@casual-simulation/aux-records 3.2.13 → 3.2.14-alpha.7890390188

package/PolicyController.d.ts

@@ -1,9 +1,9 @@
 import { AuthController } from './AuthController';
 import { RecordsController, ValidatePublicRecordKeyFailure, ValidatePublicRecordKeyResult } from './RecordsController';
 import { NotSupportedError, ServerError, SubscriptionLimitReached } from '@casual-simulation/aux-common/Errors';
-import { AvailablePermissions, PolicyDocument, DenialReason } from '@casual-simulation/aux-common';
+import { AvailablePermissions, ResourceKinds, ActionKinds, SubjectType, DenialReason, PrivacyFeatures, PermissionOptions } from '@casual-simulation/aux-common';
 import { ListedStudioAssignment, PublicRecordKeyPolicy } from './RecordsStore';
-import { AssignedRole, GetUserPolicyFailure, ListedUserPolicy, ListMarkerPoliciesResult, PolicyStore, RoleAssignment, UpdateUserPolicyFailure, UpdateUserRolesFailure } from './PolicyStore';
+import { AssignedRole, AssignPermissionToSubjectAndMarkerFailure, MarkerPermissionAssignment, PolicyStore, ResourcePermissionAssignment, RoleAssignment, UpdateUserRolesFailure } from './PolicyStore';
 /**
  * The maximum number of instances that can be authorized at once.
  */
@@ -13,13 +13,16 @@ export declare const MAX_ALLOWED_INSTANCES = 2;
  */
 export declare const MAX_ALLOWED_MARKERS = 2;
 /**
- * A generic not_authorized result.
+ * Gets the resources that need to be authorized when creating a resource with the given markers.
+ * @param markers The markers that will be placed on the resource.
  */
-export declare const NOT_AUTHORIZED_RESULT: Omit<AuthorizeDenied, 'reason'>;
+export declare function getMarkerResourcesForCreation(markers: string[]): ResourceInfo[];
 /**
- * A not_authorized result that indicates too many instances were used.
+ * Gets the resources that need to be authorized when updating a resource with the given markers.
+ * @param existingMarkers The markers that already exist on the resource.
+ * @param newMarkers The markers that will replace the existing markers. If null, then no markers will be added or removed.
  */
-export declare const NOT_AUTHORIZED_TO_MANY_INSTANCES_RESULT: AuthorizeResult;
+export declare function getMarkerResourcesForUpdate(existingMarkers: string[], newMarkers: string[]): ResourceInfo[];
 /**
  * Defines a class that is able to calculate the policies and permissions that are allowed for specific actions.
  */
@@ -33,21 +36,70 @@ export declare class PolicyController {
      * @param request The request that will be authorized.
      * @returns The authorization context that will be used to evaluate whether the request is authorized.
      */
-    constructAuthorizationContext(request: Omit<AuthorizeRequestBase, 'action'>): Promise<ConstructAuthorizationContextResult>;
+    constructAuthorizationContext(request: ConstructAuthorizationContextRequest): Promise<ConstructAuthorizationContextResult>;
     /**
-     * Attempts to authorize the given request.
-     * Returns a promise that resolves with information about the security properties of the request.
+     * Attempts to authorize the given user and instances for the action and resource(s).
      * @param context The authorization context for the request.
      * @param request The request.
      */
-    authorizeRequest(request: AuthorizeRequest): Promise<AuthorizeResult>;
+    authorizeUserAndInstances(context: AuthorizationContext, request: AuthorizeUserAndInstancesRequest): Promise<AuthorizeUserAndInstancesResult>;
     /**
-     * Attempts to authorize the given request.
-     * Returns a promise that resolves with information about the security properties of the request.
+     * Attempts to authorize the given user and instances for the given resources.
      * @param context The authorization context for the request.
      * @param request The request.
      */
-    authorizeRequestUsingContext(context: AuthorizationContext, request: AuthorizeRequest): Promise<AuthorizeResult>;
+    authorizeUserAndInstancesForResources(context: AuthorizationContext, request: AuthorizeUserAndInstancesForResources): Promise<AuthorizeUserAndInstancesForResourcesResult>;
+    /**
+     * Attempts to authorize the given subjects for the action and resource(s).
+     * @param context The authorization context for the request.
+     * @param request The request.
+     */
+    authorizeSubjects(context: AuthorizationContext, request: AuthorizeSubjectsRequest): Promise<AuthorizeSubjectsResult>;
+    /**
+     * Attempts to authorize the given subject for the action and resource(s).
+     * Returns a promise that resolves with information about the security properties of the request.
+     * @param context The context for the request.
+     * @param request The request to authorize.
+     */
+    authorizeSubject(context: ConstructAuthorizationContextResult, request: AuthorizeSubjectRequest): Promise<AuthorizeSubjectResult>;
+    /**
+     * Attempts to authorize the given subject for the action and resource(s).
+     * Returns a promise that resolves with information about the security properties of the request.
+     * @param context The context for the request.
+     * @param request The request to authorize.
+     */
+    authorizeSubjectUsingContext(context: AuthorizationContext, request: AuthorizeSubjectRequest): Promise<AuthorizeSubjectResult>;
+    /**
+     * Attempts to authorize the given subject for the action and resource(s).
+     * Returns a promise that resolves with information about the security properties of the request.
+     * @param context The context for the request.
+     * @param request The request to authorize.
+     */
+    private _authorizeSubjectUsingContext;
+    /**
+     * Gets the list of permissions in the given record.
+     * @param recordKeyOrRecordName The name of the record.
+     * @param userId The ID of the currently logged in user.
+     * @param instances The instances that are loaded.
+     */
+    listPermissions(recordKeyOrRecordName: string, userId: string, instances?: string[] | null): Promise<ListPermissionsResult>;
+    /**
+     * Gets the list of permissions that have been assigned to the given marker.
+     * @param recordKeyOrRecordName The name of the record.
+     * @param marker The marker that the permissions should be listed for.
+     * @param userId The ID of the currently logged in user.
+     * @param instances The instances that are loaded.
+     */
+    listPermissionsForMarker(recordKeyOrRecordName: string, marker: string, userId: string, instances?: string[] | null): Promise<ListPermissionsForMarkerResult>;
+    /**
+     * Gets the list of permissions that have been assigned to the given marker.
+     * @param recordKeyOrRecordName The name of the record.
+     * @param resourceKind The kind of the resource.
+     * @param resourceId The ID of the resource.
+     * @param userId The ID of the currently logged in user.
+     * @param instances The instances that are loaded.
+     */
+    listPermissionsForResource(recordKeyOrRecordName: string, resourceKind: ResourceKinds, resourceId: string, userId: string, instances?: string[] | null): Promise<ListPermissionsForResourceResult>;
     /**
      * Attempts to grant a permission to a marker.
      * @param request The request for the operation.
@@ -59,21 +111,20 @@ export declare class PolicyController {
      */
     revokeMarkerPermission(request: RevokeMarkerPermissionRequest): Promise<RevokeMarkerPermissionResult>;
     /**
-     * Attempts to read the policy for a marker.
-     * @param recordKeyOrRecordName The record key or record name.
-     * @param userId The ID of the user that is currently logged in.
-     * @param marker The marker.
-     * @param instances The instances that the request is being made from.
+     * Attempts to grant a permission to a resource.
+     * @param request The request.
      */
-    readUserPolicy(recordKeyOrRecordName: string, userId: string, marker: string, instances?: string[] | null): Promise<ReadUserPolicyResult>;
+    grantResourcePermission(request: GrantResourcePermissionRequest): Promise<GrantResourcePermissionResult>;
     /**
-     * Attempts to list the policies for a record.
-     * @param recordKeyOrRecordName The record key or the name of the record.
-     * @param userId The ID of the user that is currently logged in.
-     * @param startingMarker The marker that policies should be returned after.
-     * @param instances The instances that the request is being made from.
+     * Attempts to revoke a permission from a resource.
+     * @param request The request for the operation.
      */
-    listUserPolicies(recordKeyOrRecordName: string, userId: string, startingMarker: string | null, instances?: string[]): Promise<ListUserPoliciesResult>;
+    revokeResourcePermission(request: RevokeResourcePermissionRequest): Promise<RevokeResourcePermissionResult>;
+    /**
+     * Attempts to revoke the permission with the given ID.
+     * @param request The request for the operation.
+     */
+    revokePermission(request: RevokePermissionRequest): Promise<RevokePermissionResult>;
     /**
      * Attempts to list the roles that are assigned to a user.
      * @param recordKeyOrRecordName The record key or the name of the record.
@@ -122,127 +173,6 @@ export declare class PolicyController {
      * @param instances The instances that the request is being made from.
      */
     revokeRole(recordKeyOrRecordName: string, userId: string, request: RevokeRoleRequest, instances?: string[]): Promise<RevokeRoleResult>;
-    /**
-     * Attempts to authorize the given request.
-     * Returns a promise that resolves with information about the security properties of the request.
-     * @param context The authorization context for the request.
-     * @param request The request.
-     */
-    private _authorizeRequestUsingContext;
-    private _authorizeDataCreateRequest;
-    /**
-     * Authorizes the given subject for data.create requests.
-     *
-     * @param context The context for the authorization.
-     * @param subjectType The type of subject that is being authorized.
-     * @param id The ID of the subject.
-     * @returns The authorization that approves the subject for the request. Null if the subject is not authorized.
-     */
-    private _authorizeCreateData;
-    private _authorizeDataReadRequest;
-    private _authorizeDataRead;
-    private _authorizeDataUpdateRequest;
-    private _authorizeDataUpdate;
-    private _authorizeDataDeleteRequest;
-    private _authorizeDataDelete;
-    private _authorizeDataListRequest;
-    private _authorizeDataList;
-    private _authorizeFileCreateRequest;
-    private _authorizeFileCreate;
-    private _authorizeFileReadRequest;
-    private _authorizeFileRead;
-    private _authorizeFileListRequest;
-    private _authorizeFileList;
-    private _authorizeFileUpdateRequest;
-    private _authorizeFileUpdate;
-    private _authorizeFileDeleteRequest;
-    private _authorizeFileDelete;
-    private _authorizeEventCountRequest;
-    private _authorizeEventCount;
-    private _authorizeEventIncrementRequest;
-    private _authorizeEventIncrement;
-    private _authorizeEventUpdateRequest;
-    private _authorizeEventUpdate;
-    private _authorizeEventListRequest;
-    private _authorizeEventList;
-    private _authorizePolicyGrantPermissionRequest;
-    private _authorizePolicyGrantPermission;
-    private _authorizePolicyRevokePermissionRequest;
-    private _authorizePolicyRevokePermission;
-    private _authorizePolicyReadRequest;
-    private _authorizePolicyRead;
-    private _authorizePolicyListRequest;
-    private _authorizePolicyList;
-    private _authorizeRoleListRequest;
-    private _authorizeRoleList;
-    private _authorizeRoleReadRequest;
-    private _authorizeRoleRead;
-    private _authorizeRoleGrantRequest;
-    private _authorizeRoleGrant;
-    private _authorizeRoleRevokeRequest;
-    private _authorizeRoleRevoke;
-    private _authorizeInstCreateRequest;
-    /**
-     * Authorizes the given subject for inst.create requests.
-     *
-     * @param context The context for the authorization.
-     * @param subjectType The type of subject that is being authorized.
-     * @param id The ID of the subject.
-     * @returns The authorization that approves the subject for the request. Null if the subject is not authorized.
-     */
-    private _authorizeCreateInst;
-    private _authorizeInstReadRequest;
-    private _authorizeInstRead;
-    private _authorizeInstUpdateRequest;
-    private _authorizeInstUpdate;
-    private _authorizeInstUpdateDataRequest;
-    private _authorizeInstUpdateData;
-    private _authorizeInstDeleteRequest;
-    private _authorizeInstDelete;
-    private _authorizeInstListRequest;
-    private _authorizeInstList;
-    private _authorizeInstSendActionRequest;
-    private _authorizeInstSendAction;
-    /**
-     * Attempts to authorize the given request based on common request properties.
-     *
-     * Evaluates the recordKey, userId, and instances with the given resource markers and authorize function.
-     * The given authorize function will be called with the User ID, and each inst and should return the authorization that should be used for each case.
-     * If it returns null, then the request is not authorized and will be rejected as such.
-     *
-     * @param context The context for the request.
-     * @param request The request that should be authorized.
-     * @param resourceMarkers The list of markers that need to be validated.
-     * @param authorize The function that should be used to authorize each subject in the request.
-     * @param skipInstanceChecksWhenValidRecordKeyIsProvided Whether or not to skip instance checks when a valid record key is provided.
-     * @param isListOperation Whether the request is a list operation.
-     */
-    private _authorizeRequest;
-    private _authorizeInstances;
-    private _listPermissionsForMarkers;
-    private _every;
-    private _some;
-    private _byType;
-    private _byData;
-    private _byFile;
-    private _byEvent;
-    private _byInst;
-    private _byRecordOwner;
-    private _byStudioRole;
-    private _byEveryoneRole;
-    private _byAdminRole;
-    private _bySubjectRole;
-    private _byUserRole;
-    private _byInstRole;
-    private _byRole;
-    private _byPolicy;
-    private _byRolePermission;
-    private _byRoleGrant;
-    private _byRoleRevoke;
-    private _byPolicyList;
-    private _byRoleList;
-    private _testRegex;
-    private _findPermissionByFilter;
 }
 /**
  * Determines if any markers will be remaining after the removal and addition of the specified markers.
@@ -251,24 +181,10 @@ export declare class PolicyController {
  * @param addedMarkers The markers that will be added.
  */
 export declare function willMarkersBeRemaining(existingMarkers: string[], removedMarkers: string[] | null, addedMarkers: string[] | null): boolean;
-export declare function returnAuthorizationResult(a: AuthorizeDenied): {
-    success: false;
-    errorCode: Exclude<AuthorizeDenied['errorCode'], 'action_not_supported'>;
-    errorMessage: AuthorizeDenied['errorMessage'];
-} & Omit<AuthorizeDenied, 'allowed'>;
 /**
- * Merges the permissions from the given marker policies and filters out any permissions that are not allowed according to
- * the privacy settings of the record owner and the user.
- * @param markerPolicies The marker policies that should be merged.
+ * Gets a simple human readable explaination for the given permission assignment.
  */
-export declare function filterAndMergeMarkerPermissions(markerPolicies: {
-    marker: string;
-    result: ListMarkerPoliciesResult;
-}[]): MarkerPermission[];
-export interface MarkerPermission {
-    marker: string;
-    permissions: PossiblePermission[];
-}
+export declare function explainationForPermissionAssignment(subjectType: SubjectType, permissionAssignment: MarkerPermissionAssignment | ResourcePermissionAssignment): string;
 export type ConstructAuthorizationContextResult = ConstructAuthorizationContextSuccess | ConstructAuthorizationContextFailure;
 export interface ConstructAuthorizationContextSuccess {
     success: true;
@@ -287,506 +203,32 @@ export interface AuthorizationContext {
     recordStudioId: string;
     recordStudioMembers?: ListedStudioAssignment[];
     subjectPolicy: PublicRecordKeyPolicy;
-}
-export interface RolesContext<T extends AuthorizeRequestBase> extends AuthorizationContext {
-    userRoles: Set<string> | null;
-    instRoles: {
-        [inst: string]: Set<string>;
-    };
-    markers: MarkerPermission[];
-    request: T;
-    allowedDataItems?: ListedDataItem[];
-    allowedFileItems?: ListedFileItem[];
-    allowedEventItems?: ListedEventItem[];
-    allowedInstItems?: ListedInstItem[];
-}
-interface PossiblePermission {
-    policy: PolicyDocument;
-    permission: AvailablePermissions;
-}
-export type AuthorizeRequest = AuthorizeDataCreateRequest | AuthorizeReadDataRequest | AuthorizeUpdateDataRequest | AuthorizeDeleteDataRequest | AuthorizeListDataRequest | AuthorizeCreateFileRequest | AuthorizeReadFileRequest | AuthorizeListFileRequest | AuthorizeUpdateFileRequest | AuthorizeDeleteFileRequest | AuthorizeCountEventRequest | AuthorizeIncrementEventRequest | AuthorizeUpdateEventRequest | AuthorizeListEventRequest | AuthorizeGrantPermissionToPolicyRequest | AuthorizeRevokePermissionToPolicyRequest | AuthorizeReadPolicyRequest | AuthorizeListPoliciesRequest | AuthorizeListRolesRequest | AuthorizeReadRoleRequest | AuthorizeGrantRoleRequest | AuthorizeRevokeRoleRequest | AuthorizeInstCreateRequest | AuthorizeInstDeleteRequest | AuthorizeInstReadRequest | AuthorizeInstUpdateDataRequest | AuthorizeInstUpdateRequest | AuthorizeInstListRequest | AuthorizeInstSendActionListRequest;
-export interface AuthorizeRequestBase {
-    /**
-     * The record key that should be used or the name of the record that the request is being authorized for.
-     */
-    recordKeyOrRecordName: string;
-    /**
-     * The type of the action that is being authorized.
-     */
-    action: string;
-    /**
-     * The ID of the user that is currently logged in.
-     */
-    userId?: string | null;
-    /**
-     * The instances that the request is being made from.
-     */
-    instances?: string[] | null;
-}
-export interface AuthorizeDataCreateRequest extends AuthorizeRequestBase {
-    action: 'data.create';
-    /**
-     * The address that the new record will be placed at.
-     */
-    address: string;
-    /**
-     * The list of resource markers that should be applied to the data.
-     */
-    resourceMarkers: string[];
-}
-export interface AuthorizeReadDataRequest extends AuthorizeRequestBase {
-    action: 'data.read';
-    /**
-     * The address that the record is placed at.
-     */
-    address: string;
-    /**
-     * The list of resource markers that are applied to the data.
-     */
-    resourceMarkers: string[];
-}
-export interface AuthorizeUpdateDataRequest extends AuthorizeRequestBase {
-    action: 'data.update';
-    /**
-     * The address that the record is placed at.
-     */
-    address: string;
-    /**
-     * The list of resource markers that are applied to the data.
-     */
-    existingMarkers: string[];
-    /**
-     * The new resource markers that will be added to the data.
-     * If omitted, then no markers are being added to the data.
-     */
-    addedMarkers?: string[];
-    /**
-     * The markers that will be removed from the data.
-     * If omitted, then no markers are being removed from the data.
-     */
-    removedMarkers?: string[];
-}
-export interface AuthorizeDeleteDataRequest extends AuthorizeRequestBase {
-    action: 'data.delete';
-    /**
-     * The address that the record is placed at.
-     */
-    address: string;
-    /**
-     * The list of resource markers that are applied to the data.
-     */
-    resourceMarkers: string[];
-}
-export interface AuthorizeListDataRequest extends AuthorizeRequestBase {
-    action: 'data.list';
-    /**
-     * The list of items that should be filtered.
-     */
-    dataItems: ListedDataItem[];
-}
-export interface AuthorizeFileRequest extends AuthorizeRequestBase {
-    /**
-     * The size of the file that is being created in bytes.
-     */
-    fileSizeInBytes: number;
-    /**
-     * The MIME Type of the file.
-     */
-    fileMimeType: string;
-}
-export interface AuthorizeCreateFileRequest extends AuthorizeFileRequest {
-    action: 'file.create';
-    /**
-     * The list of resource markers that should be applied to the file.
-     */
-    resourceMarkers: string[];
-}
-export interface AuthorizeReadFileRequest extends AuthorizeFileRequest {
-    action: 'file.read';
-    /**
-     * The list of resource markers that are applied to the file.
-     */
-    resourceMarkers: string[];
-}
-export interface AuthorizeListFileRequest extends AuthorizeRequestBase {
-    action: 'file.list';
-    /**
-     * The list of items that should be filtered.
-     */
-    fileItems: ListedFileItem[];
-}
-export interface AuthorizeUpdateFileRequest extends AuthorizeFileRequest {
-    action: 'file.update';
-    /**
-     * The list of resource markers that are applied to the file.
-     */
-    existingMarkers: string[];
-    /**
-     * The new resource markers that will be added to the file.
-     * If omitted, then no markers are being added to the file.
-     */
-    addedMarkers?: string[];
-    /**
-     * The markers that will be removed from the file.
-     * If omitted, then no markers are being removed from the file.
-     */
-    removedMarkers?: string[];
-}
-export interface AuthorizeDeleteFileRequest extends AuthorizeFileRequest {
-    action: 'file.delete';
-    /**
-     * The list of resource markers that are applied to the file.
-     */
-    resourceMarkers: string[];
-}
-export interface AuthorizeEventRequest extends AuthorizeRequestBase {
-    /**
-     * The name of the event.
-     */
-    eventName: string;
-}
-export interface AuthorizeCountEventRequest extends AuthorizeEventRequest {
-    action: 'event.count';
-    /**
-     * The list of resource markers that are applied to the event.
-     */
-    resourceMarkers: string[];
-}
-export interface AuthorizeIncrementEventRequest extends AuthorizeEventRequest {
-    action: 'event.increment';
-    /**
-     * The list of resource markers that are applied to the event.
-     */
-    resourceMarkers: string[];
-}
-export interface AuthorizeUpdateEventRequest extends AuthorizeEventRequest {
-    action: 'event.update';
-    /**
-     * The list of resource markers that are applied to the event.
-     */
-    existingMarkers: string[];
-    /**
-     * The new resource markers that will be added to the event.
-     * If omitted, then no markers are being added to the event.
-     */
-    addedMarkers?: string[];
-    /**
-     * The markers that will be removed from the event.
-     * If omitted, then no markers are being removed from the event.
-     */
-    removedMarkers?: string[];
-}
-export interface AuthorizeListEventRequest extends AuthorizeRequestBase {
-    action: 'event.list';
-    /**
-     * The list of items that should be filtered.
-     */
-    eventItems: ListedEventItem[];
-}
-export interface AuthorizePolicyRequest extends AuthorizeRequestBase {
-    /**
-     * The name of the policy.
-     */
-    policy: string;
-}
-export interface AuthorizeGrantPermissionToPolicyRequest extends AuthorizePolicyRequest {
-    action: 'policy.grantPermission';
-}
-export interface AuthorizeRevokePermissionToPolicyRequest extends AuthorizePolicyRequest {
-    action: 'policy.revokePermission';
-}
-export interface AuthorizeReadPolicyRequest extends AuthorizePolicyRequest {
-    action: 'policy.read';
-}
-export interface AuthorizeListPoliciesRequest extends Omit<AuthorizePolicyRequest, 'policy'> {
-    action: 'policy.list';
-}
-export interface AuthorizeRoleRequest extends AuthorizeRequestBase {
-    /**
-     * The name of the role.
-     */
-    role: string;
-}
-export interface AuthorizeListRolesRequest extends Omit<AuthorizeRoleRequest, 'role'> {
-    action: 'role.list';
-}
-export interface AuthorizeReadRoleRequest extends AuthorizeRoleRequest {
-    action: 'role.read';
-}
-export interface AuthorizeGrantRoleRequest extends AuthorizeRoleRequest {
-    action: 'role.grant';
-    /**
-     * The ID of the user that the role should be granted to.
-     */
-    targetUserId?: string;
-    /**
-     * The inst that the role should be granted to.
-     */
-    targetInstance?: string;
-    /**
-     * The time that the grant will expire.
-     * If omitted, then the grant will never expire.
-     */
-    expireTimeMs?: number | null;
-}
-export interface AuthorizeRevokeRoleRequest extends AuthorizeRoleRequest {
-    action: 'role.revoke';
-    /**
-     * The ID of the user that the role should be granted to.
-     */
-    targetUserId?: string;
-    /**
-     * The inst that the role should be granted to.
-     */
-    targetInstance?: string;
-}
-export interface AuthorizeInstRequest extends AuthorizeRequestBase {
-    /**
-     * The inst that the request is being made for.
-     */
-    inst: string;
-    /**
-     * The list of resource markers that are applied to the inst.
-     */
-    resourceMarkers: string[];
-}
-export interface AuthorizeInstCreateRequest extends AuthorizeInstRequest {
-    action: 'inst.create';
-}
-export interface AuthorizeInstDeleteRequest extends AuthorizeInstRequest {
-    action: 'inst.delete';
-}
-export interface AuthorizeInstUpdateRequest extends AuthorizeRequestBase {
-    action: 'inst.update';
-    /**
-     * The inst that the request is being made for.
-     */
-    inst: string;
-    /**
-     * The list of resource markers that are applied to the inst.
-     */
-    existingMarkers: string[];
-    /**
-     * The new resource markers that will be added to the inst.
-     * If omitted, then no markers are being added to the inst.
-     */
-    addedMarkers?: string[];
-    /**
-     * The markers that will be removed from the inst.
-     * If omitted, then no markers are being removed from the inst.
-     */
-    removedMarkers?: string[];
-}
-export interface AuthorizeInstUpdateDataRequest extends AuthorizeInstRequest {
-    action: 'inst.updateData';
-}
-export interface AuthorizeInstReadRequest extends AuthorizeInstRequest {
-    action: 'inst.read';
-}
-export interface AuthorizeInstListRequest extends AuthorizeRequestBase {
-    action: 'inst.list';
-    /**
-     * The list of insts.
-     */
-    insts: ListedInstItem[];
-}
-export interface AuthorizeInstSendActionListRequest extends AuthorizeInstRequest {
-    action: 'inst.sendAction';
-}
-export interface ListedDataItem {
-    /**
-     * The address of the item.
-     */
-    address: string;
-    /**
-     * The list of markers for the item.
-     */
-    markers: string[];
-}
-export interface ListedFileItem {
-    /**
-     * The name of the file.
-     */
-    fileName: string;
-    /**
-     * The MIME type of the file.
-     */
-    fileMimeType: string;
-    /**
-     * The size of the file in bytes.
-     */
-    fileSizeInBytes: number;
-    /**
-     * The list of markers for the item.
-     */
-    markers: string[];
-}
-export interface ListedEventItem {
-    /**
-     * The name of the event.
-     */
-    eventName: string;
-    /**
-     * The list of markers for the item.
-     */
-    markers: string[];
-}
-export interface ListedInstItem {
-    /**
-     * The name of the inst.
-     */
-    inst: string;
-    /**
-     * The markers that are applied to the inst.
-     */
-    markers: string[];
-}
-export type AuthorizeResult = AuthorizeAllowed | AuthorizeDenied;
-export interface AuthorizeAllowed {
-    allowed: true;
-    /**
-     * The name of the record that the request should be for.
-     */
-    recordName: string;
-    /**
-     * The ID of the owner of the record key.
-     * Null if no record key was provided.
-     */
-    recordKeyOwnerId: string | null;
-    /**
-     * The ID of the user who (directly or indirectly) authorized the request.
-     * If a valid record key was provided, then this is the ID of the owner of the record key.
-     * If only a user ID was provided, then this is the ID of the user who is logged in.
-     * If no one was logged in, then this is null.
-     */
-    authorizerId: string | null;
-    /**
-     * The authorization information about the subject.
-     */
-    subject: SubjectAuthorization;
-    /**
-     * The authorization information about the instances.
-     */
-    instances: InstEnvironmentAuthorization[];
-    /**
-     * The list of allowed data items.
-     */
-    allowedDataItems?: ListedDataItem[];
-    /**
-     * The list of allowed file items.
-     */
-    allowedFileItems?: ListedFileItem[];
-    /**
-     * The list of allowed event items.
-     */
-    allowedEventItems?: ListedEventItem[];
-    /**
-     * The list of allowed inst items.
-     */
-    allowedInstItems?: ListedInstItem[];
-}
-export type GenericResult = GenericAllowed | GenericDenied;
-export interface GenericAllowed {
-    success: true;
-    authorization: GenericAuthorization;
-}
-export interface GenericDenied {
-    success: false;
-    reason: DenialReason;
-}
-export interface GenericAuthorization {
-    /**
-     * The role that was selected for authorization.
-     *
-     * If true, then that indicates that the "everyone" role was used.
-     * If a string, then that is the name of the role that was used.
-     */
-    role: string | true;
-    /**
-     * The security markers that were evaluated.
-     */
-    markers: MarkerAuthorization[];
-}
-/**
- * Defines an interface that contains authorization information aboutthe subject that is party to an action.
- *
- * Generally, this includes information about the user and if they have the correct permissions for the action.
- */
-export interface SubjectAuthorization extends GenericAuthorization {
-    /**
-     * The ID of the user that was authorized.
-     * Null if no user ID was provided.
-     */
-    userId: string | null;
-    /**
-     * the policy that should be used for storage of subject information.
-     */
-    subjectPolicy: PublicRecordKeyPolicy;
-}
-/**
- * Defines an interface that represents the result of calculating whether a particular action is authorized for a particular marker.
- */
-export interface MarkerAuthorization {
     /**
-     * The marker that the authorization is for.
+     * The ID of the user who created the record key.
      */
-    marker: string;
+    recordKeyCreatorId: string;
     /**
-     * The actions that have been authorized for the marker.
+     * The privacy features of the user that owns the record.
      */
-    actions: ActionAuthorization[];
-}
-/**
- * Defines an interface that represents the result of calculating the policy and permission that grants a particular action.
- */
-export interface ActionAuthorization {
-    /**
-     * The action that was granted.
-     */
-    action: AvailablePermissions['type'];
-    /**
-     * The policy document that authorizes the action.
-     */
-    grantingPolicy: PolicyDocument;
-    /**
-     * The permission that authorizes the action to be performed.
-     */
-    grantingPermission: AvailablePermissions;
-}
-/**
- * Defines an interface that contains authorization information about the environment that is party to an action.
- *
- * Generally, this includes information about the inst that is triggering the operation.
- */
-export type InstEnvironmentAuthorization = AuthorizedInst | NotRequiredInst;
-export interface AuthorizedInst extends GenericAuthorization {
+    recordOwnerPrivacyFeatures: PrivacyFeatures;
     /**
-     * The type of authorization that this inst has received.
+     * The privacy features of the user that is currently logged in.
      */
-    authorizationType: 'allowed';
+    userPrivacyFeatures: PrivacyFeatures;
     /**
-     * The inst that was authorized.
-     */
-    inst: string;
-}
-export interface NotRequiredInst {
-    /**
-     * The inst that was authorized.
+     * The ID of the user that is currently logged in.
      */
-    inst: string;
+    userId: string;
+}
+export interface ConstructAuthorizationContextRequest {
     /**
-     * The type of authorization that this inst has received.
+     * The record key that should be used or the name of the record that the request is being authorized for.
      */
-    authorizationType: 'not_required';
-}
-export interface AuthorizeDenied {
-    allowed: false;
-    errorCode: ServerError | ValidatePublicRecordKeyFailure['errorCode'] | 'action_not_supported' | 'not_logged_in' | 'not_authorized' | SubscriptionLimitReached | 'unacceptable_request';
-    errorMessage: string;
+    recordKeyOrRecordName: string;
     /**
-     * The reason that the authorization was denied.
+     * The ID of the user that is currently logged in.
      */
-    reason?: DenialReason;
+    userId?: string | null;
 }
 export interface GrantMarkerPermissionRequest {
     recordKeyOrRecordName: string;
@@ -796,7 +238,7 @@ export interface GrantMarkerPermissionRequest {
     instances?: string[] | null;
 }
 /**
- * Defines the possible results of revoking a marker permission from a policy.
+ * Defines the possible results of granting a permission to a marker.
  *
  * @dochash types/records/policies
  * @doctitle Policy Types
@@ -831,21 +273,19 @@ export interface GrantMarkerPermissionFailure {
     /**
      * The error code that indicates why the request failed.
      */
-    errorCode: ServerError | AuthorizeDenied['errorCode'] | UpdateUserPolicyFailure['errorCode'];
+    errorCode: ServerError | ConstructAuthorizationContextFailure['errorCode'] | AuthorizeSubjectFailure['errorCode'] | AssignPermissionToSubjectAndMarkerFailure['errorCode'];
     /**
      * The error message that indicates why the request failed.
      */
     errorMessage: string;
 }
 export interface RevokeMarkerPermissionRequest {
-    recordKeyOrRecordName: string;
+    permissionId: string;
     userId: string;
-    marker: string;
-    permission: AvailablePermissions;
     instances?: string[] | null;
 }
 /**
- * Defines the possible results of revoking a marker permission from a policy.
+ * Defines the possible results of revoking a permission from a marker.
  *
  * @dochash types/records/policies
  * @docgroup 02-revoke
@@ -854,7 +294,7 @@ export interface RevokeMarkerPermissionRequest {
  */
 export type RevokeMarkerPermissionResult = RevokeMarkerPermissionSuccess | RevokeMarkerPermissionFailure;
 /**
- * Defines an interface that represents a successful request to revoke a marker permission from a policy.
+ * Defines an interface that represents a successful request to revoke a permission from a marker.
  *
  * @dochash types/records/policies
  * @docgroup 02-revoke
@@ -865,7 +305,7 @@ export interface RevokeMarkerPermissionSuccess {
     success: true;
 }
 /**
- * Defines an interface that represents a failed request to revoke a marker permission from a policy.
+ * Defines an interface that represents a failed request to revoke a permission from a marker.
  *
  * @dochash types/records/policies
  * @docgroup 02-revoke
@@ -877,32 +317,141 @@ export interface RevokeMarkerPermissionFailure {
     /**
      * The error code that indicates why the request failed.
      */
-    errorCode: ServerError | AuthorizeDenied['errorCode'] | GetUserPolicyFailure['errorCode'] | UpdateUserPolicyFailure['errorCode'];
+    errorCode: ServerError | 'permission_not_found' | ConstructAuthorizationContextFailure['errorCode'] | AuthorizeSubjectFailure['errorCode'];
     /**
      * The error message that indicates why the request failed.
      */
     errorMessage: string;
 }
-export type ReadUserPolicyResult = ReadUserPolicySuccess | ReadUserPolicyFailure;
-export interface ReadUserPolicySuccess {
+export interface GrantResourcePermissionRequest {
+    recordKeyOrRecordName: string;
+    userId: string;
+    permission: AvailablePermissions;
+    instances?: string[] | null;
+}
+/**
+ * Defines the possible results of granting a permission to a resource.
+ *
+ * @dochash types/records/policies
+ * @docname GrantResourcePermissionResult
+ */
+export type GrantResourcePermissionResult = GrantResourcePermissionSuccess | GrantResourcePermissionFailure;
+/**
+ * Defines an interface that represents a successful request to grant a permission to a resource.
+ *
+ * @dochash types/records/policies
+ * @docgroup 01-grant
+ * @docorder 1
+ * @docname GrantResourcePermissionSuccess
+ */
+export interface GrantResourcePermissionSuccess {
+    success: true;
+}
+/**
+ * Defines an interface that represents a failed request to grant a permission to a resource.
+ *
+ * @dochash types/records/policies
+ * @docgroup 01-grant
+ * @docorder 2
+ * @docname GrantResourcePermissionFailure
+ */
+export interface GrantResourcePermissionFailure {
+    success: false;
+    /**
+     * The error code that indicates why the request failed.
+     */
+    errorCode: ServerError | ConstructAuthorizationContextFailure['errorCode'] | AuthorizeSubjectFailure['errorCode'] | AssignPermissionToSubjectAndMarkerFailure['errorCode'];
+    /**
+     * The error message that indicates why the request failed.
+     */
+    errorMessage: string;
+}
+export interface RevokeResourcePermissionRequest {
+    permissionId: string;
+    userId: string;
+    instances?: string[] | null;
+}
+/**
+ * Defines the possible results of revoking a resource permission.
+ *
+ * @dochash types/records/policies
+ * @docgroup 02-revoke
+ * @docorder 0
+ * @docname RevokeResourcePermissionResult
+ */
+export type RevokeResourcePermissionResult = RevokeResourcePermissionSuccess | RevokeResourcePermissionFailure;
+/**
+ * Defines an interface that represents a successful request to revoke a permission from a resource.
+ *
+ * @dochash types/records/policies
+ * @docgroup 02-revoke
+ * @docorder 1
+ * @docname RevokeResourcePermissionSuccess
+ */
+export interface RevokeResourcePermissionSuccess {
     success: true;
-    document: PolicyDocument;
-    markers: string[];
 }
-export interface ReadUserPolicyFailure {
+/**
+ * Defines an interface that represents a failed request to revoke a permission from a resource.
+ *
+ * @dochash types/records/policies
+ * @docgroup 02-revoke
+ * @docorder 2
+ * @docname RevokeResourcePermissionFailure
+ */
+export interface RevokeResourcePermissionFailure {
     success: false;
-    errorCode: ServerError | AuthorizeDenied['errorCode'] | GetUserPolicyFailure['errorCode'];
+    /**
+     * The error code that indicates why the request failed.
+     */
+    errorCode: ServerError | 'permission_not_found' | ConstructAuthorizationContextFailure['errorCode'] | AuthorizeSubjectFailure['errorCode'];
+    /**
+     * The error message that indicates why the request failed.
+     */
     errorMessage: string;
 }
-export type ListUserPoliciesResult = ListUserPoliciesSuccess | ListUserPoliciesFailure;
-export interface ListUserPoliciesSuccess {
+export interface RevokePermissionRequest {
+    permissionId: string;
+    userId: string;
+    instances?: string[] | null;
+}
+/**
+ * Defines the possible results of revoking a permission.
+ *
+ * @dochash types/records/policies
+ * @docgroup 02-revoke
+ * @docorder 0
+ * @docname RevokeMarkerPermissionResult
+ */
+export type RevokePermissionResult = RevokePermissionSuccess | RevokePermissionFailure;
+/**
+ * Defines an interface that represents a successful request to revoke a permission.
+ *
+ * @dochash types/records/policies
+ * @docgroup 02-revoke
+ * @docorder 1
+ * @docname RevokePermissionSuccess
+ */
+export interface RevokePermissionSuccess {
     success: true;
-    policies: ListedUserPolicy[];
-    totalCount: number;
 }
-export interface ListUserPoliciesFailure {
+/**
+ * Defines an interface that represents a failed request to revoke a permission.
+ *
+ * @dochash types/records/policies
+ * @docgroup 02-revoke
+ * @docorder 2
+ * @docname RevokePermissionFailure
+ */
+export interface RevokePermissionFailure {
     success: false;
-    errorCode: ServerError | AuthorizeDenied['errorCode'];
+    /**
+     * The error code that indicates why the request failed.
+     */
+    errorCode: ServerError | 'permission_not_found' | ConstructAuthorizationContextFailure['errorCode'] | AuthorizeSubjectFailure['errorCode'];
+    /**
+     * The error message that indicates why the request failed.
+     */
     errorMessage: string;
 }
 export type ListAssignedUserRolesResult = ListAssignedUserRolesSuccess | ListAssignedUserRolesFailure;
@@ -915,7 +464,7 @@ export interface ListAssignedUserRolesSuccess {
 }
 export interface ListAssignedUserRolesFailure {
     success: false;
-    errorCode: ServerError | AuthorizeDenied['errorCode'];
+    errorCode: ServerError | ConstructAuthorizationContextFailure['errorCode'] | AuthorizeSubjectFailure['errorCode'];
     errorMessage: string;
 }
 export type ListAssignedInstRolesResult = ListAssignedInstRolesSuccess | ListAssignedInstRolesFailure;
@@ -928,7 +477,7 @@ export interface ListAssignedInstRolesSuccess {
 }
 export interface ListAssignedInstRolesFailure {
     success: false;
-    errorCode: ServerError | AuthorizeDenied['errorCode'];
+    errorCode: ServerError | ConstructAuthorizationContextFailure['errorCode'] | AuthorizeSubjectFailure['errorCode'];
     errorMessage: string;
 }
 export type ListRoleAssignmentsResult = ListRoleAssignmentsSuccess | ListRoleAssignmentsFailure;
@@ -945,7 +494,7 @@ export interface ListRoleAssignmentsSuccess {
 }
 export interface ListRoleAssignmentsFailure {
     success: false;
-    errorCode: ServerError | NotSupportedError | AuthorizeDenied['errorCode'];
+    errorCode: ServerError | NotSupportedError | ConstructAuthorizationContextFailure['errorCode'] | AuthorizeSubjectFailure['errorCode'];
     errorMessage: string;
 }
 export interface GrantRoleRequest {
@@ -990,7 +539,7 @@ export interface GrantRoleFailure {
     /**
      * The error code that indicates why the request failed.
      */
-    errorCode: ServerError | AuthorizeDenied['errorCode'] | UpdateUserRolesFailure['errorCode'];
+    errorCode: ServerError | ConstructAuthorizationContextFailure['errorCode'] | AuthorizeSubjectFailure['errorCode'] | UpdateUserRolesFailure['errorCode'];
     /**
      * The error message that indicates why the request failed.
      */
@@ -1034,11 +583,297 @@ export interface RevokeRoleFailure {
     /**
      * The error code that indicates why the request failed.
      */
-    errorCode: ServerError | AuthorizeDenied['errorCode'] | UpdateUserRolesFailure['errorCode'];
+    errorCode: ServerError | ConstructAuthorizationContextFailure['errorCode'] | AuthorizeSubjectFailure['errorCode'] | UpdateUserRolesFailure['errorCode'];
     /**
      * The error message that indicates why the request failed.
      */
     errorMessage: string;
 }
-export {};
+export interface ResourceInfo {
+    /**
+     * The kind of the resource.
+     */
+    resourceKind: ResourceKinds;
+    /**
+     * The ID of the resource.
+     */
+    resourceId: string;
+    /**
+     * The kind of the action.
+     */
+    action: ActionKinds;
+    /**
+     * The markers that are applied to the resource.
+     */
+    markers: string[];
+}
+export interface AuthorizeSubject {
+    /**
+     * The type of the subject that should be authorized.
+     */
+    subjectType: SubjectType;
+    /**
+     * The ID of the subject that should be authorized.
+     */
+    subjectId: string | null;
+}
+export interface AuthorizeUserAndInstancesRequest {
+    /**
+     * The ID of the user that should be authorized.
+     */
+    userId: string;
+    /**
+     * The instances that should be authorized.
+     */
+    instances: string[];
+    /**
+     * The kind of resource that the action is being performed on.
+     */
+    resourceKind: ResourceKinds;
+    /**
+     * The kind of the action.
+     */
+    action: ActionKinds;
+    /**
+     * The ID of the resource.
+     * Should be omitted if the action is "list".
+     */
+    resourceId?: string;
+    /**
+     * The markers that are applied to the resource.
+     */
+    markers: string[];
+}
+export type AuthorizeUserAndInstancesResult = AuthorizeUserAndInstancesSuccess | AuthorizeSubjectFailure;
+export interface AuthorizeUserAndInstancesSuccess {
+    success: true;
+    recordName: string;
+    /**
+     * The permission that authorizes the user to perform the request.
+     */
+    user: AuthorizedSubject;
+    /**
+     * The results for each subject.
+     */
+    results: AuthorizedSubject[];
+}
+export interface AuthorizeUserAndInstancesForResources {
+    /**
+     * The ID of the user that should be authorized.
+     */
+    userId: string;
+    /**
+     * The instances that should be authorized.
+     */
+    instances: string[];
+    /**
+     * The resources that should be authorized.
+     */
+    resources: ResourceInfo[];
+}
+export type AuthorizeUserAndInstancesForResourcesResult = AuthorizeUserAndInstancesForResourcesSuccess | AuthorizeSubjectFailure;
+export interface AuthorizeUserAndInstancesForResourcesSuccess {
+    success: true;
+    recordName: string;
+    results: AuthorizedResource[];
+}
+export interface AuthorizedResource extends ResourceInfo, AuthorizeUserAndInstancesSuccess {
+}
+export interface AuthorizeSubjectsRequest {
+    /**
+     * The list of subjects that should be authorized.
+     */
+    subjects: AuthorizeSubject[];
+    /**
+     * The kind of resource that the action is being performed on.
+     */
+    resourceKind: ResourceKinds;
+    /**
+     * The kind of the action.
+     */
+    action: ActionKinds;
+    /**
+     * The ID of the resource.
+     * Should be omitted if the action is "list".
+     */
+    resourceId?: string;
+    /**
+     * The markers that are applied to the resource.
+     */
+    markers: string[];
+}
+export interface AuthorizeSubjectRequest {
+    /**
+     * The type of the subject that should be authorized.
+     */
+    subjectType: SubjectType;
+    /**
+     * The ID of the subject that should be authorized.
+     */
+    subjectId: string | null;
+    /**
+     * The kind of resource that the action is being performed on.
+     */
+    resourceKind: ResourceKinds;
+    /**
+     * The kind of the action.
+     */
+    action: ActionKinds;
+    /**
+     * The ID of the resource.
+     * Should be omitted if the action is "list".
+     */
+    resourceId?: string;
+    /**
+     * The markers that are applied to the resource.
+     */
+    markers: string[];
+}
+export type AuthorizeSubjectsResult = AuthorizeSubjectsSuccess | AuthorizeSubjectFailure;
+export interface AuthorizeSubjectsSuccess {
+    success: true;
+    recordName: string;
+    /**
+     * The results for each subject.
+     */
+    results: AuthorizedSubject[];
+}
+export type AuthorizeSubjectResult = AuthorizeSubjectSuccess | AuthorizeSubjectFailure;
+export interface AuthorizeSubjectSuccess {
+    success: true;
+    /**
+     * The name of the record that the action should be for.
+     */
+    recordName: string;
+    /**
+     * The permission that authorizes the request.
+     */
+    permission: MarkerPermissionAssignment | ResourcePermissionAssignment;
+    /**
+     * The explaination for the authorization.
+     */
+    explanation: string;
+}
+export interface AuthorizedSubject extends AuthorizeSubjectSuccess {
+    /**
+     * The type of the subject that was authorized.
+     */
+    subjectType: SubjectType;
+    /**
+     * The ID of the subject that was authorized.
+     */
+    subjectId: string;
+}
+export interface AuthorizeSubjectFailure {
+    success: false;
+    /**
+     * The error code that occurred.
+     */
+    errorCode: ServerError | ValidatePublicRecordKeyFailure['errorCode'] | 'action_not_supported' | 'not_logged_in' | 'not_authorized' | SubscriptionLimitReached | 'unacceptable_request';
+    /**
+     * The error message that occurred.
+     */
+    errorMessage: string;
+    /**
+     * The denial reason.
+     */
+    reason?: DenialReason;
+}
+export type ListPermissionsResult = ListPermissionsSuccess | ListPermissionsFailure;
+export interface ListPermissionsSuccess {
+    success: true;
+    recordName: string;
+    resourcePermissions: ListedResourcePermission[];
+    markerPermissions: ListedMarkerPermission[];
+}
+export interface ListPermissionsFailure {
+    success: false;
+    errorCode: ServerError | ValidatePublicRecordKeyFailure['errorCode'] | AuthorizeSubjectFailure['errorCode'];
+    errorMessage: string;
+}
+export type ListPermissionsForMarkerResult = ListPermissionsForMarkerSuccess | ListPermissionsFailure;
+export interface ListPermissionsForMarkerSuccess {
+    success: true;
+    recordName: string;
+    markerPermissions: ListedMarkerPermission[];
+}
+export type ListPermissionsForResourceResult = ListPermissionsForResourceSuccess | ListPermissionsFailure;
+export interface ListPermissionsForResourceSuccess {
+    success: true;
+    recordName: string;
+    resourcePermissions: ListedResourcePermission[];
+}
+/**
+ * Defines an interface that represents a permission that grants access.
+ */
+export interface ListedPermission {
+    /**
+     * The ID of the permission.
+     */
+    id: string;
+    /**
+     * The name of the record.
+     */
+    recordName: string;
+    /**
+     * The kind of the actions that the subject is allowed to perform.
+     * Null if the subject is allowed to perform any action.
+     */
+    action: ActionKinds | null;
+    /**
+     * The options for the permission assignment.
+     */
+    options: PermissionOptions;
+    /**
+     * The ID of the subject.
+     */
+    subjectId: string;
+    /**
+     * The type of the subject.
+     */
+    subjectType: SubjectType;
+    /**
+     * The ID of the user that the assignment grants permission to.
+     * Null if the subject type is not "user".
+     */
+    userId: string | null;
+    /**
+     * The time that the permission expires.
+     * Null if the permission never expires.
+     */
+    expireTimeMs: number | null;
+}
+/**
+ * Defines an interface that represents a permission that grants access to a single resource.
+ *
+ * @dochash types/permissions
+ * @docname ResourcePermission
+ */
+export interface ListedResourcePermission extends ListedPermission {
+    /**
+     * The kind of the resource.
+     */
+    resourceKind: ResourceKinds;
+    /**
+     * The ID of the resource.
+     */
+    resourceId: string;
+}
+/**
+ * Defines an interface that represents a permission that grants access to resources with a marker.
+ *
+ * @dochash types/permissions
+ * @docname MarkerPermission
+ */
+export interface ListedMarkerPermission extends ListedPermission {
+    /**
+     * The marker that the permission applies to.
+     */
+    marker: string;
+    /**
+     * The kind of the resource.
+     * Null if the permission applies to all resources.
+     */
+    resourceKind: ResourceKinds | null;
+}
 //# sourceMappingURL=PolicyController.d.ts.map