Skip to main content

Policy Service

The policy resource contains all your companys security policies


The Policy REST API is a full CRUD API allowing you to search and filter policies as well as create, update and delete them. It is accessed through the following URL:

The API consists of the following calls:

GETGet the build information for this service
GET{release}v1List all security policies
GET{release}/{key}v1/TESTRetrieve a single policy using its unique id
POST{release}v1Create or update a policy, the policy is the body of the POST request
DELETE{release}/{key}v1/TESTDelete a policy


Policy Entity

The policy entity contains the following information:

_idStringThe unique identifier for this policy
_typeStringThe type of the policy - always Policy
categoryStringAn optional category used for filtering policies
descriptionStringA description of what this policy does
sourceStringThe source of data that this policy covers
serviceStringThe name of the service providing the data for this policy (can be * for all services)
conditionStringAn optional condition defining the subset of data that this policy covers
actionsArrayA list of actions this policy covers (create, read, update, delete, run)
membersArrayA list of user emails or security group id's that this policy is attributed to (can be * for all members)
denyBooleanTrue if this is a denial policy, false for an allow policy
enabledBooleanA flag indicating if this policy is to be used or not

Notes on policy properties

  • Source

    Source is usually private or custom MongoDB collections

  • Condition

    This is a logical condition used to filter documents in the service. It is the same as a where condition in ODSL and can include and and or operators.

  • Actions

    These are the actions that the policy applies to:

    • Create - the members are allowed to create new resources
    • Update - the members are allowed to update existing resources
    • Read - the members are allowed to read resources
    • Delete - the members are allowed to delete resources
    • run - this is applicable only to report and process services where the members are allowed to run the resource
  • Members

    This is a list of user email addresses or AAD security group id's that users are assigned to

  • Deny

    Setting deny to true explicitly denies access to the resources secured by this policy

  • Enabled

    This is a true/false flag that makes this security policy active or inactive

Policy Examples

Below are some examples of security policies:

Allow reading reports from the Examples category

"_id": "ReadExampleReports",
"_type": "Policy",
"category": "TeamUsers",
"description": "Read access to reports in the Examples category",
"source": "private",
"service": "report",
"condition": "category = 'Examples'",
"deny": false,
"actions": [
"members": [
"enabled": true,

Allow read access to objects with a property source set to NCDEX

"_id": "ReadAllNCDEXData",
"_type": "Policy",
"category": "TeamUsers",
"description": "Read all data from source NCDEX",
"source": "private",
"service": "object",
"condition": "source = 'NCDEX'",
"deny": false,
"actions": [
"members": [
"enabled": true

Further Information

For full details on policies and how to manage them, see Policies in ODSL