# Policies

Policies define permissions using AWS IAM-style syntax with `Action`, `Resource`, `Effect`, and `Condition`. Policies can be attached to groups or directly to users/service accounts.
## The Policy Object

```json
{
  "id": "pol-read-only",
  "name": "ReadOnlyAccess",
  "description": "Read-only access to all resources",
  "organization_id": "org-abc123xyz",
  "policy_type": "managed",
  "document": {
    "Version": "2023-10-01",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["*:Get", "*:List"],
        "Resource": "*"
      }
    ]
  },
  "created_at": "2025-09-30T10:00:00Z",
  "updated_at": "2025-09-30T10:00:00Z"
}
```
### Attributes

| Attribute | Type | Description |
|---|---|---|
| `id` | string | Unique identifier for the policy |
| `name` | string | Human-friendly policy name |
| `description` | string | Optional description |
| `organization_id` | string | Parent organization ID |
| `policy_type` | string | `managed` or `inline` |
| `document` | object | IAM-style policy document |
| `created_at` | string | ISO 8601 timestamp of creation |
| `updated_at` | string | ISO 8601 timestamp of last update |
## Policy Document Structure

```json
{
  "Version": "2023-10-01",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "accounts:GetAccount",
        "accounts:ListAccounts"
      ],
      "Resource": "rid:pdaas:organization:org-abc123xyz:account:*",
      "Condition": {
        "IpAddress": {
          "source_ip": ["203.0.113.0/24"]
        },
        "DateGreaterThan": {
          "current_date": "2025-01-01T00:00:00Z"
        }
      }
    }
  ]
}
```
### Statement Components

| Component | Required | Description |
|---|---|---|
| `Effect` | Yes | `Allow` or `Deny` |
| `Action` | Yes | Action name or list of actions (e.g., `accounts:GetAccount`, `*:List`) |
| `Resource` | Yes | RID pattern, or `*` for all resources |
| `Condition` | No | Conditions under which the statement applies |
### Supported Condition Operators

| Operator | Description | Example |
|---|---|---|
| `StringEquals` | Exact string match | `{"user_id": "user-123"}` |
| `StringLike` | Wildcard string match | `{"email": "*@acme.com"}` |
| `IpAddress` | IP address/CIDR match | `{"source_ip": ["203.0.113.0/24"]}` |
| `DateGreaterThan` | Date comparison | `{"current_date": "2025-01-01T00:00:00Z"}` |
| `DateLessThan` | Date comparison | `{"current_date": "2026-01-01T00:00:00Z"}` |
## List Policies

Retrieves a paginated list of policies.

```http
GET /policies
```

### Query Parameters

| Parameter | Type | Default | Description |
|---|---|---|---|
| `page` | integer | 1 | Page number |
| `quantity` | integer | 20 | Results per page (max: 100) |
| `order_by` | string | `-created_at` | Sort field |
| `policy_type` | string | - | Filter by type (`managed` or `inline`) |

### Example Request

```bash
curl "https://api.console.solucao42.com.br/policies?page=1" \
  -H "Authorization: HMAC sa_abc123_acc456_xyz:signature" \
  -H "x-date: 2025-09-30T12:00:00Z" \
  -H "x-nonce: unique-request-id" \
  -H "x-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
```

### Example Response

```json
{
  "total": 20,
  "page": 1,
  "results": [
    {
      "id": "pol-read-only",
      "name": "ReadOnlyAccess",
      "description": "Read-only access to all resources",
      "organization_id": "org-abc123xyz",
      "policy_type": "managed",
      "document": {
        "Version": "2023-10-01",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": ["*:Get", "*:List"],
            "Resource": "*"
          }
        ]
      },
      "created_at": "2025-09-30T10:00:00Z",
      "updated_at": "2025-09-30T10:00:00Z"
    }
  ]
}
```
## Get Policy

Retrieves a specific policy by ID.

```http
GET /policies/{id}
```

### Path Parameters

| Parameter | Type | Description |
|---|---|---|
| `id` | string | Policy ID |

### Example Request

```bash
curl https://api.console.solucao42.com.br/policies/pol-read-only \
  -H "Authorization: HMAC sa_abc123_acc456_xyz:signature" \
  -H "x-date: 2025-09-30T12:00:00Z" \
  -H "x-nonce: unique-request-id" \
  -H "x-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
```

### Example Response

```json
{
  "id": "pol-read-only",
  "name": "ReadOnlyAccess",
  "description": "Read-only access to all resources",
  "organization_id": "org-abc123xyz",
  "policy_type": "managed",
  "document": {
    "Version": "2023-10-01",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["*:Get", "*:List"],
        "Resource": "*"
      }
    ]
  },
  "created_at": "2025-09-30T10:00:00Z",
  "updated_at": "2025-09-30T10:00:00Z"
}
```
## Create Policy

Creates a new managed policy.

```http
POST /policies
```

### Request Body

```json
{
  "name": "DeveloperAccess",
  "description": "Developer permissions for non-production accounts",
  "document": {
    "Version": "2023-10-01",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "accounts:GetAccount",
          "accounts:ListAccounts",
          "service-accounts:ListServiceAccounts",
          "service-accounts:GetServiceAccount"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Deny",
        "Action": "accounts:DeleteAccount",
        "Resource": "*"
      }
    ]
  }
}
```

### Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| `name` | string | Yes | Policy name |
| `description` | string | No | Description |
| `document` | object | Yes | IAM policy document |

### Example Request

```bash
curl -X POST https://api.console.solucao42.com.br/policies \
  -H "Authorization: HMAC sa_abc123_acc456_xyz:signature" \
  -H "Content-Type: application/json" \
  -H "x-date: 2025-09-30T12:00:00Z" \
  -H "x-nonce: unique-request-id" \
  -H "x-content-sha256: <body-hash>" \
  -d '{
    "name": "DeveloperAccess",
    "description": "Developer permissions",
    "document": {
      "Version": "2023-10-01",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["*:Get", "*:List"],
          "Resource": "*"
        }
      ]
    }
  }'
```
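The `<body-hash>` placeholder in the request above is the value of the `x-content-sha256` header. The following is an added example, not client code from the service: it assumes the header carries the lowercase hex SHA-256 of the raw request body bytes, which is consistent with the GET and DELETE examples on this page, whose header value `e3b0c442...` is the SHA-256 of an empty body. How the `signature` part of the `Authorization: HMAC` header is derived is not described on this page and is not computed here.

```python
"""Compute the x-content-sha256 header for a request body (added example).

Assumption (not stated on the page): the header is the lowercase hex SHA-256
of the exact body bytes sent on the wire. The page's bodiless GET/DELETE
examples carry the SHA-256 of the empty string, which fits that reading.
"""
import hashlib
import json

# Value shown on the page for requests without a body; SHA-256("") in hex.
EMPTY_BODY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def content_sha256(body: bytes) -> str:
    """Hex SHA-256 over the body bytes; hash what you send, byte for byte."""
    return hashlib.sha256(body).hexdigest()


def serialize_body(obj) -> bytes:
    """Serialize once and reuse the same bytes for both the hash and the
    request; re-serializing with different whitespace or key order would
    produce a body that no longer matches the header."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


# Constructed request body mirroring the Create Policy example above.
CREATE_POLICY_BODY = {
    "name": "DeveloperAccess",
    "description": "Developer permissions",
    "document": {
        "Version": "2023-10-01",
        "Statement": [
            {"Effect": "Allow", "Action": ["*:Get", "*:List"], "Resource": "*"}
        ],
    },
}

if __name__ == "__main__":
    print(content_sha256(b""))  # same value as the page's GET/DELETE headers
    body = serialize_body(CREATE_POLICY_BODY)
    print(content_sha256(body))  # value to put in place of <body-hash>
```

Send `body` as the `-d` payload and the second hash as `x-content-sha256`; a server that checks the header will reject the request if the bytes differ from what was hashed.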
### Example Response

```json
{
  "id": "pol-developer",
  "name": "DeveloperAccess",
  "description": "Developer permissions",
  "organization_id": "org-abc123xyz",
  "policy_type": "managed",
  "document": {
    "Version": "2023-10-01",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["*:Get", "*:List"],
        "Resource": "*"
      }
    ]
  },
  "created_at": "2025-09-30T12:00:00Z",
  "updated_at": "2025-09-30T12:00:00Z"
}
```
## Update Policy

Updates an existing policy.

```http
PATCH /policies/{id}
```

### Path Parameters

| Parameter | Type | Description |
|---|---|---|
| `id` | string | Policy ID |

### Request Body

```json
{
  "description": "Updated description",
  "document": {
    "Version": "2023-10-01",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["*:Get", "*:List"],
        "Resource": "*"
      }
    ]
  }
}
```

### Example Request

```bash
curl -X PATCH https://api.console.solucao42.com.br/policies/pol-developer \
  -H "Authorization: HMAC sa_abc123_acc456_xyz:signature" \
  -H "Content-Type: application/json" \
  -H "x-date: 2025-09-30T12:00:00Z" \
  -H "x-nonce: unique-request-id" \
  -H "x-content-sha256: <body-hash>" \
  -d '{
    "description": "Updated developer permissions"
  }'
```

### Example Response

```json
{
  "id": "pol-developer",
  "name": "DeveloperAccess",
  "description": "Updated developer permissions",
  "organization_id": "org-abc123xyz",
  "policy_type": "managed",
  "document": {
    "Version": "2023-10-01",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["*:Get", "*:List"],
        "Resource": "*"
      }
    ]
  },
  "created_at": "2025-09-30T12:00:00Z",
  "updated_at": "2025-09-30T12:30:00Z"
}
```
## Delete Policy

Deletes a policy. The policy must not be attached to any groups or principals.

```http
DELETE /policies/{id}
```

### Path Parameters

| Parameter | Type | Description |
|---|---|---|
| `id` | string | Policy ID |

### Example Request

```bash
curl -X DELETE https://api.console.solucao42.com.br/policies/pol-old \
  -H "Authorization: HMAC sa_abc123_acc456_xyz:signature" \
  -H "x-date: 2025-09-30T12:00:00Z" \
  -H "x-nonce: unique-request-id" \
  -H "x-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
```

### Response

```http
204 No Content
```
## Policy Simulation

Tests whether a policy would allow or deny a specific action.

```http
POST /policies/simulate
```

### Request Body

```json
{
  "principal_type": "user",
  "principal_id": "user-john001",
  "account_id": "acc-prod001",
  "action": "accounts:DeleteAccount",
  "resource": "rid:pdaas:organization:org-abc123xyz:account:acc-prod001"
}
```

### Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| `principal_type` | string | Yes | `user` or `service_account` |
| `principal_id` | string | Yes | Principal ID |
| `account_id` | string | Yes | Account context |
| `action` | string | Yes | Action to test (e.g., `accounts:DeleteAccount`) |
| `resource` | string | Yes | Resource RID |

### Example Request

```bash
curl -X POST https://api.console.solucao42.com.br/policies/simulate \
  -H "Authorization: HMAC sa_abc123_acc456_xyz:signature" \
  -H "Content-Type: application/json" \
  -H "x-date: 2025-09-30T12:00:00Z" \
  -H "x-nonce: unique-request-id" \
  -H "x-content-sha256: <body-hash>" \
  -d '{
    "principal_type": "user",
    "principal_id": "user-john001",
    "account_id": "acc-prod001",
    "action": "accounts:DeleteAccount",
    "resource": "rid:pdaas:organization:org-abc123xyz:account:acc-prod001"
  }'
```

### Example Response

```json
{
  "decision": "deny",
  "matched_statements": [
    {
      "policy_id": "pol-developer",
      "statement_index": 1,
      "effect": "Deny",
      "reason": "Explicit deny for DeleteAccount action"
    }
  ],
  "evaluated_policies": ["pol-developer", "pol-read-only"]
}
```

### Response Fields

| Field | Type | Description |
|---|---|---|
| `decision` | string | `allow` or `deny` |
| `matched_statements` | array | Statements that matched the request |
| `evaluated_policies` | array | All policies evaluated |
## Response Codes

| Code | Description |
|---|---|
| 200 | Success |
| 201 | Created |
| 204 | No Content (delete successful) |
| 400 | Invalid request body or policy document |
| 401 | Authentication failed |
| 403 | Insufficient permissions |
| 404 | Policy not found |
| 409 | Policy is attached and cannot be deleted |
| 422 | Validation error |
## Permissions

### Required Permissions

| Action | Permission |
|---|---|
| List policies | `policies:ListPolicies` |
| Get policy | `policies:GetPolicy` |
| Create policy | `policies:CreatePolicy` |
| Update policy | `policies:UpdatePolicy` |
| Delete policy | `policies:DeletePolicy` |
| Simulate policy | `policies:SimulatePolicy` |
## Policy Examples

### Example 1: Full Admin Access

```json
{
  "Version": "2023-10-01",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```

### Example 2: Read-Only Access

```json
{
  "Version": "2023-10-01",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["*:Get", "*:List"],
      "Resource": "*"
    }
  ]
}
```

### Example 3: Account-Specific Access

```json
{
  "Version": "2023-10-01",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["accounts:*"],
      "Resource": "rid:pdaas:organization:org-abc123xyz:account:acc-prod001"
    }
  ]
}
```

### Example 4: Time-Based Access

```json
{
  "Version": "2023-10-01",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": {
          "current_date": "2025-09-30T09:00:00Z"
        },
        "DateLessThan": {
          "current_date": "2025-09-30T17:00:00Z"
        }
      }
    }
  ]
}
```

### Example 5: IP-Restricted Access

```json
{
  "Version": "2023-10-01",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "source_ip": ["203.0.113.0/24", "198.51.100.0/24"]
        }
      }
    }
  ]
}
```
## Related Resources

- Groups - Attach policies to groups
- Users - Assign policies to users
- Service Accounts - Assign policies to service accounts
## Notes

- Policies are evaluated in this order: Explicit Deny > Explicit Allow > Default Deny
- Wildcard (`*`) is supported for actions and resources
- RID format: `rid:pdaas:organization:{org_id}:{resource_type}:{resource_id}`
- Conditions are evaluated using AND logic (all must be true)
- Multiple values in a condition are evaluated using OR logic
- Policy simulation does not make actual changes
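The evaluation rules in these notes (explicit deny first, AND across conditions, OR across values, `*` wildcards) can be checked offline before a policy is created. The following is an added example and not the service's own evaluator or the code behind `/policies/simulate`; it assumes glob-style matching for `*` in actions and resources (Python's `fnmatch`), and that condition keys such as `source_ip` and `current_date` are looked up in a request context dictionary under the same names the page uses. The sample policies are constructed from the DeveloperAccess and IP-restricted examples above, and the result is shaped like the simulate response (without the free-text `reason` field).

```python
"""Local evaluator for the IAM-style policy documents on this page (added example).

Assumptions not stated on the page: '*' is a glob (fnmatch) wildcard; condition
keys are read from a request-context dict keyed by the page's names
(source_ip, current_date, ...); a key missing from the context fails the condition.
"""
from datetime import datetime
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


def _as_list(value):
    # Action, Resource and condition values may be a single string or a list.
    return value if isinstance(value, list) else [value]


def _parse_date(value):
    # Timestamps on the page are ISO 8601 with a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Operator -> predicate(context value, one condition value)
OPERATORS = {
    "StringEquals": lambda ctx, val: ctx == val,
    "StringLike": lambda ctx, val: fnmatchcase(ctx, val),
    "IpAddress": lambda ctx, val: ip_address(ctx) in ip_network(val, strict=False),
    "DateGreaterThan": lambda ctx, val: _parse_date(ctx) > _parse_date(val),
    "DateLessThan": lambda ctx, val: _parse_date(ctx) < _parse_date(val),
}


def condition_matches(condition, context):
    """Every operator and key must hold (AND); any one listed value may match (OR)."""
    for operator, keys in condition.items():
        test = OPERATORS[operator]
        for key, expected in keys.items():
            if key not in context:
                return False  # nothing to compare against: statement does not apply
            if not any(test(context[key], v) for v in _as_list(expected)):
                return False
    return True


def statement_matches(stmt, action, resource, context):
    """A statement applies when action, resource and all conditions match."""
    action_ok = any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    resource_ok = any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    return action_ok and resource_ok and condition_matches(stmt.get("Condition", {}), context)


def simulate(policies, action, resource, context=None):
    """Explicit Deny > Explicit Allow > Default Deny, as the Notes describe.
    Returns a dict shaped like the /policies/simulate response."""
    context = context or {}
    matched = []
    for policy in policies:
        for index, stmt in enumerate(policy["document"]["Statement"]):
            if statement_matches(stmt, action, resource, context):
                matched.append({"policy_id": policy["id"],
                                "statement_index": index,
                                "effect": stmt["Effect"]})
    effects = {m["effect"] for m in matched}
    decision = "deny" if "Deny" in effects or "Allow" not in effects else "allow"
    return {"decision": decision,
            "matched_statements": matched,
            "evaluated_policies": [p["id"] for p in policies]}


# Constructed sample policies following the page's examples.
DEVELOPER = {"id": "pol-developer", "document": {"Version": "2023-10-01", "Statement": [
    {"Effect": "Allow", "Action": ["accounts:GetAccount", "accounts:ListAccounts"], "Resource": "*"},
    {"Effect": "Deny", "Action": "accounts:DeleteAccount", "Resource": "*"},
]}}
OFFICE_ADMIN = {"id": "pol-office-admin", "document": {"Version": "2023-10-01", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*",
     "Condition": {"IpAddress": {"source_ip": ["203.0.113.0/24", "198.51.100.0/24"]},
                   "DateLessThan": {"current_date": "2025-09-30T17:00:00Z"}}},
]}}
ACCOUNT = "rid:pdaas:organization:org-abc123xyz:account:acc-prod001"

if __name__ == "__main__":
    on_site = {"source_ip": "203.0.113.7", "current_date": "2025-09-30T12:00:00Z"}
    off_site = {"source_ip": "192.0.2.9", "current_date": "2025-09-30T12:00:00Z"}
    # Explicit Deny wins even though the office policy allows '*'.
    print(simulate([DEVELOPER, OFFICE_ADMIN], "accounts:DeleteAccount", ACCOUNT, on_site)["decision"])
    # Allowed only while both conditions (network AND time) hold.
    print(simulate([DEVELOPER, OFFICE_ADMIN], "groups:CreateGroup", ACCOUNT, on_site)["decision"])
    # Off-network: no Allow matches, so the default deny applies.
    print(simulate([DEVELOPER, OFFICE_ADMIN], "groups:CreateGroup", ACCOUNT, off_site)["decision"])
```

Running the three calls prints `deny`, `allow`, `deny`. Because a missing context key fails the condition, a policy with an `IpAddress` condition never grants access to a request whose source address is unknown; that is the conservative choice when reading the rules as written.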