---
title: "Policy Resolution"
slug: "policy-resolution-1"
updated: 2025-06-29T14:12:38Z
published: 2025-07-08T10:10:03Z
stale: true
---
> ## Documentation Index
> Fetch the complete documentation index at: https://docs.plainid.io/llms.txt
> Use this file to discover all available pages before exploring further.
# Policy Resolution
Get/api/runtime/resolution/v3
The Policy Resolution API enables you to create your own enforcement points when need to support access to large amounts of data (SQL, search engines, big data, etc.) or enforcement need to be done by another system/platform. It is designed to answer questions like: "What access filters need to be set up for a specific user to access an asset?". The response is expected to show the logical filtering of data and/or the list of allowed data items for the user.
### Notice
When accessing the Authorization APIs, the URL base/prefix, according to your PlainID PDP Location**United States Cloud PDP** - `https://tenant-name.us1.plainid.io`**Canadian Cloud PDP** - `https://tenant-name.ca1.plainid.io`**European Cloud PDP** - `https://tenant-name.eu1.plainid.io` **Local PAA Agent** - `https://your-paa.acme.local`
For more information on which Asset Types to use with your PAA or Cloud PDP, refer to [Managing Asset Types](https://docs.plainid.io/docs/managing-asset-types).
### cURL Sample Guidelines
In order for the relevant parameters to appear in the cURL sample, you can input the values in the interactive API console on the right under the Try It\* or the Code Sample tabs. They will then appear in the cURL sample in the correct format to use in your API tool. *\*Try It function coming soon.*
Header parametersX-Client-Idstring
Client ID of the Scope The clientId is **required**, ensure that it is defined either in the header as `X-Client-Id` or in the body as `clientId`.
X-Client-Secretstring
Client Secret ID of the Scope. You can also authenticate with an Authorization Token (in your API tool). Note that the X-Client-Id is still required, whether in the header or the body. Refer to [Setting up an Authentication Method](https://docs.plainid.io/v1/docs/managing-scope-authentication#setting-up-an-authentication-method-in-the-scope) for more information.
Query parametersentityIdstring
Unique identifier of the Identity
clientIdstring
Client ID of the Scope The Client ID is **required**, ensure that it is defined either in the header as `X-Client-Id` or in the body as `clientId`.
clientSecretstring
Client Secret ID of the Scope. You can also authenticate with an Authorization Token (in your API tool). Note that the X-Client-Id is still required, whether in the header or the body. Refer to [Setting up an Authentication Method](https://docs.plainid.io/v1/docs/managing-scope-authentication#setting-up-an-authentication-method-in-the-scope) for more information.
entityTypeIdstring
Identity Template ID
remoteIpstring
IP address to be used when validating a Policy. Ensure that your IP Ranges are correct based on an [IP calculator](https://www.ipaddressguide.com/cidr). If not defined, the IP considered in the calculation is taken from the X-Forwarded-For (Request header). If not defined,the IP considered in the calculation is taken from the X-Forwarded-For (Request header).
includeIdentitystring
Show/hide the Identity Attribute of the Identity in the response.
includeAssetAttributesstring
Show/hide the Asset Attribute of the assets in the response.
resourceTypesstring
This parameter enables you to decrease the payload size by including a list of Asset Types and their Attributes, which also return in the response. If not specified, all resources from all resource types will be included. If using this parameter, ensure you are sending either `allResourceTypes` or `resourceTypes` in the request. Sending both will result in an error. If not specified, all identities from all Identity Types will be included in the response.
Responses200
OK
Policy-Resolution-200
```json
{
"tokenValidity": 0,
"response": [
{
"access": [],
"privileges": {
"allowed": [
{
"resourceType": "Accounts",
"actions": [
{
"action": "Access",
"asset-attributes-filter": {
"OR": [
{
"OR": [
{
"AND": [
{
"attribute": "location",
"type": "STRING",
"operator": "EQUALS",
"values": [
"Alabama"
],
"match": "any"
}
]
}
]
}
]
}
}
]
}
],
"denied": []
}
}
]
}
```
Expand AllAnyOfresolutionResponseobject (resolutionResponse)tokenValidityinteger
response Array of object object access Array of object object pathstring
attributesobject
resourceTypestring
actions Array of object object actionstring
permissionstring
permissionIdstring
permissionMetadataobject (permissionMetadata)
Additional response metadata. This response is only returned when the `includeAccessPolicy` is set to true, and when the `permissionMetadata` object contains one or more properties.
contextDataobject attribute Array of string string
privilegesobject allowed Array of object object resourceTypestring
actions Array of object object actionstring
asset-attributes-filterobject OR Array of object object OR Array of object object AND Array of object object attributestring
typestring
operatorstring
values Array of string string
matchstring
identityobject (identityResponse) typestring
typeNamestring
attributesobject
additionalResponseInfoobject (additionalResponseInfoResponse) identitySourcesobject skipped Array of object (identitySourceInfo) object sourceIdstring
sourceNamestring
messagestring
attributes Array of string string
failed Array of object (identitySourceInfo) object sourceIdstring
sourceNamestring
messagestring
attributes Array of string string
assetContextResolutionResponseobject (assetContextResolutionResponse)data Array of object object assetContextobject AnyOfassetContextResponseItemobject (assetContextResponseItem)
assetContextMergedResponseItemobject (assetContextMergedResponseItem)resources Array of object (assetContextResponseItem) object AnyOfobjectobjectkeystring
An auto-generated key to set the correlation between the requested object and the response object (optional). When working with a single assetContext object, use the “singleObjectResponse” value to align to the original structure response.
objectobjectresourceTypestring
pathstring
actionstring
assetAttributesobject attribute_1 Array of string string
attribute_2 Array of string string
outputobject accessResponseobject (resolutionResponse) tokenValidityinteger
response Array of object object access Array of object object pathstring
attributesobject
resourceTypestring
actions Array of object object actionstring
permissionstring
permissionIdstring
permissionMetadataobject (permissionMetadata)
Additional response metadata. This response is only returned when the `includeAccessPolicy` is set to true, and when the `permissionMetadata` object contains one or more properties.
contextDataobject attribute Array of string string
privilegesobject allowed Array of object object resourceTypestring
actions Array of object object actionstring
asset-attributes-filterobject OR Array of object object OR Array of object object AND Array of object object attributestring
typestring
operatorstring
values Array of string string
matchstring
identityobject (identityResponse) typestring
typeNamestring
attributesobject
additionalResponseInfoobject (additionalResponseInfoResponse) identitySourcesobject skipped Array of object (identitySourceInfo) object sourceIdstring
sourceNamestring
messagestring
attributes Array of string string
failed Array of object (identitySourceInfo) object sourceIdstring
sourceNamestring
messagestring
attributes Array of string string
errorstring
400
Bad Request
401
Unauthorized
403
Forbidden
404
Not Found
500
Internal Server Error
501
Not Implemented