# Partial evaluation - draft This API is designed as part of an access control and data filtering system to enforce user-specific access policies in a document management, data retrieval system or RAG for AI. Its primary purpose is to allow or restrict access to data based on predefined rules that specify which documents or records a user can access and under what conditions. Here’s a breakdown of how this API works and what it achieves: ## Decision-making for Access Control The API operates as a Policy Decision Point (PDP), which evaluates the user’s access rights against a policy and returns specific instructions to the Policy Enforcement Point (PEP). These instructions help determine whether a user is allowed to view or perform certain actions on documents or data entries. ## Data Filtering and Search Guidance The returned decision is not just a simple `allow` or `deny` response but includes detailed filtering conditions to help the enforcement point (PEP) apply granular access rules based on the user's attributes, such as ownership or department. For instance: - In the response, users who are either the document owner (e.g., `alice@the-smiths.com`) or are part of the `sales` department are permitted to `read` specific documents. ## Flexible and Dynamic Access Rules The filters in the response define conditional expressions (using logical operators like and and or) that allow complex access rules. For example, this response supports cases where access might be granted based on: - Ownership of the document by a specific user. - Membership in a particular department. ## Enhancing Search and Query Efficiency By including filter criteria directly in the PDP response, the API enables efficient filtering of data at the source. This way, only authorized records are retrieved and processed, which can improve performance in scenarios with large data volumes. ## Examples: User definition: ```json= { "CiRmZDQ2MTRkMy1jMzlhLTQ3ODEtYjdiZC04Yjk2ZjVhNTEwMGQSBWxvY2Fs": { "id": "alice@the-smiths.com", "name": "Alice Smith", "email": "alice@the-smiths.com", "department": "sales" } } ``` ### Use case 1 - **Natural language:** Users can read, edit, delete their own docs. - **Question:** Which documents can Alice read? - **Unknowns:** document identifiers #### Request ```json= { "subject": { "type": "user", "id": "alice@the-smiths.com" }, "action": "read", "context": {}, "resource": { "type": "docs" } } ``` #### Response ```json= { "decision":{ "partial": { "filter": { "or": [ { "and": [ { "owner": { "eq": "alice@the-smiths.com" } } ] } ] } } } } ``` #### Alternative ```json= { "decision": { "partial": [ { "filter": { "or": [ { "and": [ { "attribute": "owner", "op": "eq", "type": "string", "value": "alice@the-smiths.com" } ] } ] } } ] } } ``` #### Translation into a known query language - SQL ```sql= SELECT * FROM docs where owner = 'alice@the-smiths.com' ``` ### Use case 2 - **Natural language:** Users can read, edit, delete their own docs. - **Question:** Which actions on which docs can Alice perform? - **Unknowns:** document identifiers, action values #### Request ```json= { "subject": { "type": "user", "id": "alice@the-smiths.com" }, "context": {}, "resource": { "type": "docs" } } ``` #### Response ```json= { "decision": { "type": "docs", "partial": [ { "actions": [ "read", "edit", "delete" ], "filter": { "or": [ { "and": [ { "owner": { "eq": "alice@the-smiths.com" } } ] } ] } } ] } } ``` #### Translation into a known query language - SQL ```sql= SELECT * FROM docs where owner = 'alice@the-smiths.com' ``` ### **Use case 3.** - **Natural language policy:** Users can read their own docs and all docs from their department. - **Question:** What docs can Alice read? - **Unknowns:** document identifiers #### Request ```json= { "subject": { "type": "user", "id": "alice@the-smiths.com" }, "action":"read", "context": {}, "resource": { "type": "docs" } } ``` #### Response ```json= { "decision": { "type": "docs", "partial": { "action":"read", "filter": { "or": [ { "and": [ { "owner": { "eq": "alice@the-smiths.com" } } ] }, { "and": [ { "department": { "eq": "sales" } } ] } ] } } } } ``` #### Translation into a known query language - SQL ```sql= SELECT * FROM docs where owner = 'alice@the-smiths.com' OR department = 'sales' ``` ### Use case 4 - **Natural language:** Users can read, edit, delete their own docs. Edit , delete docs from their department only if the status of the doc is draft. - **Question:** What actions on what docs can Alice perform? - **Unknowns:** document identifiers, actions #### Request ```json= { "subject": { "type": "user", "id": "alice@the-smiths.com" }, "context": {}, "resource": { "type": "docs" } } ``` #### Response ```json= { "decision": [ { "type": "todo", "partial": [ { "actions": [ "read", "edit", "delete" ], "filter": { "or": [ { "and": [ { "owner": { "eq": "alice@the-smiths.com" } } ] } ] } }, { "actions": [ "edit", "delete" ], "filter": { "or": [ { "and": [ { "department": { "eq": "sales" } }, { "status": { "eq": "draft" } } ] } ] } }, { "actions": [ "read" ], "filter": { "or": [ { "and": [ { "department": { "eq": "sales" } } ] } ] } } ] } ] } ``` #### Translation into a known query language - SQL - For action read ```sql= SELECT * FROM docs where owner = 'alice@the-smiths.com' OR department = 'sales' ``` - For action edit and delete ```sql= SELECT * FROM docs where owner = 'alice@the-smiths.com' OR (department = 'sales' AND status = 'draft') ``` - Other option - aggregated per action: ```json= { "decision": [ { "type": "todo", "partial": [ { "action": "read", "filter": { "or": [ { "and": [ { "owner": { "eq": "alice@the-smiths.com" } } ] }, { "and": [ { "department": { "eq": "sales" } } ] } ] } }, { "action": "edit", "filter": { "or": [ { "and": [ { "department": { "eq": "sales" } }, { "status": { "eq": "draft" } } ] } ] } }, { "action": "delete", "filter": { "or": [ { "and": [ { "department": { "eq": "sales" } }, { "status": { "eq": "draft" } } ] } ] } } ] } ] } ``` ## Enumerator of the comparison operators. ``` EQ = 'eq' NE = 'ne' GT = 'gt' GTE = 'gte' LT = 'lt' LTE = 'lte' CONTAIN = 'contain' LIKE = 'like' IN = 'in' NIN = 'nin' SW = 'sw' EW = 'ew' ``` ## Enumerator of the operations. ``` AND = 'and' OR = 'or' NOT = 'not' ```