Resource Policy
Gateway prefix: ${API_BASE}/metadata/resource-policies/...
Resource policies configure access control for resources (entities/views/metrics), supporting:
- Object-level: who can perform which actions on a resource
- Column-level: field visibility/masking rules
- Row-level: row-level predicates (RLS)
Backend controller: ResourcePolicyController (/api/v1/resource-policies).
ResourceType
resourceType values (from enum ResourcePolicy.ResourceType):
entity: data entityview: viewmetric: metric
DTO (ResourcePolicyDto)
Main request/response fields:
id: policy ID (returned)resourceType:entity | view | metric, requiredresourceId: resource ID, requiredresourceName: resource name (redundant, for display)description: descriptionobjectLevelPolicy: JSON stringcolumnLevelPolicy: JSON stringrowLevelPolicy: JSON stringisActive: whether enabled (default true)priority: priority (smaller number means higher priority)tenantId: tenant ID (written/returned by server)
Create resource policy
- POST
/resource-policies - Permissions:
tenant:admin/admin - Header:
Authorization: Bearer <token>
Example (object-level + column-level + row-level):
curl -X POST \
"${API_BASE}/metadata/resource-policies" \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"resourceType": "entity",
"resourceId": "en_xxx",
"resourceName": "orders",
"description": "Orders access policy",
"priority": 100,
"isActive": true,
"objectLevelPolicy": "{\"admin\":[\"read\",\"write\"],\"user\":[\"read\"]}",
"columnLevelPolicy": "{\"user\":{\"allowedColumns\":[\"id\",\"order_date\",\"total_amount\"],\"maskingRules\":{\"customer_email\":{\"type\":\"PARTIAL_MASK\"}}}}",
"rowLevelPolicy": "{\"user\":{\"predicates\":[{\"field\":\"tenant_id\",\"op\":\"eq\",\"value\":\"${user.tenant_id}\"}]}}"
}'
Update / delete / get
- PUT
/resource-policies/{id}: update (permissionstenant:admin/admin) - DELETE
/resource-policies/{id}: delete (permissionstenant:admin/admin) - GET
/resource-policies/{id}: get by ID (permissionstenant:admin/admin)
Query by resource
- GET
/resource-policies/resource/{resourceType}/{resourceId}(permissionstenant:admin/admin)
Example:
curl -X GET \
"${API_BASE}/metadata/resource-policies/resource/entity/en_xxx" \
-H "Authorization: Bearer <token>"
Pagination / by type / search
- GET
/resource-policies?page=1&size=20&sortBy=priority&sortDirection=asc - GET
/resource-policies/by-type/{resourceType}?page=0&size=20&sortBy=priority&sortDirection=asc - GET
/resource-policies/search?keyword=order&page=1&size=20&sortBy=priority&sortDirection=asc
Principal permissions matrix (admin)
- GET
/resource-policies/principal-permissions?resourceType=<type>&action=<action>&userName=<userName>&page=1&size=20 - Permissions:
admin - Description: inspect a user’s permission matrix on a given resource type (for debugging)
Internal API: get active policies for a resource
- GET
/resource-policies/internal/active/{resourceType}/{resourceId} - Permissions:
tenant:admin/admin - Header:
X-Tenant-Id: <tenantId> - Description: internal API for other services to load effective policies (returns a single
ResourcePolicyDtoornull)