Policies

IAM policies grant precise, resource-level permissions on top of roles.

A policy is a reusable document of permission statements. You write it once, then attach it to the people or resources it should apply to. Where roles say who someone is broadly, policies say exactly what may be done, and where.

Anatomy

A policy is a list of statements. Each statement allows a set of actions on a set of resources, optionally narrowed by conditions. Manage policies under Access → Policies, or via the API.

Policy document shape
{
  "name": "example-policy",
  "statements": [
    {
      "effect": "allow",
      "actions": ["<action>"],
      "resources": ["<resource>"]
    }
  ]
}

Valid actions and resources

The exact action and resource identifiers you can grant are returned by GET /v1/iam/catalog. Build your statements from that list rather than guessing names.
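One way to enforce that rule before a policy is submitted, as an added example that is not code from this documentation or its API: it checks a document of the shape shown above against sets of catalog identifiers. The catalog response format is not shown on this page, so the function takes the identifiers as plain sets; the sample identifiers and the `validate_policy` name are constructed for illustration, and `allow` is treated as the only effect because it is the only one this page shows.

```python
import json

# Constructed sample identifiers; real ones come from GET /v1/iam/catalog.
SAMPLE_CATALOG_ACTIONS = {"projects.read", "projects.deploy"}
SAMPLE_CATALOG_RESOURCES = {"project:demo"}


def validate_policy(policy, catalog_actions, catalog_resources, effects=("allow",)):
    """Return a list of problems; an empty list means the document passed."""
    if not isinstance(policy, dict):
        return ["policy must be a JSON object"]
    problems = []
    name = policy.get("name")
    if not isinstance(name, str) or not name.strip():
        problems.append("name: must be a non-empty string")
    statements = policy.get("statements")
    if not isinstance(statements, list) or not statements:
        return problems + ["statements: must be a non-empty list"]
    for i, st in enumerate(statements):
        where = f"statements[{i}]"
        if not isinstance(st, dict):
            problems.append(f"{where}: must be an object")
            continue
        if st.get("effect") not in effects:
            problems.append(f"{where}.effect: {st.get('effect')!r} not in {list(effects)}")
        # Every action and resource must be an exact catalog identifier.
        for key, known in (("actions", catalog_actions), ("resources", catalog_resources)):
            values = st.get(key)
            if not isinstance(values, list) or not values:
                problems.append(f"{where}.{key}: must be a non-empty list")
                continue
            for v in values:
                if not isinstance(v, str) or v not in known:
                    problems.append(f"{where}.{key}: {v!r} is not in the catalog")
    return problems


if __name__ == "__main__":
    # The template from this page, unedited: both placeholders are rejected.
    template = json.loads(
        '{"name": "example-policy", "statements": [{"effect": "allow",'
        ' "actions": ["<action>"], "resources": ["<resource>"]}]}'
    )
    for problem in validate_policy(template, SAMPLE_CATALOG_ACTIONS, SAMPLE_CATALOG_RESOURCES):
        print(problem)
```

Running the check in CI or a pre-commit hook keeps guessed or mistyped identifiers out of a policy before it reaches the API.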

Creating and attaching

Create a policy, then attach it to a member, role or resource:

Create a policy
curl -X POST https://api.upgreat.ai/v1/orgs/{orgId}/policies \
  -H "Authorization: Bearer <access-token>" \
  -H "Content-Type: application/json" \
  -d @policy.json

Inspect what a policy currently governs with GET /v1/orgs/{orgId}/policies/{policyId}/attachments. The full set of policy endpoints is in the API reference.

Least privilege

Start from the narrowest policy that lets a person do their job, scoped to a single project, and widen only when needed. Combine policies rather than granting broad roles.