

Access Evaluation (Policy Decision Point)

The policy-decision-srv is the AuthZEN Policy Decision Point (PDP). It evaluates Rego policies from policy-management-srv, merges PIP data from configured data sources, and exposes AuthZEN-standard evaluation and search APIs.

OpenAPI: policy-decision.

Discovery

Discover PDP endpoints via the AuthZEN configuration document:

APIDescriptionLink
AuthZEN configurationWell-known PDP metadataView API

GET /policy-decision-srv/.well-known/authzen-configuration returns:

  • policy_decision_point
  • access_evaluation_endpoint
  • access_evaluations_endpoint
  • search_subject_endpoint, search_resource_endpoint, search_action_endpoint

Evaluation Workflow

Step 1: Ensure policies are current

The PDP caches compiled policy evaluators, PIP data, and discovery data per tenant. After a policy change you have three options:

ApproachAPIWhen to use
Invalidate immediatelyPOST /access/v1/cache/invalidateApply policy changes right away; the next evaluation reloads the latest bundle
Reload policiesPOST /access/v1/policies/reloadForce a re-fetch and rebuild of the evaluator cache
Wait for the cache TTLIf you do nothing, cached entries expire automatically and policies refresh on the next evaluation

Both operations accept an optional tenant_key body; when omitted, the tenant is resolved from the request token. They require cidaas:authzen_evaluate or cidaas:authzen_management.

Step 2: Single evaluation

APIDescriptionLink
Evaluate accessSingle subject–action–resource decisionView API

Request:


{
"subject": {
"id": "user-123",
"type": "user",
"properties": {
"roles": ["admin"]
}
},
"resource": {
"id": "doc-456",
"type": "document",
"properties": {
"owner_id": "user-123"
}
},
"action": {
"name": "read"
},
"context": {}
}

Response:


{
"decision": true,
"context": {
"reason": "Policy evaluation completed"
}
}

Unlike policy-management admin APIs, evaluation responses follow the AuthZEN specification directly (no success wrapper).

Step 3: Batch evaluation

APIDescriptionLink
Batch evaluateMultiple decisions in one requestView API

Use options.evaluations_semantic to control evaluation order:

ValueBehaviour
execute_allEvaluate all requests (default)
deny_on_first_denyStop at first decision: false
permit_on_first_permitStop at first decision: true

Parent-level subject, resource, action, and context are inherited by each item in evaluations unless overridden per item.

Search APIs

Search endpoints return candidate subjects, resources, or actions that match policy criteria. The PDP fetches the candidate pool from the Discovery data sources configured in policy-management-srv (see Data Sources), then evaluates each candidate against the fixed parts of the request before returning the matches. Configure at least one Discovery data source for the relevant entity type, otherwise search returns no candidates. Results support pagination.

APIDescriptionLink
Search subjectsWho can perform action on resourceView API
Search resourcesWhich resources match criteriaView API
Search actionsWhich actions are permittedView API

Pagination uses page.token and page.limit. Responses include page.next_token and results.

PIP Data in Evaluation

When PIP data sources are configured in policy-management-srv, the PDP fetches matching endpoints and injects data into input.context.pip before Rego evaluation.

Example Rego using PIP:


package authzen

default allow := false

allow if {
input.context.pip.my_pip_key.data.customFields.account_id in input.context.pip.my_pip_key.data.customFields.consent_accounts
}

Authentication

All PDP endpoints require a valid bearer token (access_token header or Authorization: Bearer). The token must include cidaas:authzen_evaluate.

  • ReBAC — graph-based permissions in Rego
warning
Need Support?

Please contact us on our support page or reach out to cidaas support at [email protected].