Access Paths
When you call the evaluate endpoint, Vengtoo checks access through multiple paths. If any path grants access (and no DENY policy blocks it), the request is allowed.
The three paths
1. Direct access
A policy is assigned directly to the subject.
Subject → Policy → Resource
Use this for one-off grants or exceptions. Example: Give contractor Frank read-only access to a specific report.
2. Role-based access (RBAC)
The subject has a role, and the role has policies.
Subject → Role → Policy → Resource
Use this for standard permission patterns. Example: All editors can read and write documents.
3. Attribute-based access (ABAC)
A policy has conditions that compare attributes from the subject, resource, or context.
Subject + Resource + Context → Policy (with conditions) → Resource
Use this for fine-grained rules that depend on runtime data. Example: Users can only read documents in their own department.
See ABAC Conditions for full syntax.
DENY policies and access paths
DENY policies work through the same three paths — a DENY can be assigned directly to a subject, via a role, or via ABAC conditions. A DENY blocks access when its priority is equal to or higher than any matching ALLOW, meaning a high-priority ALLOW can override a low-priority DENY.
Evaluation order
- Vengtoo collects all applicable policies from all paths.
- If a DENY policy matches and has equal or higher priority than any matching ALLOW → access is denied.
- If any ALLOW policy matches → access is allowed.
- If no policy matches → access is denied (default deny).
When multiple ALLOW policies match, the one with the highest priority is reported in the response.
Access path in the response
The evaluate response includes which path was used:
{
"decision": true,
"context": {
"reason": "Policy 'editors-can-read-write' grants access",
"policy_id": "pol-789",
"access_path": "role"
}
}
Possible values for context.access_path:
| Value | Meaning |
|---|---|
"direct" | Access granted via a policy assigned directly to the subject |
"role" | Access granted via a role the subject holds |
"abac" | Access granted via a policy whose ABAC conditions matched |
"none" | No ALLOW policy matched, or a DENY overrode the match — decision is false |
Combining paths
A subject can have access through multiple paths simultaneously. Vengtoo evaluates all paths and the highest-priority match wins.
Example: Frank has the viewer role (read-only on all documents via RBAC) and a direct policy granting write on one specific document.
(Frank, read, any document)→ allowed viarolepath(Frank, write, doc-123)→ allowed viadirectpath(Frank, write, doc-456)→ denied — no matching ALLOW for write on that document
The access_path field in the response tells you which path produced the decision.
Related
- Policies — Policy structure, assignment, and conditions.
- ABAC Conditions — Condition syntax for attribute-based access.
- Decisions — What happens after evaluation.