Define an allowed or denied set of actions against a set of resources with optional context and conditions.

Deny rules trump allow rules.

This is a fork of @ddt/iam, updated with new functionality.


npm install --save iam-policies


yarn add iam-policies


const {Role}=require('iam-policies')

const role = new Role([
  {
    effect: 'allow', // optional, defaults to allow
    resource: ['secrets:${}:*'],
    action: ['read', 'write']
  },
  {
    // one pattern per entry in context.user.bestfriends
    resource: ['secrets:${user.bestfriends}:*'],
    action: 'read'
  },
  {
    effect: 'deny',
    resource: 'secrets:admin:*',
    action: 'read'
  }
])

const context = { user: { id: 456, bestfriends: [123, 563, 1211] } }

// true
role.can('read', 'secrets:563:sshhh', context)
// false
role.can('read', 'secrets:admin:super-secret', context)

const friendsWithAdminContext = { user: { id: 456, bestfriends: ['admin'] } }

// false: the deny on secrets:admin:* overrides the allow that the context produces
role.can('read', 'secrets:admin:super-secret', friendsWithAdminContext)

const adminRole = new Role([
  {
    resource: '*',
    action: '*'
  }
])

// true
adminRole.can('read', 'someResource')
// true
adminRole.can('write', 'otherResource')

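// The resolver name and the shape of the condition object are missing from
// this copy of the example; 'greaterThan' and { 'user.age': 18 } are assumed
// from the results shown below.
const conditions={
  greaterThan: function (data, expected) {
    return data>expected
  }
}

const roleWithCondition = new Role([
  {
    effect: 'allow', // optional, defaults to allow
    resource: 'secrets:*',
    action: ['read', 'write'],
    condition: {
      greaterThan: { 'user.age': 18 }
    }
  }
], conditions)
// true
roleWithCondition.can('read', 'secrets:sshhh', { user: { age: 19 } })
// false
roleWithCondition.can('read', 'secrets:admin:super-secret', { user: { age: 18 } })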
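
The evaluation order the examples above rely on, as an added sketch that is not the iam-policies source: a matching deny wins over any allow, and no matching statement is also a denial. The function names, the `*`-only glob and the fail-closed handling of missing context paths are assumptions of this sketch.

```javascript
// Added sketch of deny-overrides evaluation; not the iam-policies source.
// All function names here are hypothetical.

// Resolve a dotted path such as 'user.bestfriends' against the context.
function getPath(data, path) {
  return path.split('.').reduce((v, k) => (v == null ? undefined : v[k]), data);
}

// Expand ${path} placeholders; an array value yields one pattern per element.
// Assumption: a missing path yields no pattern at all (fail closed).
function expand(pattern, context) {
  const parts = pattern.split(/\$\{([^}]+)\}/); // odd indexes hold the paths
  return parts.reduce((acc, part, i) => {
    if (i % 2 === 0) return acc.map((s) => s + part);
    const value = getPath(context, part);
    if (value == null) return [];
    return acc.flatMap((s) => [].concat(value).map((v) => s + String(v)));
  }, ['']);
}

// Assumption: '*' is the only wildcard; everything else is literal.
function globMatch(pattern, value) {
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + pattern.split('*').map(esc).join('.*') + '$').test(value);
}

function matches(stmt, action, resource, context) {
  const resources = [].concat(stmt.resource).flatMap((r) => expand(r, context));
  return [].concat(stmt.action).some((a) => globMatch(a, action)) &&
    resources.some((r) => globMatch(r, resource));
}

// A matching deny always wins; no matching statement is also a denial.
function evaluate(statements, action, resource, context = {}) {
  const hit = (effect) => statements.some((s) =>
    (s.effect || 'allow') === effect && matches(s, action, resource, context));
  if (hit('deny')) return 'explicit-deny';
  return hit('allow') ? 'allow' : 'implicit-deny';
}

// Constructed policy, modelled on the README example above.
const policy = [
  { resource: ['secrets:${user.bestfriends}:*'], action: 'read' },
  { effect: 'deny', resource: 'secrets:admin:*', action: 'read' }
];
const adminFriend = { user: { id: 456, bestfriends: ['admin'] } };
console.log(evaluate(policy, 'read', 'secrets:admin:super-secret', adminFriend));
console.log(evaluate(policy.slice(0, 1), 'read', 'secrets:admin:super-secret', adminFriend));
```

The second call drops the deny statement and returns `allow`, which is why resource patterns built from context values need an explicit deny on anything they must never reach.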


Supports these glob features:

  • Role creation
  • Permission verifications

Role Class

Create a custom role with actions and permissions.

const {Role}=require('iam-policies')

const role = new Role(StatementConfigs,conditionResolvers)


| Name | Type | Default | Required | Description |
| --- | --- | --- | --- | --- |
| StatementConfigs | object[] | undefined | true | It contains permission statements. |
| StatementConfigs[].effect | string | allow | false | It allows (allow) or denies (deny) the action. |
| StatementConfigs[].resource | string or string[] | undefined | true | It represents the protected resource. |
| StatementConfigs[].action | string or string[] | undefined | true | It represents the action associated with the protected resource. |
| StatementConfigs[].condition | object | undefined | false | It contains the condition functions for each statementConfig. |


role.can(action, resource, context)

public: Verify whether an action on a specific resource is allowed (true) or denied (false).

| Name | Type | Default | Required | Description |
| --- | --- | --- | --- | --- |
| action | string | undefined | true | It represents the action you are asking. |
| resource | string | undefined | true | It represents the resource for the action you are asking. |
| context | object | undefined | false | It represents the properties that will be embedded into your resources. |

Statement Class

Create a custom statement.

const {Statement}=require('iam-policies')

const statement = new Statement(StatementConfig)


| Name | Type | Default | Required | Description |
| --- | --- | --- | --- | --- |
| StatementConfig | object | undefined | true | It contains permission statements. |
| StatementConfig.effect | string | allow | false | It allows (allow) or denies (deny) the action. |
| StatementConfig.resource | string or string[] | undefined | true | It represents the protected resource. |
| StatementConfig.action | string or string[] | undefined | true | It represents the action associated with the protected resource. |
| StatementConfig.condition | object | undefined | false | It contains the condition functions for each statementConfig. |


statement.matches(action, resource, context, conditionResolvers)

public: Verify whether an action on a specific resource is allowed (true) or denied (false) in the statement.

| Name | Type | Default | Required | Description |
| --- | --- | --- | --- | --- |
| action | string | undefined | true | It represents the action you are asking. |
| resource | string | undefined | true | It represents the resource for the action you are asking. |
| context | object | undefined | false | It represents the properties that will be embedded into your resources. |
| conditionResolvers | object | undefined | false | It contains function conditions. |

getValueFromPath(data, path) Function

Get an object value from a path.

const {getValueFromPath}=require('iam-policies')

const value = getValueFromPath(data, path)


| Name | Type | Default | Required | Description |
| --- | --- | --- | --- | --- |
| data | object | undefined | true | It is our context. |
| path | string | undefined | true | It is the value path from data. Separate attribute names by dots (.). |

applyContext(str, context) Function

Get a string with the context value embedded into it.

const {applyContext}=require('iam-policies')

const embeddedStr = applyContext(str, context)


| Name | Type | Default | Required | Description |
| --- | --- | --- | --- | --- |
| str | string | undefined | true | It can contain embedded path values by using (${}). |
| context | object | undefined | false | It represents the context that should be embedded into str. |


MIT © Rogger794