Atom

Bulk Authorization Check

Check multiple actions on one protected object in one call.

POST /authz/check/bulk

Check whether an entity can perform multiple actions on one protected object in a single request. Avoids N round-trips when a UI needs to render permission-dependent buttons.

Request

{
  "subjectId": "uuid",
  "objectKind": "resource",
  "objectId": "uuid",
  "actions": ["read", "write", "delete", "publish", "manage"],
  "context": {}
}
Field       Type      Required  Description
subjectId   UUID      Yes       The entity attempting the actions
objectKind  string    Yes       Protected object kind, such as resource, entity, or tenant
objectId    UUID      Yes       Protected object ID
actions     string[]  Yes       Action names to check (max 20)
context     object    No        Additional ABAC context (default {})

Response

{
  "subjectId": "aaa-...",
  "objectKind": "resource",
  "objectId": "r1-...",
  "results": {
    "read":    { "allowed": true,  "reason": "allowed" },
    "write":   { "allowed": true,  "reason": "allowed" },
    "delete":  { "allowed": false, "reason": "no matching allow policy" },
    "publish": { "allowed": false, "reason": "explicitly denied by policy p1-..." },
    "manage":  { "allowed": false, "reason": "no matching allow policy" }
  }
}

Each key in results maps to the same {allowed, reason} shape as POST /authz/check.

Validation

  • actions must contain 1 to 20 entries.
  • Duplicate entries are collapsed, so each action appears exactly once in results.
  • Unknown actions return { "allowed": false, "reason": "unknown action '<name>'" } for that action; they do not fail the whole request.
  • Actions that exist but do not apply to the given objectKind (see Action Applicability) are denied for that action.

Performance

Entity, target object, role assignments, direct policies, and permission blocks are loaded once. Each action is resolved, checked through Action Applicability, and evaluated against the same effective permission set. This turns N database round-trips into a small fixed set of queries.
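The following is an added reference model of the validation and evaluation rules above (the 1 to 20 bound, deduplication, unknown and inapplicable actions, and loading the policy set once before resolving every action). It is illustrative code written for this page, not the service's own implementation. The action catalogue, policies, role assignment and the request body are constructed sample data; the explicit-deny-wins rule and the choice to apply the 20-entry bound before deduplication are assumptions.

```python
from dataclasses import dataclass

MAX_ACTIONS = 20

# Constructed sample data (assumption): an action catalogue per object kind,
# one role with its policies, one direct deny policy, and one role assignment.
# These stand in for the rows the real service loads from its database.
ACTION_CATALOGUE = {
    "resource": {"read", "write", "delete", "publish"},
    "tenant": {"read", "manage"},
}
KNOWN_ACTIONS = set().union(*ACTION_CATALOGUE.values())


@dataclass(frozen=True)
class Policy:
    id: str
    effect: str            # "allow" or "deny"
    actions: frozenset
    object_kind: str


ROLE_POLICIES = {
    "editor": [Policy("p0-...", "allow", frozenset({"read", "write"}), "resource")],
}
DIRECT_POLICIES = {
    ("aaa-...", "resource", "r1-..."): [
        Policy("p1-...", "deny", frozenset({"publish"}), "resource"),
    ],
}
ROLE_ASSIGNMENTS = {"aaa-...": ["editor"]}


class ValidationError(ValueError):
    pass


def validate_actions(actions):
    """Enforce the 1..20 bound on the submitted list, then drop duplicates
    while keeping first-seen order (assumption: the bound applies before dedup)."""
    if not isinstance(actions, list) or not 1 <= len(actions) <= MAX_ACTIONS:
        raise ValidationError(f"actions must contain 1 to {MAX_ACTIONS} entries")
    return list(dict.fromkeys(actions))


def load_effective_policies(subject_id, object_kind, object_id):
    """The fixed set of lookups done once per request: role assignments, the
    policies those roles carry, and direct policies on the target object."""
    policies = []
    for role in ROLE_ASSIGNMENTS.get(subject_id, []):
        policies.extend(ROLE_POLICIES.get(role, []))
    policies.extend(DIRECT_POLICIES.get((subject_id, object_kind, object_id), []))
    return [p for p in policies if p.object_kind == object_kind]


def check_one(action, object_kind, policies):
    """Resolve a single action against the already-loaded policy set,
    returning the same {allowed, reason} shape as the single check."""
    if action not in KNOWN_ACTIONS:
        return {"allowed": False, "reason": f"unknown action '{action}'"}
    # Action Applicability: a real action that does not apply to this object
    # kind is denied without consulting any policy.
    if action not in ACTION_CATALOGUE.get(object_kind, set()):
        return {"allowed": False, "reason": "no matching allow policy"}
    # Assumption: an explicit deny wins over any allow.
    deny = next((p for p in policies if p.effect == "deny" and action in p.actions), None)
    if deny is not None:
        return {"allowed": False, "reason": f"explicitly denied by policy {deny.id}"}
    if any(p.effect == "allow" and action in p.actions for p in policies):
        return {"allowed": True, "reason": "allowed"}
    return {"allowed": False, "reason": "no matching allow policy"}


def bulk_check(request):
    """Handle one POST /authz/check/bulk body and return the response body."""
    actions = validate_actions(request["actions"])
    policies = load_effective_policies(
        request["subjectId"], request["objectKind"], request["objectId"])
    return {
        "subjectId": request["subjectId"],
        "objectKind": request["objectKind"],
        "objectId": request["objectId"],
        "results": {a: check_one(a, request["objectKind"], policies) for a in actions},
    }


# Constructed request mirroring the page's example, with a duplicate and an
# unknown action added to exercise the validation rules.
SAMPLE_REQUEST = {
    "subjectId": "aaa-...",
    "objectKind": "resource",
    "objectId": "r1-...",
    "actions": ["read", "write", "delete", "publish", "manage", "read", "frobnicate"],
    "context": {},
}

if __name__ == "__main__":
    import json
    print(json.dumps(bulk_check(SAMPLE_REQUEST), indent=2))
```

Running it on SAMPLE_REQUEST reproduces the page's sample response for the five documented actions, with the duplicate "read" collapsed and "frobnicate" reported as an unknown action rather than rejecting the request. Note that an unknown or inapplicable action never reaches the policy loop, so a caller cannot use malformed action names to probe which policies exist.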
