Skip to content

Policies

Policies are named authorization rules. Commands and queries reference them by name with authorize. Multiple policies on a single construct must all pass (AND semantics). Policies support role-based, claim-based, and fully custom logic.

policy <Name>
require authenticated
require role "<role>"
require claim "<claim>" matches <subject|value>
require role "<role>" or role "<role>"
require (role "<role>" and claim "<claim>" matches <value>)
csharp
```
<C# returning PolicyResult>
```
ConditionMeaning
authenticatedThe caller must be authenticated.
role "<role>"The caller must have the role.
claim "<claim>" matches subjectThe claim must match the subject of the current event source.
claim "<claim>" matches <value>The claim must match a specific value or expression.

Conditions combine with or and and, and parentheses group them. A condition may continue on the next line at deeper indentation.

policy IsAuthenticated
require authenticated
policy IsAccountant
require role "Accountant"
policy CanViewSensitiveFinancials
require role "FinanceDirector"
or role "Auditor"
policy IsCustomerSelf
require claim "customerId" matches subject
policy CanManageInvoice
require role "InvoiceManager"
or (role "Accountant" and claim "department" matches invoice.department)

When the declarative conditions cannot express the rule, drop into C#. The block must return a PolicyResult:

policy IsAdultCustomer
csharp
```
var dob = context.User.FindFirst("dateOfBirth")?.Value;
if (dob is null) return PolicyResult.Fail("Date of birth claim missing");
return DateTime.Parse(dob) <= DateTime.UtcNow.AddYears(-18)
? PolicyResult.Success()
: PolicyResult.Fail("Customer must be 18 or older");
```

See Commands and Queries for how policies are applied.