Policy Service

The Policy Service is the unified Policy Decision Point (PDP) for the Citadel platform. It provides a single API endpoint for all authorization decisions, abstracting over Relationship-Based Access Control (ReBAC) and Attribute-Based Access Control (ABAC).

Overview

In a distributed system, authorization logic is often scattered across multiple services. The Policy Service centralizes this by:

  1. Providing a single /authorize endpoint.
  2. Consulting the Permissions Service for relationship-based checks (SpiceDB).
  3. Evaluating Cedar policies for attribute-based logic.
  4. Combining results based on configurable strategies (e.g., RBAC-first, AND, OR).

Key Features

  • Unified Authorization: One API call handles both roles and complex conditions.
  • Cedar Engine: Uses the high-performance AWS Cedar policy language.
  • Policy Management: CRUD APIs for dynamic policy updates without redeploying services.
  • Simulation: Test policies against sample data before enforcement.
  • Multi-Tenancy: Automatically isolates policies by tenant using X-Enriched-Tenant-ID.

Technology Stack

  • Go: High-performance backend service.
  • Cedar: Safe and expressive policy language.
  • PostgreSQL: Stores persistent policy definitions.

Authoring Policies

Policies are written in Cedar. A typical policy looks like this:

permit (
    principal,
    action == Action::"view",
    resource
)
when {
    resource.owner == principal ||
    principal.role == "admin"
};

For more details on writing policies, see the Policy Authoring Guide.

Integration

Services should use the /authorize endpoint to check permissions.

Example Request:

{
    "principal": "user:alice",
    "action": "view",
    "resource": "document:123",
    "context": {
        "time": "2023-10-27T10:00:00Z",
        "ip": "192.168.1.1"
    }
}
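As an added illustration (not the Policy Service's own code), the Go sketch below shows how a PDP can combine the ReBAC result from the Permissions Service with the Cedar result under the strategies named in the Overview, failing closed whenever a backend is unavailable or a strategy name is mistyped. The Decision type, the AuthorizeRequest struct and the exact strategy semantics are assumptions made for this example, not the real API.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Decision is the outcome of one check (ReBAC lookup or Cedar evaluation).
// Unknown models an errored or unanswered check so the combiner can fail closed.
type Decision int

const (
	Deny Decision = iota
	Allow
	Unknown
)

// AuthorizeRequest mirrors the /authorize request body shown above.
type AuthorizeRequest struct {
	Principal string            `json:"principal"`
	Action    string            `json:"action"`
	Resource  string            `json:"resource"`
	Context   map[string]string `json:"context,omitempty"`
}

// Combine merges both results under a named strategy. Semantics are assumed:
// "and" needs both to allow, "or" needs either, "rbac-first" lets a definite
// ReBAC answer win and consults Cedar only when ReBAC is Unknown. Unknown never
// counts as Allow, and an unrecognised strategy denies, so misconfiguration cannot widen access.
func Combine(strategy string, rebac, cedar Decision) bool {
	switch strategy {
	case "and":
		return rebac == Allow && cedar == Allow
	case "or":
		return rebac == Allow || cedar == Allow
	case "rbac-first":
		if rebac != Unknown {
			return rebac == Allow
		}
		return cedar == Allow
	}
	return false
}

func main() {
	req := AuthorizeRequest{Principal: "user:alice", Action: "view", Resource: "document:123",
		Context: map[string]string{"time": "2023-10-27T10:00:00Z", "ip": "192.168.1.1"}}
	body, _ := json.Marshal(req)
	fmt.Println(string(body), Combine("rbac-first", Unknown, Allow)) // prints the JSON body and true
}
```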