Announcing a new feature in authorization policies: a limited form of negation (`not` syntax). You can use negation in rules to express logic that applies only when a certain fact is not present. This is useful for opting certain actors or resources out of logic that shouldn't apply to them, without having to explicitly provide facts for everything the logic should apply to. For example, say you have a small number of users who are blocked from your system. Negation allows you to opt them out of authorization by writing:
allow(user: User, action, resource: Resource) if
  not is_blocked(user) and
  has_permission(user, action, resource);
This lets you specify facts for only the small number of blocked users you wish to opt out of this logic, without having to provide, for example, `is_blocked(user, false)` facts for all of the rest of the users. Read more about it here.
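
The difference between the two approaches, as an added Python model of the rule above (not the policy engine's own code). The fact tuples, user names and helper functions are constructed for illustration. It also shows the operational consequence: with negation a user who has no block fact is treated as not blocked, so the block facts must be kept current.

```python
# Added illustration: a tiny in-memory fact store modelling the rule from the post.
# Facts are tuples such as ("is_blocked", "mallory"); all names and data are constructed.

def allow_with_negation(facts, user, action, resource):
    """allow(...) if not is_blocked(user) and has_permission(user, action, resource)"""
    return (("is_blocked", user) not in facts
            and ("has_permission", user, action, resource) in facts)

def allow_with_explicit_flag(facts, user, action, resource):
    """Alternative without negation: needs an is_blocked(user, false) fact per user."""
    return (("is_blocked", user, False) in facts
            and ("has_permission", user, action, resource) in facts)

USERS = ["alice", "bob", "carol", "mallory"]
PERMS = {("has_permission", u, "read", "doc:1") for u in USERS}

# Negation: one fact for the one blocked user.
NEGATION_FACTS = PERMS | {("is_blocked", "mallory")}
# Explicit flag: one fact for every user, true only for mallory.
EXPLICIT_FACTS = PERMS | {("is_blocked", u, u == "mallory") for u in USERS}

def block_fact_count(facts):
    """Number of is_blocked facts that have to be written and kept in sync."""
    return sum(1 for f in facts if f[0] == "is_blocked")

def decisions(allow, facts, users):
    """Evaluate a read on doc:1 for each user under the given rule."""
    return {u: allow(facts, u, "read", "doc:1") for u in users}

def onboard(facts, user):
    """Grant a new user the permission fact only; no block fact is written."""
    return facts | {("has_permission", user, "read", "doc:1")}

if __name__ == "__main__":
    print(decisions(allow_with_negation, NEGATION_FACTS, USERS))
    print(decisions(allow_with_explicit_flag, EXPLICIT_FACTS, USERS))
    print(block_fact_count(NEGATION_FACTS), block_fact_count(EXPLICIT_FACTS))
    # A newly onboarded user: allowed under negation, denied under the
    # explicit-flag rule until an is_blocked(user, false) fact is also written.
    print(allow_with_negation(onboard(NEGATION_FACTS, "dave"), "dave", "read", "doc:1"))
    print(allow_with_explicit_flag(onboard(EXPLICIT_FACTS, "dave"), "dave", "read", "doc:1"))
```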