Custom Properties

Most of the examples in the documentation focus on the id and roles that belong to principals; this is how you get Role-Based Access Control, which is a common feature request in business software.

Example: doctor discount

But some situations call for privileges to be based on other characteristics besides roles and id. For example, how could you use SGL to authorize doctors to receive a discount on insurance if they have more than 20 years of experience, and if they are a fellow of the American Academy of Family Physicians (possess the FAAFP certification)?

The answer is that principal objects can have as many additional properties as are useful in a particular system. For example:

{ 
  "id": "Prabhakar Ro", 
  "years_exp": 27, 
  "certifications": ["ABPP", "MCHES", "CHSE", "FAAFP"]
}

And rule objects can then reference these properties in exactly the same way that they reference id and roles:

{ 
    "grant": "insurance-discount",
    "when": {
        "any": [
            {"years_exp": 20, "op": ">"},
            {"certifications": "FAAFP"}
        ]
    }
}

Operators

Did you raise your eyebrows at the claim that this is “exactly the same” way that id and roles work? Was that because the op in the years_exp condition?

The fact is, each type of condition has an op field, but usually it is omitted because its default value is correct. But other operators are possible: