by deoxxa
3131 days ago
Ahhh. That rabbit hole is deep. Buckle up if you're going in because it starts ugly and gets worse.

I've spent quite some time exploring the caverns of XACML (eXtensible Access Control Markup Language), even going so far as writing a limited implementation of it in JavaScript. It's infinitely flexible, extremely capable, horrendously complex, and just about the least fun standard to work with. Sure as heck gets the job done though. Just get yourself used to writing and debugging XML and you'll be fine.

I've also looked in great detail at Amazon's IAM policies. These are significantly simpler, and heavily inspired my current favourite library, ladon [1]. I recently wrote a GraphQL API and I found that GraphQL mutations and field accesses mapped nicely to policies in ladon.

[1]: https://github.com/ory/ladon