Introduction to PolicyFlow
A high-level, declarative language for modern authorization logic
PolicyFlow is a high-level, declarative, and type-safe language engineered for the precise and readable expression of modern authorization logic. It provides a unified and elegant syntax to implement a spectrum of access control models, including Role-Based (RBAC), Attribute-Based (ABAC), and Relationship-Based (ReBAC) access control, within a single, coherent framework.
Design Philosophy
The design of PolicyFlow is guided by a core set of principles aimed at addressing the challenges of enterprise-scale authorization:
Clarity and Readability
Authorization logic should be as clear as a business rule. Policies are designed to be self-documenting and easily understood by both technical (developers, security engineers) and non-technical (product managers, compliance officers) stakeholders.
Safety and Reliability
A strong, static type system eliminates entire classes of runtime errors. The language guarantees termination, is resistant to injection attacks, and is designed to prevent common security anti-patterns through its explicit syntax.
Modularity and Scalability
A robust module and schema system allows for the clean organization of policies, enabling them to scale from simple applications to complex enterprise ecosystems with thousands of rules, preventing naming collisions and promoting reuse.
Expressiveness and Power
A rich standard library, object-oriented method syntax, and first-class support for collections and graph-based relationships provide the tools to model even the most sophisticated and dynamic authorization scenarios.
The PolicyFlow Ecosystem
The PolicyFlow ecosystem consists of three primary file types that work in concert, plus an optional environment file:
Policy Files (.pf)
The core files containing the authorization rules and logic. These are the executable components of the authorization model.
policy DocumentAccess {
    rules {
        rule OwnerAccess {
            when user.id == resource.ownerId
            then ALLOW
        }
    }
}
Schema Files (.pfs)
Files that define the data models (User, Resource, Context) that policies operate on. They act as the "data contract" for your policies.
schema AuthSchema {
    User type CorporateUser {
        id: UUID
        email: Email
        roles: String[]
        isActive: Boolean = true
    }
}
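Why a typed data contract matters for the OwnerAccess rule shown earlier, as an added Python sketch (not PolicyFlow's own code or semantics): evaluated over raw, unvalidated input, a request missing both ids satisfies user.id == resource.ownerId. The checker, the simplified email pattern, a UUID-typed ownerId and the DENY fallback are assumptions that the page does not state.

```python
import re
import uuid

# Field rules copied from the page's CorporateUser schema; the checker itself is hypothetical.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # simplified email shape (assumption)

def is_uuid(v):
    if not isinstance(v, str):
        return False
    try:
        uuid.UUID(v)
        return True
    except ValueError:
        return False

CORPORATE_USER = {
    "id": is_uuid,
    "email": lambda v: isinstance(v, str) and EMAIL_RE.match(v) is not None,
    "roles": lambda v: isinstance(v, list) and all(isinstance(r, str) for r in v),
    "isActive": lambda v: isinstance(v, bool),
}
DEFAULTS = {"isActive": True}  # mirrors "isActive: Boolean = true"

def validate_user(raw):
    """Return a user dict that satisfies the contract, or raise ValueError."""
    user = {**DEFAULTS, **raw}
    unknown = set(user) - set(CORPORATE_USER)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    for field, check in CORPORATE_USER.items():
        if field not in user or not check(user[field]):
            raise ValueError(f"field {field!r} violates schema")
    return user

def owner_access_untyped(user, resource):
    # OwnerAccess over raw dicts: two missing ids are both None and compare equal.
    return "ALLOW" if user.get("id") == resource.get("ownerId") else "DENY"

def owner_access_typed(raw_user, resource):
    # Same rule, but inputs must pass the contract first; DENY on failure is an assumption.
    try:
        user = validate_user(raw_user)
    except ValueError:
        return "DENY"
    if not is_uuid(resource.get("ownerId")):
        return "DENY"
    return "ALLOW" if uuid.UUID(user["id"]) == uuid.UUID(resource["ownerId"]) else "DENY"
```

Calling owner_access_untyped({}, {}) returns ALLOW, while owner_access_typed({}, {}) returns DENY because the empty user never satisfies the contract.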
Test Files (.pftest)
Files for validating the correctness of your policies with a dedicated, expressive testing framework.
test DocumentAccessTests for DocumentAccess {
    case "Owner can access their document" {
        given {
            user: { id: "user-123" }
            resource: { ownerId: "user-123" }
        }
        expect: ALLOW
    }
}
Environment Files (.env)
An optional file at the project root for defining global, environment-specific constants.
ADMIN_ROLE = "policy-admin"
COMPANY_DOMAIN = "mycorp.com"