Version: 26.1

Policy insights

Policy insights allow you to review and validate the access permissions applicable to specific users, resources, or scenarios. They utilize the Contextual Authorization Query (CAQ) functionality of Access Decision Service (ADS) to identify the exact conditions required to reach a specific access decision, helping answer questions such as, "Which documents are accessible to Sales department employees?" or "Does Alice have access to confidential documents within the Sales department?".

Tip: Learn more about the CAQ functionality in the ADS documentation set.

Policy insights consist of two core components: templates and reports. This separation of definition and execution allows you to review access decisions without needing to rewrite the underlying policy logic.

  • Templates define a standardized access question with placeholders for runtime values.
  • Reports are generated by filling in those placeholders and executing the template.

Together, they enable you to repeatedly validate access decisions for specific users or resources without needing to understand or alter the underlying policy logic.

Scoping and template reusability

Policy insights are scoped at the project level, granting template authors access to attributes across all domains within the project. This multi-domain availability is designed to maximize template reusability across diverse environments, because authors can reference attributes either at the domain level or across the entire project.

Reports are executed against a specific environment, where each environment represents a CAQ runtime endpoint associated with a domain. The same template can back multiple reports targeting different environments, domains, and underlying policies.

For example, a template such as "Can USERNAME view DOCUMENT_TYPE?" can be reused across two distinct reports supported by different policies:

  • Report 1 (HR Policy): Can Alice (user.name = Alice) view salary reports (documentType = salary_report)?
  • Report 2 (Org Chart Policy): Can Maria (user.name = Maria) view organization charts (documentType = engineering_org_chart)?

Despite sharing the same template, query structure, and attributes, these reports utilize different input values, domains, and underlying policies.

Consequently, authors must design templates with enough versatility to serve the project’s scope while remaining mindful that any single report execution is restricted by the context of the domain of its target environment (CAQ endpoint). If a template references attributes from a domain that is not deployed in the target environment, the report result may be Invalid.

The available environments are determined by the endpoint configuration performed by your DevOps or platform administrator. Read the Remote endpoint management section for details.
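The scoping rule above can be checked before a report is run. The following is an added sketch, not product code and not the ADS or CAQ API: it models a template, binds the page's example values, and predicts an Invalid result when the target environment's domain lacks an attribute the template references. The endpoint names, the Finance domain, the attribute inventories, and the "Incomplete" and "Ready" labels are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Template:
    question: str       # e.g. "Can USERNAME view DOCUMENT_TYPE?"
    placeholders: dict  # placeholder -> attribute it is bound to at run time

@dataclass(frozen=True)
class Environment:
    name: str              # label for one CAQ endpoint (assumed naming)
    domain: str            # domain deployed behind that endpoint
    attributes: frozenset  # attributes that domain makes available

def preflight(template, env, values):
    """Predict a report's outcome before it is run against env.

    Returns (status, detail). "Invalid" mirrors the page's term; "Incomplete"
    and "Ready" are labels made up for this sketch.
    """
    unfilled = sorted(set(template.placeholders) - set(values))
    if unfilled:
        return "Incomplete", unfilled
    undeployed = sorted(a for a in template.placeholders.values()
                        if a not in env.attributes)
    if undeployed:
        return "Invalid", undeployed
    # Substitute in one pass, longest name first, so a filled-in value is
    # never re-scanned and USER cannot shadow USERNAME.
    names = sorted(template.placeholders, key=len, reverse=True)
    if not names:
        return "Ready", template.question
    pattern = re.compile("|".join(map(re.escape, names)))
    return "Ready", pattern.sub(lambda m: values[m.group()], template.question)

# Constructed sample data: the template and input values are the page's example;
# endpoint names and attribute inventories are invented.
TEMPLATE = Template("Can USERNAME view DOCUMENT_TYPE?",
                    {"USERNAME": "user.name", "DOCUMENT_TYPE": "documentType"})
HR = Environment("hr-endpoint", "HR", frozenset({"user.name", "documentType"}))
ORG = Environment("org-endpoint", "OrgChart", frozenset({"user.name", "documentType"}))
FIN = Environment("fin-endpoint", "Finance", frozenset({"user.name", "costCenter"}))
ALICE = {"USERNAME": "Alice", "DOCUMENT_TYPE": "salary_report"}
MARIA = {"USERNAME": "Maria", "DOCUMENT_TYPE": "engineering_org_chart"}

if __name__ == "__main__":
    for env, values in [(HR, ALICE), (ORG, MARIA), (FIN, ALICE), (HR, {"USERNAME": "Alice"})]:
        print(env.name, *preflight(TEMPLATE, env, values))
```

In an access review, the third case is the one to watch: an Invalid result reflects a template and environment mismatch, not an access decision about Alice.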

Accessing Policy insights

As with other areas within a project, accessing Policy insights requires the appropriate permissions. More specifically:

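| Action | Domain viewer | Project viewer | Project editor | Project admin |
|---|---|---|---|---|
| View templates | | ✔️ | ✔️ | ✔️ |
| Create, edit, delete templates | | | ✔️ | ✔️ |
| View reports | | ✔️ | ✔️ | ✔️ |
| Run reports | | | ✔️ | ✔️ |
| Export reports | | ✔️ | ✔️ | ✔️ |
| Create, edit, delete reports | | | ✔️ | ✔️ |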

Read the following sections to learn how to utilize templates and reports: