{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-apis/platform/iam/sidebars.yaml","oas-apis/platform/iam/openapi/iam-openapi.json":"oas-apis/platform/iam/openapi/iam-openapi.json"},"props":{"metadata":{"markdoc":{"tagList":["openapi-code-sample","admonition"]},"type":"markdown"},"seo":{"title":"Policies","keywords":"documentation, api, portal, banking, payment, account information, aritma, psd2, open banking, reconciliation","description":"Developer documentation for Aritma's banking and financial APIs - payments, account information, webhooks, authentication and integrations.","meta":[{"name":"google-site-verification","content":"hplqlK_5O42BZjNnjtVQMEpxv9JkxcD1eH4J1T-NQmI"}],"llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":["openapi"],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"policies","__idx":0},"children":["Policies"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A policy is the fundamental unit of access control in Aritma IAM. 
It binds a subject to an action on a specific scope, granting that subject permission to perform that action on that resource."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"the-policy-model","__idx":1},"children":["The policy model"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Every policy has exactly three fields:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Example"},"children":["Example"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["subject"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Who is being granted access (user, client, or group subject ID)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["user-550e8400-e29b-41d4-a716-446655440000"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["action"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["What they are allowed to do (dot-notation action 
string)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["banking.manage"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["scope"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Which resource the permission applies to (a URI)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/subscriptions/123/resource-groups/00000000-0000-0000-0000-000000000000"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"example","__idx":2},"children":["Example"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This policy grants Alice full banking management on a specific subscription:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"subject\": \"user-550e8400-e29b-41d4-a716-446655440000\",\n  \"action\": \"banking.manage\",\n  \"scope\": \"/subscriptions/123/resource-groups/00000000-0000-0000-0000-000000000000\"\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Because ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["banking.manage"]}," is a parent action, Alice also implicitly has all actions nested under it - such as ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["banking.consents.create"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["banking.ais.read"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["See the Actions Hierarchy page for the full tree of available actions."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"subjects-can-be-groups","__idx":3},"children":["Subjects can be groups"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If you 
want to grant the same permission to multiple users at once, create the policy with a group's ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["subjectId"]}," as the subject. All current and future members of that group will inherit the policy automatically."]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"subject\": \"group-7c9e6679-7425-40de-944b-e07fc1f90ae7\",\n  \"action\": \"banking.ais.read\",\n  \"scope\": \"/subscriptions/123/resource-groups/00000000-0000-0000-0000-000000000000\"\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"create-a-policy","__idx":4},"children":["Create a policy"]},{"$$mdtype":"Tag","name":"OpenApiCodeSample","attributes":{"descriptionFile":"oas-apis/platform/iam/openapi/iam-openapi.json","operationId":"CreatePolicy","language":"curl","parameters":{},"environments":{}},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Request body:"]}]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"subject\": \"user-550e8400-e29b-41d4-a716-446655440000\",\n  \"action\": \"banking.manage\",\n  \"scope\": \"/subscriptions/123/resource-groups/00000000-0000-0000-0000-000000000000\"\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Response:"]}]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"subject\": \"user-550e8400-e29b-41d4-a716-446655440000\",\n  \"action\": \"banking.manage\",\n  \"scope\": \"/subscriptions/123/resource-groups/00000000-0000-0000-0000-000000000000\",\n  \"tenant\": 
\"tenant_xyz\"\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Idempotency"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Creating the same policy twice returns ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["409 Conflict"]},", so the call is not idempotent: the conflict means an identical policy already exists. If your code may run more than once, query for an existing policy before creating it."]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"query-policies","__idx":5},"children":["Query policies"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Find policies matching a filter. You can filter by subject, action, scope, or any combination:"]},{"$$mdtype":"Tag","name":"OpenApiCodeSample","attributes":{"descriptionFile":"oas-apis/platform/iam/openapi/iam-openapi.json","operationId":"FindPolicies","language":"curl","parameters":{},"environments":{}},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Example - find all policies for a specific subject on a given subscription:"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"query-parameters","__idx":6},"children":["Query 
parameters"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Parameter"},"children":["Parameter"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["subject"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Filters results to policies belonging to this subject identifier"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["scope"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Filters results to policies on this scope"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["action"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Filters results to policies granting this action"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["includeDerived"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["If ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["true"]},", includes policies with a derived (child) 
scope"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["includeInherited"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["If ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["true"]},", includes policies with a parent scope"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["pageSize"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Number of items to return per page. Clamped between 10 and 200"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["cursor"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Opaque cursor returned from a previous response. Pass this to retrieve the next page"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"pagination","__idx":7},"children":["Pagination"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["FindPolicies"]}," uses cursor-based pagination. Each response includes a ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["cursor"]}," field. Pass that value as ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["cursor"]}," in your next request to retrieve the following page. 
When ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["cursor"]}," is ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["null"]},", there are no more results."]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"policies\": [...],\n  \"cursor\": \"eyJhbGciOiJub25lIn0\"\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"delete-a-policy","__idx":8},"children":["Delete a policy"]},{"$$mdtype":"Tag","name":"OpenApiCodeSample","attributes":{"descriptionFile":"oas-apis/platform/iam/openapi/iam-openapi.json","operationId":"RemovePolicy","language":"curl","parameters":{},"environments":{}},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The request body must match the policy exactly (same subject, action, and scope):"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"subject\": \"user-550e8400-e29b-41d4-a716-446655440000\",\n  \"action\": \"banking.manage\",\n  \"scope\": \"/subscriptions/123/resource-groups/00000000-0000-0000-0000-000000000000\"\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"common-patterns","__idx":9},"children":["Common patterns"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"grant-a-user-access-to-a-new-subscription","__idx":10},"children":["Grant a user access to a new 
subscription"]},{"$$mdtype":"Tag","name":"OpenApiCodeSample","attributes":{"descriptionFile":"oas-apis/platform/iam/openapi/iam-openapi.json","operationId":"CreatePolicy","language":"curl","parameters":{},"environments":{}},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"grant-read-only-access","__idx":11},"children":["Grant read-only access"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Use a more specific action to limit what a subject can do:"]},{"$$mdtype":"Tag","name":"OpenApiCodeSample","attributes":{"descriptionFile":"oas-apis/platform/iam/openapi/iam-openapi.json","operationId":"CreatePolicy","language":"curl","parameters":{},"environments":{}},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"revoke-all-access-for-a-user","__idx":12},"children":["Revoke all access for a user"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["First, query all policies for that subject, following the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["cursor"]}," on each page until it is ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["null"]}," so that no policy is missed, then delete each one. Policies granted to a group the user belongs to are not removed this way and remain in effect, so handle those separately:"]},{"$$mdtype":"Tag","name":"OpenApiCodeSample","attributes":{"descriptionFile":"oas-apis/platform/iam/openapi/iam-openapi.json","operationId":"FindPolicies","language":"curl","parameters":{},"environments":{}},"children":[]},{"$$mdtype":"Tag","name":"OpenApiCodeSample","attributes":{"descriptionFile":"oas-apis/platform/iam/openapi/iam-openapi.json","operationId":"RemovePolicy","language":"curl","parameters":{},"environments":{}},"children":[]}]},"headings":[{"value":"Policies","id":"policies","depth":1},{"value":"The policy model","id":"the-policy-model","depth":2},{"value":"Example","id":"example","depth":3},{"value":"Subjects can be groups","id":"subjects-can-be-groups","depth":3},{"value":"Create a policy","id":"create-a-policy","depth":2},{"value":"Query policies","id":"query-policies","depth":2},{"value":"Query parameters","id":"query-parameters","depth":3},{"value":"Pagination","id":"pagination","depth":3},{"value":"Delete a 
policy","id":"delete-a-policy","depth":2},{"value":"Common patterns","id":"common-patterns","depth":2},{"value":"Grant a user access to a new subscription","id":"grant-a-user-access-to-a-new-subscription","depth":3},{"value":"Grant read-only access","id":"grant-read-only-access","depth":3},{"value":"Revoke all access for a user","id":"revoke-all-access-for-a-user","depth":3}],"frontmatter":{"title":"Policies","seo":{"title":"Policies"}},"lastModified":"2026-05-08T13:38:07.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/apis/platform/iam/guides/policies","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}