indykite-authzen-kbac

IndyKite KBAC - authorization policies

KBAC (Knowledge-Based Access Control) is IndyKite's graph-driven authorization model. A KBAC policy declares who (subject) may perform which operations (actions) on what (resource), gated by a condition in Cypher (the Neo4j / openCypher graph query language) evaluated against the IKG — IndyKite's knowledge graph, a property-graph database. The policy itself renders no decision - it is the rule that the AuthZEN endpoints consult when a decision or search is requested.

This skill is the home of the KBAC policy lifecycle: writing the policy JSON and managing it through the Config API.

  • A policy with meta.policy_version: "2.0-kbac", a single subject.type, an actions list, a single resource.type, and a condition.cypher that binds the reserved variables subject and resource.
  • The Config API operations on /configs/v1/authorization-policies: create (POST), read (GET /{id} or by name), list (GET ?project_id=…&type=kbac), update (PUT /{id} with an If-Match ETag), and delete (DELETE /{id}).
  • Publishing: a policy must be ACTIVE to participate in decisions; an INACTIVE or DRAFT policy is stored but ignored (DRAFT may even be invalid).
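
A pre-submission shape check for the policy fields listed above, as an added example (not IndyKite's code or its schema validator). It assumes the dotted names map to nested JSON objects, that the actions list must be non-empty, and that a node label in the Cypher should equal the declared type; the sample policies are constructed.

```python
import re

POLICY_VERSION = "2.0-kbac"  # value stated on this page

def bound_label(cypher, var):
    """Find a node pattern such as (subject:Person); return (bound, label)."""
    pattern = r"\(\s*" + re.escape(var) + r"\s*(?::\s*`?(\w+)`?)?\s*[:){]"
    m = re.search(pattern, cypher)
    return (m is not None, m.group(1) if m else None)

def lint_policy(policy):
    """Return a list of problems; an empty list means the shape checks pass."""
    problems = []
    if (policy.get("meta") or {}).get("policy_version") != POLICY_VERSION:
        problems.append(f"meta.policy_version must be {POLICY_VERSION!r}")
    types = {}
    for side in ("subject", "resource"):
        node = policy.get(side)
        types[side] = node.get("type") if isinstance(node, dict) else None
        if not isinstance(types[side], str) or not types[side]:
            problems.append(f"{side}.type must be a single non-empty string")
    actions = policy.get("actions")
    # Assumption: an empty actions list is treated as an authoring mistake.
    if not (isinstance(actions, list) and actions
            and all(isinstance(a, str) and a for a in actions)):
        problems.append("actions must be a non-empty list of strings")
    cond = policy.get("condition")
    cypher = cond.get("cypher") if isinstance(cond, dict) else None
    if not isinstance(cypher, str) or not cypher.strip():
        return problems + ["condition.cypher is missing or empty"]
    for side in ("subject", "resource"):
        bound, label = bound_label(cypher, side)
        if not bound:
            problems.append(f"condition.cypher does not bind '{side}'")
        elif label and isinstance(types[side], str) and label != types[side]:
            # Assumption: the node label is expected to equal the declared type.
            problems.append(f"'{side}' is labelled {label}, but {side}.type is {types[side]}")
    return problems

# Constructed sample policies (labels, action names and Cypher are made up).
GOOD = {"meta": {"policy_version": "2.0-kbac"},
        "subject": {"type": "Person"}, "actions": ["CAN_DRIVE"],
        "resource": {"type": "Car"},
        "condition": {"cypher": "MATCH (subject:Person)-[:OWNS]->(resource:Car)"}}
BAD = {"meta": {"policy_version": "1.0"},
       "subject": {"type": "Person"}, "actions": ["CAN_DRIVE"],
       "resource": {"type": "Car"},
       "condition": {"cypher": "MATCH (s:Person)-[:OWNS]->(resource:Truck)"}}

if __name__ == "__main__":
    for name, pol in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_policy(pol))
```

The BAD policy fails on three counts: the version string, a Cypher condition that never binds `subject`, and a `resource` label that disagrees with `resource.type`.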

Once a policy is ACTIVE, the runtime AuthZEN skills evaluate it:

| Need | Endpoint | Skill |
|---|---|---|
| One yes/no decision | /access/v1/evaluation | indykite-authzen-evaluation |
| Many decisions at once | /access/v1/evaluations | indykite-authzen-evaluations |
| Actions a subject may perform on a resource | /access/v1/search/action | indykite-authzen-search-action |
| Resources a subject may act on, given an action | /access/v1/search/resource | indykite-authzen-search-resource |
| Subjects allowed an action on a resource | /access/v1/search/subject | indykite-authzen-search-subject |

Repository
indykite/skills