Actor Runtime Context Specification
The actor context represents the identity, attributes, and execution metadata of the caller performing an action.
At evaluation time, actor values are supplied as a runtime mapping of scalar fields.
This document defines the actor runtime contract used by the evaluation engine.
Purpose
The actor context is used for decisions based on:
- role
- department
- tenant
- permissions
- region
- trust level
- risk score
- approval authority
Typical policy usage:
subject:
  domain: actor
  field: role
operator: equals
value:
  literal: admin
Runtime Shape
actor:
  role: admin
  department: finance
  risk_score: 12
  is_verified: true
Type: Mapping of actor field names to scalar values
Supported scalar types:
- string
- number
- boolean
This runtime input must conform to the declared schema.
Resolution Semantics
When a policy references:
subject:
  domain: actor
  field: role
The engine resolves the field from the actor map:
input.actor["role"]
If the field is missing, resolution returns a non-match (false).
This is intentionally fail-safe.
Comparison Semantics
Actor fields support validated operators depending on scalar type.
String
- equals
- not_equals
Number
- equals
- not_equals
- greater_than
- less_than
Boolean
- equals
- not_equals
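The resolution and comparison rules above as a small evaluator, added here as an example and not the engine's own code. The names `evaluate`, `scalar_type`, `cond` and `SAMPLE` are hypothetical; treating a type mismatch between field and literal as a non-match, and raising on an operator that is not valid for the field's type, are assumptions.

```python
# Added example: hypothetical evaluator, not the engine's own code.
OPERATORS = {
    "string": {"equals", "not_equals"},
    "number": {"equals", "not_equals", "greater_than", "less_than"},
    "boolean": {"equals", "not_equals"},
}

def scalar_type(value):
    """Map a runtime value to the spec's scalar type, or None if unsupported."""
    # bool must be tested first: in Python, bool is a subclass of int.
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, (int, float)):
        return "number"
    if isinstance(value, str):
        return "string"
    return None

def evaluate(condition, runtime_input):
    """Evaluate one actor condition; any unresolved field is a non-match."""
    subject = condition["subject"]
    if subject["domain"] != "actor":
        raise ValueError("this sketch only handles the actor domain")
    actor = runtime_input.get("actor") or {}
    field, operator = subject["field"], condition["operator"]
    literal = condition["value"]["literal"]
    if field not in actor:
        return False  # missing field: non-match, even for not_equals
    actual = actor[field]
    kind = scalar_type(actual)
    # Assumption: unsupported or mismatched types are also a non-match.
    if kind is None or scalar_type(literal) != kind:
        return False
    if operator not in OPERATORS[kind]:
        raise ValueError(f"operator {operator!r} not valid for {kind}")
    if operator == "equals":
        return actual == literal
    if operator == "not_equals":
        return actual != literal
    if operator == "greater_than":
        return actual > literal
    return actual < literal  # less_than

# Constructed sample input, matching the Runtime Shape section.
SAMPLE = {"actor": {"role": "admin", "department": "finance",
                    "risk_score": 12, "is_verified": True}}

def cond(field, operator, literal):
    """Build a condition in the policy shape shown under Typical policy usage."""
    return {"subject": {"domain": "actor", "field": field},
            "operator": operator, "value": {"literal": literal}}
```

Because a missing field is a non-match for every operator, a condition such as `tenant not_equals acme` does not match an actor that carries no `tenant` field at all.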
Best Practices
- keep actor identity minimal
- expose only policy-relevant fields
- avoid transient request metadata
- prefer stable field names
- use actor for caller identity, not resource state