{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-apis/platform/iam/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"type":"markdown"},"seo":{"title":"Policies","keywords":"documentation, api, portal, banking, payment, account information, aritma, psd2, open banking, reconciliation","description":"Developer documentation for Aritma's banking and financial APIs - payments, account information, webhooks, authentication and integrations.","meta":[{"name":"google-site-verification","content":"hplqlK_5O42BZjNnjtVQMEpxv9JkxcD1eH4J1T-NQmI"}],"llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"policies","__idx":0},"children":["Policies"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["policy"]}," is the binding that grants a subject permission to perform an action on a resource. Every resource-based access decision in Aritma resolves to one or more policies."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A policy has three components:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Component"},"children":["Component"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Example"},"children":["Example"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Subject"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Who is being granted access"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A user's ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["subjectId"]},", a client, or a group"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Action"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["What they are allowed to do"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["banking.manage"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["banking.ais.read"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Scope"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Which resource the permission applies to"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/subscriptions/abc123/resource-groups/..."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"actions","__idx":1},"children":["Actions"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Actions use dot-notation and form a hierarchy. Granting a parent action implicitly grants all child actions beneath it."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For example, granting ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["banking.manage"]}," gives the subject access to everything under ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["banking.*"]},", including ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["banking.ais.read"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["banking.pis.write"]},", and so on."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This hierarchy lets you grant broad access with a single policy, or narrow it down to a specific operation."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"scopes","__idx":2},"children":["Scopes"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A scope is a URI that identifies the resource a policy applies to. The same subject can have different permissions on different scopes."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For example, a user might have ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["banking.ais.read"]}," on ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/subscriptions/123/..."]}," but no access to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/subscriptions/456/..."]},". Policies are always evaluated against both the action being requested and the scope of the resource being accessed."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"policy-inheritance-through-groups","__idx":3},"children":["Policy inheritance through groups"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When a policy is assigned to a group, all members of that group inherit it immediately. This means you can grant access to an entire team by assigning a single policy to the group, rather than managing individual policies per subject."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If a user belongs to multiple groups, they receive the union of all policies inherited from those groups plus any policies assigned to them directly."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"policy-evaluation","__idx":4},"children":["Policy evaluation"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When a subject makes an API call, Aritma evaluates whether any of their policies — direct or inherited — grant an action that covers the requested operation on the targeted scope. If no policy matches, the request is denied."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["There is no delay or caching: policies take effect the moment they are created, and access is revoked the moment a policy is deleted or a subject is removed from a group."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"related","__idx":5},"children":["Related"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/apis/platform/iam/guides/policies"},"children":["Policies guide"]}," — create, list, and delete policies via the API"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/apis/platform/iam/concepts/subjects"},"children":["Subjects"]}," — what can be used as the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["subject"]}," in a policy"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/apis/platform/iam/guides/groups"},"children":["Groups"]}," — how group-level policies propagate to members"]}]}]},"headings":[{"value":"Policies","id":"policies","depth":1},{"value":"Actions","id":"actions","depth":2},{"value":"Scopes","id":"scopes","depth":2},{"value":"Policy inheritance through groups","id":"policy-inheritance-through-groups","depth":2},{"value":"Policy evaluation","id":"policy-evaluation","depth":2},{"value":"Related","id":"related","depth":2}],"frontmatter":{"title":"Policies","seo":{"title":"Policies"}},"lastModified":"2026-05-08T13:38:07.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/apis/platform/iam/concepts/policies","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}