Stats
Actions
Tags
From indykite-skills
Run many KBAC authorization decisions in one call via the IndyKite AuthZEN REST API (`POST /access/v1/evaluations`), with top-level subject/action/resource/context as defaults overridden per entry; returns one `decision` per entry, in order. Use when checking a known, fixed set of checks at once - one subject against many resources, one action across many subjects, or any mix of triples - e.g. "of these servers, which can grace provision?", "for each of these users, can they deploy gpu-node-7?". For a single check use indykite-authzen-evaluation; to enumerate ALL allowed actions/resources/subjects (open-ended, not a fixed list) use indykite-authzen-search-action / -search-resource / -search-subject; to author the policy use indykite-authzen-kbac.
How this skill is triggered — by the user, by Claude, or both
Slash command
/indykite-skills:indykite-authzen-evaluationsThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Batch evaluation makes **many KBAC decisions in one request**. You supply top-level `subject` / `action` / `resource` / `context` as **defaults** and an `evaluations[]` array where each entry overrides only the parts it specifies; the response carries one boolean `decision` per entry, in order.
Batch evaluation makes many KBAC decisions in one request. You supply top-level subject / action / resource / context as defaults and an evaluations[] array where each entry overrides only the parts it specifies; the response carries one boolean decision per entry, in order.
This skill covers building and sending the batch request and reading the results. It does not author policies - the 2.0-kbac policies every entry is evaluated against are authored with indykite-authzen-kbac.
Activate this skill when the user wants to:
grace PROVISION?");gpu-node-7?");(subject, action, resource) triples in a single call.Do not activate this skill to make a single yes/no decision (indykite-authzen-evaluation), to enumerate all instances for one probe (the search skills indykite-authzen-search-action / -search-resource / -search-subject), or to author a policy or read/write graph data (batch evaluation only renders decisions).
indykite-authzen-kbac.X-IK-ClientKey value).context.input_params.Decide which parts are constant across the batch (put them at the top level) and which vary (put them in each evaluations[] entry). An entry inherits every top-level part it does not override.
Running example: one action (
PROVISION) and one resource (gpu-node-7) are the defaults; the subject varies per entry, and one entry also overrides the resource.
{
"action": { "name": "PROVISION" },
"resource": { "type": "Server", "id": "gpu-node-7" },
"evaluations": [
{ "subject": { "type": "Person", "id": "linus" } },
{ "subject": { "type": "Person", "id": "grace" } },
{ "subject": { "type": "Person", "id": "grace" }, "resource": { "type": "Server", "id": "edge-box-2" } },
{ "subject": { "type": "Person", "id": "dennis" } }
],
"context": { "input_params": { "max_price": 80000 } }
}
subject.id / resource.id are node external_ids; action.name is case-sensitive; context.input_params keys are written without the $ and keep their types. A ready body: assets/evaluations-provision-servers.json.
POST <API_URL>/access/v1/evaluations
Authentication:
X-IK-ClientKey: <AppAgent-credentials-token>.Authorization: Bearer <user-access-token> - applies only in some cases (e.g. a condition references a token claim/scope), where it can flip claim-gated entries.A runnable shell helper: scripts/evaluate-batch.sh — run with --print to preview the curl (host-pinned; tokens redacted).
{
"evaluations": [
{ "decision": false },
{ "decision": true },
{ "decision": false },
{ "decision": true }
]
}
The array is positional: evaluations[i] is the decision for request entry i.
A single /evaluation that omits a required partial parameter returns 422. A batch call does not fail wholesale - it returns 200, and each entry whose matched policy needed the missing parameter comes back as decision: false with a context.reason:
{ "decision": false, "context": { "reason": "invalid_argument: missing or wrong input params, 'max_price'" } }
So always distinguish a genuine deny (decision: false, no context) from a missing-input deny (decision: false with context.reason) before concluding access is denied.
When this skill has been applied successfully:
POST /access/v1/evaluations returns an evaluations[] array with one decision per request entry, in order, with top-level parts correctly applied as defaults.decision: false + context.reason (a 200), not mistaken for a request failure.indykite-authzen-evaluation) would return for the same triple.references/evaluations-reference.md - /evaluations: request/response shapes, defaults-and-override semantics, the missing-parameter behaviour, error codes.assets/evaluations-provision-servers.json - runnable batch request body for the PROVISION example.scripts/evaluate-batch.sh - Bash helper that posts a batch request to /access/v1/evaluations (host-pinned; --print to preview).This skill uses generic markdown instructions and works across all agents listed in the README. The agent needs to be able to issue HTTP requests (curl, an HTTP client, or the IndyKite Terraform provider). No Claude Code hooks, Cursor @-mentions, or Copilot workspace context are required.
Provides CDSS development patterns for drug interaction checking, dose validation, clinical scoring (NEWS2, qSOFA), and alert classification integrated into EMR workflows.
npx claudepluginhub indykite/skills --plugin indykite-skills