From indykite-skills
Make a single KBAC authorization decision via the IndyKite AuthZEN REST API (`POST /access/v1/evaluation`) - returns a boolean `decision` for one (subject, action, resource) triple, optionally with per-request `context.input_params`. Use for a single yes/no question - "can ada PROVISION gpu-node-7?", "is this user allowed to delete this document?", "gate this operation on a live check", or debugging why one decision is false. Not for many checks at once (use indykite-authzen-evaluations), not for enumerating which actions/resources/subjects are allowed (use indykite-authzen-search-action / -search-resource / -search-subject), and not for authoring the policy behind the decision (use indykite-authzen-kbac). For the same decision over MCP/JSON-RPC see indykite-mcp-server (`authzen_evaluate`).
Slash command: /indykite-skills:indykite-authzen-evaluation
A KBAC decision asks the AuthZEN endpoint one question - *may this subject perform this action on this resource?* - and gets back a boolean `decision`. The decision is rendered by evaluating the project's currently ACTIVE `2.0-kbac` policies against the IKG.
This skill covers making that single decision: framing the (subject, action, resource, context) request, sending it, and reading the boolean. It does not author policies - the policy whose subject / actions / resource / condition.cypher the decision is evaluated against is authored with indykite-authzen-kbac.
It is the single-call member of the AuthZEN family:
| Need | Endpoint | Skill |
|---|---|---|
| One yes/no decision | /access/v1/evaluation | this skill |
| Many decisions at once | /access/v1/evaluations | indykite-authzen-evaluations |
| Actions a subject may perform on a resource | /access/v1/search/action | indykite-authzen-search-action |
| Resources a subject may act on, given an action | /access/v1/search/resource | indykite-authzen-search-resource |
| Subjects allowed an action on a resource | /access/v1/search/subject | indykite-authzen-search-subject |
| Author / manage the KBAC policy | Config API | indykite-authzen-kbac |
Activate this skill when the user wants to:
- ada PROVISION the server gpu-node-7 within a budget of 120000?");
- true or false.

Do not activate this skill to author or modify the policy behind the decision (indykite-authzen-kbac), to make many decisions in one call (indykite-authzen-evaluations), to enumerate the allowed actions/resources/subjects rather than test one triple (the search skills -search-action / -search-resource / -search-subject), or to return or modify graph data (a decision is yes/no, not a data read or write).
- subject.type / actions / resource.type cover the triple. If none exist, author them first with indykite-authzen-kbac; a decision with no matching policy is simply false.
- X-IK-ClientKey value).
- context.input_params.

If a prerequisite is missing, say so - fixing it first is far cheaper than debugging an opaque false decision.
Pin the three parts of the question, plus any per-request values:
| Part | Field | Example |
|---|---|---|
| subject | subject.type + subject.id | Person / ada |
| action | action.name | PROVISION |
| resource | resource.type + resource.id | Server / gpu-node-7 |
| context | context.input_params | { "max_price": 120000 } |
subject.id / resource.id are the nodes' external_ids; action.name is case-sensitive.
```json
{
  "subject": { "type": "Person", "id": "ada" },
  "resource": { "type": "Server", "id": "gpu-node-7" },
  "action": { "name": "PROVISION" },
  "context": { "input_params": { "max_price": 120000 } }
}
```
Supply context.input_params only when the matched policy's condition references a $name partial parameter; write each key without the leading $, keeping its type (numbers stay numbers). A ready body: assets/evaluation-provision-server.json.
```
POST <API_URL>/access/v1/evaluation
```

Authentication:

- X-IK-ClientKey: <AppAgent-credentials-token> - authenticates the calling application.
- Authorization: Bearer <user-access-token> - applies only in some cases (e.g. a condition references a token claim/scope); not required otherwise.

A runnable shell helper: scripts/evaluate.sh — run with --print to preview the curl (host-pinned; tokens redacted).

```json
{ "decision": true }
```
true means at least one ACTIVE policy granted the (subject, action, resource) triple with its condition satisfied. false means no policy granted it - either no policy matched the triple, or the matching policy's condition did not hold for the supplied input_params and graph data. A false decision is a normal 200, not an error.
If the decision is not what you expected, walk this checklist before changing anything:
- subject.type, action.name, and resource.type must match the policy's subject.type, actions, and resource.type exactly (case-sensitive verbs).
- subject / resource? The condition binds the request's subject/resource only through those reserved names.
- external_ids? subject.id / resource.id are matched against node external_id. A wrong id silently matches nothing → false.
- $param supplied? A missing input_params key the condition needs yields a 422 (errors: ["missing or wrong input params, '<name>'"]), not a silent false.

Full request/response schema, error table, and a deeper troubleshooting walk-through: references/evaluation-reference.md and references/troubleshooting.md.
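An added example, not part of the skill or IndyKite's own code: a minimal Python client for the single-decision call that frames the request as described above and fails closed, so only HTTP 200 with `decision: true` counts as an allow and a 422 is reported as a request error rather than a denial. The function names, the `Content-Type` header and the `{"errors": [...]}` shape of the 422 body are assumptions; the optional `Authorization: Bearer` header is omitted.

```python
import json
import urllib.error
import urllib.request

def build_request(subject, action, resource, input_params=None):
    """Frame one question; subject and resource are (type, external_id) pairs."""
    body = {
        "subject": {"type": subject[0], "id": subject[1]},
        "resource": {"type": resource[0], "id": resource[1]},
        "action": {"name": action},  # case-sensitive, sent exactly as given
    }
    if input_params:
        bad = [k for k in input_params if k.startswith("$")]
        if bad:
            raise ValueError(f"input_params keys must not carry the leading $: {bad}")
        body["context"] = {"input_params": dict(input_params)}  # value types preserved
    return body

def interpret(status, raw_body):
    """Map an HTTP result to (allowed, reason); only 200 + decision:true allows."""
    try:
        doc = json.loads(raw_body)
    except (TypeError, ValueError):
        doc = None
    if not isinstance(doc, dict):
        doc = {}
    if status == 200 and doc.get("decision") is True:
        return True, "granted"
    if status == 200 and doc.get("decision") is False:
        return False, "denied"  # a normal outcome, not an error
    if status == 422:  # assumed body shape: {"errors": [...]}
        return False, "request error: " + "; ".join(map(str, doc.get("errors", [])))
    return False, f"unexpected response (HTTP {status})"

def evaluate(api_url, client_key, body, timeout=5):
    """POST body to /access/v1/evaluation; transport and HTTP errors never allow."""
    req = urllib.request.Request(
        api_url.rstrip("/") + "/access/v1/evaluation",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "X-IK-ClientKey": client_key},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return interpret(err.code, err.read())
    except urllib.error.URLError as err:
        return False, f"transport error: {err.reason}"
```

Log the returned reason alongside the boolean: a "request error" points at the request's input_params, while "denied" points at the policy or the graph data.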
When this skill has been applied successfully:
- POST /access/v1/evaluation returns {"decision": true} for an allowed (subject, action, resource) triple with valid input_params, and {"decision": false} for a denied one.
- input_params key is surfaced as a 422 and corrected, not mistaken for a denial.
- indykite-authzen-evaluations or invoked through the indykite-mcp-server authzen_evaluate tool with identical decision semantics.

- references/evaluation-reference.md - the /evaluation endpoint: base path, auth, request/response shape, error codes, and pointers to the batch and search sibling skills.
- references/troubleshooting.md - why a decision is unexpectedly true/false and how to isolate the responsible policy.
- assets/evaluation-provision-server.json - runnable single-evaluation request body for the Person PROVISION Server example.
- scripts/evaluate.sh - Bash helper that posts a decision request to /access/v1/evaluation (host-pinned; --print to preview).

This skill uses generic markdown instructions and works across all agents listed in the README. The agent needs to be able to issue HTTP requests (curl, an HTTP client, or the IndyKite Terraform provider). No Claude Code hooks, Cursor @-mentions, or Copilot workspace context are required.
npx claudepluginhub indykite/skills --plugin indykite-skills