Statement Elements

JSON policies are made up of elements that together determine who can do what with your application and under what conditions.

principal

Description: Should match the user of the current request by identifying a group they belong to or their user ID.
Special Values:
  • "*" (any user)
  • "authenticated" (any authenticated user)
  • "anonymous" (any non-authenticated user)
Type: Union[str, List[str]]
Formats:
  • Match by group with "group:{name}"
  • Match by ID with "id:{id}"
Examples:
  • ["group:admins", "id:9322"]
  • ["id:5352"]
  • ["anonymous"]
  • "*"

action

Description: The action or actions that the statement applies to. The value should match the name of a view set method or the name of the view function.

Alternatively, you can use placeholders to match the current request's HTTP method.
Type: Union[str, List[str]]
Special Values:
  • "*" (any action)
  • "<safe_methods>" (a read-only HTTP request: HEAD, GET, OPTIONS)
  • "<method:get|head|delete|put|patch|post>" (match a specific HTTP method)
Examples:
  • ["list", "destroy", "create"]
  • ["*"]
  • ["<safe_methods>"]
  • ["<method:post>"]

effect

Description: Whether the statement, if it is in effect, should allow or deny access. All access is denied by default, so use deny when you'd like to override an allow statement that will also be in effect.
Type: str
Values:
  • "allow"
  • "deny"

condition

Description: The name of a method on the policy that returns a boolean. If you want to pass a custom argument to the condition's method, format the value as {method_name}:{value}, e.g. user_must_be:owner will call a method named user_must_be, passing it the string "owner" as the final argument.

The method signature is condition(request, view, action: str, custom_arg: str=None). If it returns True, the statement will be in effect.

Useful for enforcing object-level permissions. If a list of conditions is given, all conditions must evaluate to True.
Type: Union[str, List[str]]
Examples:
  • "is_manager_of_account"
  • "is_author_of_post"
  • ["balance_is_positive", "account_is_not_frozen"]
  • "user_must_be:account_manager"
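The following is an added, self-contained illustration of how the four elements above combine when a statement list is evaluated: principal matching (including the "group:" and "id:" prefixes), action matching (including the "<safe_methods>" and "<method:…>" placeholders), deny-by-default with deny overriding allow, and condition lists that must all return True, with a custom argument passed as the final parameter. It is not the library's own implementation; the `Policy`, `User`, `Request`, `View` and `Account` classes, the `AccountAccessPolicy` statements and the `check` helper are all constructed here for the example.

```python
"""Added illustration of the statement semantics documented above (not library code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Union

SAFE_METHODS = {"HEAD", "GET", "OPTIONS"}


@dataclass
class User:                      # stand-in for the request's user (constructed)
    id: Optional[int] = None     # None means an anonymous (unauthenticated) user
    groups: List[str] = field(default_factory=list)

    @property
    def is_authenticated(self) -> bool:
        return self.id is not None


@dataclass
class Account:                   # stand-in for an object the view operates on (constructed)
    owner: int
    frozen: bool = False


@dataclass
class Request:                   # minimal request stand-in (constructed)
    user: User
    method: str


@dataclass
class View:                      # minimal view stand-in (constructed)
    account: Account


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


class Policy:
    statements: List[dict] = []

    def _principal_matches(self, principal, user: User) -> bool:
        for p in _as_list(principal):
            if p == "*":
                return True
            if p == "authenticated" and user.is_authenticated:
                return True
            if p == "anonymous" and not user.is_authenticated:
                return True
            if p.startswith("group:") and p[len("group:"):] in user.groups:
                return True
            if p.startswith("id:") and user.is_authenticated and p[len("id:"):] == str(user.id):
                return True
        return False

    def _action_matches(self, action_spec, action: str, method: str) -> bool:
        for a in _as_list(action_spec):
            if a == "*" or a == action:
                return True
            if a == "<safe_methods>" and method.upper() in SAFE_METHODS:
                return True
            if a.startswith("<method:") and a.endswith(">") and a[8:-1].upper() == method.upper():
                return True
        return False

    def _conditions_pass(self, condition_spec, request, view, action: str) -> bool:
        if condition_spec is None:
            return True
        for cond in _as_list(condition_spec):       # every listed condition must return True
            name, _, custom_arg = cond.partition(":")
            method = getattr(self, name)            # a misspelled condition raises, i.e. fails closed
            passed = method(request, view, action, custom_arg) if custom_arg else method(request, view, action)
            if not passed:
                return False
        return True

    def has_permission(self, request: Request, view: View, action: str) -> bool:
        allowed = False                             # nothing matched yet: access is denied by default
        for st in self.statements:
            if not self._principal_matches(st["principal"], request.user):
                continue
            if not self._action_matches(st["action"], action, request.method):
                continue
            if not self._conditions_pass(st.get("condition"), request, view, action):
                continue
            if st["effect"] == "deny":              # a deny that is in effect overrides any allow
                return False
            allowed = True
        return allowed


class AccountAccessPolicy(Policy):                  # constructed policy for the example
    statements = [
        {"action": ["<safe_methods>"], "principal": "authenticated", "effect": "allow"},
        {"action": ["destroy"], "principal": ["group:admins"], "effect": "allow"},
        {"action": ["destroy"], "principal": ["id:9322"], "effect": "deny"},
        {"action": ["update"], "principal": "authenticated", "effect": "allow",
         "condition": ["user_must_be:owner", "account_is_not_frozen"]},
    ]

    def user_must_be(self, request, view, action, field_name):   # "owner" arrives as field_name
        return getattr(view.account, field_name) == request.user.id

    def account_is_not_frozen(self, request, view, action):
        return not view.account.frozen


def check(user: User, method: str, action: str, account: Optional[Account] = None) -> bool:
    """Run one constructed request through AccountAccessPolicy and return the decision."""
    view = View(account if account is not None else Account(owner=0))
    return AccountAccessPolicy().has_permission(Request(user, method), view, action)
```

Running `check(User(id=9322, groups=["admins"]), "DELETE", "destroy")` returns False even though the admins group is allowed to destroy, because the "id:9322" deny statement is also in effect; `check(User(), "GET", "list")` returns False with no error, since no statement matches an anonymous user and the default is deny.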