ABAC Policies

ABAC policies declare rules that the policy engine evaluates at check time. Each policy specifies an effect (allow or deny), the actions and resourceType it applies to, and conditions on subject and resource attributes. Policies are combined using the deny-overrides algorithm — any matching deny blocks access even if allow policies also match — and the default is deny when no policy matches.

Use this reference to manage policies over the API.

GET /orgs/{orgId}/api/v1/abac/policies
POST /orgs/{orgId}/api/v1/abac/policies
GET /orgs/{orgId}/api/v1/abac/policies/{policyId}
PUT /orgs/{orgId}/api/v1/abac/policies/{policyId}
DELETE /orgs/{orgId}/api/v1/abac/policies/{policyId}

The Policy Object

Policy Object
{
  "id": "01JF3KPOL...",
  "name": "finance-approval",
  "description": "Finance team members can approve invoices within their limit",
  "effect": "allow",
  "actions": ["approve"],
  "resourceType": "invoice",
  "conditions": {
    "subject": {
      "attribute": "department",
      "operator": "equals",
      "value": "finance"
    },
    "resource": {
      "attribute": "amount",
      "operator": "lte",
      "attributeRef": "subject.approval_limit"
    }
  },
  "isActive": true,
  "priority": 100,
  "createdAt": "2026-01-15T10:30:00Z"
}

Note the attributeRef on the resource condition — it compares a resource attribute (amount) against a subject attribute (approval_limit) at evaluation time, instead of a literal value.

List Policies

List ABAC Policies
curl "https://app.lumoauth.dev/orgs/acme-corp/api/v1/abac/policies" \
  -H "Authorization: ApiKey lmk_abc123"

Create Policy

Create a Policy
curl -X POST https://app.lumoauth.dev/orgs/acme-corp/api/v1/abac/policies \
  -H "Authorization: ApiKey lmk_abc123" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "finance-approval",
    "description": "Finance team can approve invoices within limit",
    "effect": "allow",
    "actions": ["approve"],
    "resourceType": "invoice",
    "conditions": {
      "subject": {
        "attribute": "department",
        "operator": "equals",
        "value": "finance"
      },
      "resource": {
        "attribute": "amount",
        "operator": "lte",
        "attributeRef": "subject.approval_limit"
      }
    },
    "isActive": true,
    "priority": 100
  }'

Condition Operators

Operator      Description
equals        Exact match
not_equals    Not equal
in            Value is in the provided array
not_in        Value is not in the array
gt            Greater than
gte           Greater than or equal
lt            Less than
lte           Less than or equal
contains      String or array contains value
starts_with   String starts with value
exists        Attribute is present
not_exists    Attribute is absent
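To make the evaluation semantics concrete (the operators above, attributeRef resolution, deny-overrides combining and default deny), here is an added reference evaluator written for this page; it is not LumoAuth's engine, assumes a request shape of {"subject": {...}, "resourceType": ..., "resource": {...}}, does not model priority, and pairs the page's finance-approval policy with a constructed deny policy.

```python
# Added example, not LumoAuth's own engine: a reference evaluator for the
# semantics this page describes (condition operators, attributeRef lookup,
# deny-overrides combining, default deny). The request shape is assumed.
OPERATORS = {
    "equals": lambda a, v: a == v, "not_equals": lambda a, v: a != v,
    "in": lambda a, v: a in v, "not_in": lambda a, v: a not in v,
    "gt": lambda a, v: a > v, "gte": lambda a, v: a >= v,
    "lt": lambda a, v: a < v, "lte": lambda a, v: a <= v,
    "contains": lambda a, v: v in a,  # string or array contains value
    "starts_with": lambda a, v: str(a).startswith(v),
}

def condition_holds(cond, attrs, request):
    # attrs are the attributes of this condition's side (subject or resource)
    name, op = cond["attribute"], cond["operator"]
    if op in ("exists", "not_exists"):
        return (name in attrs) == (op == "exists")
    if name not in attrs:
        return False                       # missing attribute: fail closed
    if "attributeRef" in cond:             # e.g. "subject.approval_limit"
        side, ref = cond["attributeRef"].split(".", 1)
        if ref not in request[side]:
            return False                   # unresolved reference: fail closed
        other = request[side][ref]
    else:
        other = cond["value"]
    return OPERATORS[op](attrs[name], other)

def policy_matches(policy, action, request):
    if (not policy.get("isActive", True) or action not in policy["actions"]
            or policy["resourceType"] != request["resourceType"]):
        return False
    return all(condition_holds(c, request[side], request)
               for side, c in policy["conditions"].items())

def check(policies, action, request):
    """Deny-overrides: any matching deny wins; no matching policy means deny."""
    effects = {p["effect"] for p in policies if policy_matches(p, action, request)}
    if "deny" in effects:
        return "deny"
    return "allow" if "allow" in effects else "deny"

# Constructed samples: the page's finance-approval policy plus a deny policy.
FINANCE_APPROVAL = {"name": "finance-approval", "effect": "allow", "actions": ["approve"],
    "resourceType": "invoice", "isActive": True, "conditions": {
        "subject": {"attribute": "department", "operator": "equals", "value": "finance"},
        "resource": {"attribute": "amount", "operator": "lte", "attributeRef": "subject.approval_limit"}}}
NO_SELF_APPROVAL = {"name": "no-self-approval", "effect": "deny", "actions": ["approve"],
    "resourceType": "invoice", "isActive": True, "conditions": {
        "resource": {"attribute": "submitted_by", "operator": "equals", "attributeRef": "subject.id"}}}
```

A request whose subject lacks approval_limit is denied rather than allowed, since an unresolvable attributeRef fails closed here.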

AI Policy Authoring

Describe a policy in plain English and let LumoAuth's AI draft the policy definition. The generated JSON is previewed so you can review before creating.

GET /orgs/{orgId}/portal/policies/author
POST /orgs/{orgId}/portal/policies/author/parse
POST /orgs/{orgId}/portal/policies/author/create

This feature requires an AI provider to be configured (AI_PROVIDER, AI_API_KEY).

  • Attributes — attribute definitions referenced by policy conditions.
  • ABAC overview — evaluation semantics and worked examples.