Policy Overview

AZTP Client supports robust policy management for agent and workload identities. Policies define what actions are allowed or denied for each identity, enabling fine-grained access control and compliance with zero trust principles.


What is a Policy in AZTP?

A policy in AZTP is a set of rules attached to an identity that determines which actions (e.g., read, write, delete) are allowed or denied, and under what conditions. Policies are enforced on every request made under that identity.

  • Policies are structured as statements, each with an Effect (Allow or Deny), an Action (a single string or a list of actions), and an optional Condition.
  • Policies can be retrieved, inspected, and evaluated programmatically through the aztp-client SDK.

Managing Policies in astha.ai

You can add and manage access policies for each agent or tool identity directly from the astha.ai platform:

  • Go to the agent or tool's profile (e.g., aztp://astha.cloud/paypal-agent).
  • Use the Policies tab to add, edit, or remove access policies.
  • Each policy is defined in JSON, specifying allowed/denied actions and optional conditions (see the example below).
  • Once saved, these policies are immediately available to your code via the aztp-client SDK, so access rules can change without a redeploy.

Example Policy Statement:

{
  "Version": "2025-05-12",
  "Statement": {
    "Sid": "ca7b2c40-7e88-4a5f-bd02-93b6cc44062a",
    "Effect": "Allow",
    "Action": [
      "read_user_profile",
      "list_users"
    ],
    "Condition": {
      "StringEquals": {
        "department": "Engineering",
        "trust_domain": "astha.ai"
      }
    }
  }
}

Intuition:

  • Policies are attached to identities, not just to code.
  • You can manage policies visually in the platform, and then enforce or check them in your code using the aztp-client SDK.
  • This makes it easy to update access rules without redeploying code.

Retrieving a Policy

TypeScript/JavaScript:

const identityAccessPolicy = await client.getPolicy(aztpId);
console.log(identityAccessPolicy);

Python:

identity_access_policy = await client.get_policy(aztp_id)
print(identity_access_policy)

Policy Statement Structure

A typical policy statement looks like this:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["read", "write"]
    },
    {
      "Effect": "Deny",
      "Action": "delete"
    }
  ]
}
  • Version: (optional) the policy format version (e.g., "2025-05-12" in the example above)
  • Statement: a single statement object (as in the example above) or a list of statements
  • Sid: (optional) a unique identifier for an individual statement
  • Effect: "Allow" or "Deny"
  • Action: a string or list of actions (e.g., "read", "write", "delete")
  • Condition: (optional) further restricts when the statement applies, e.g., a StringEquals match on attributes such as department or trust_domain

Checking if an Action is Allowed

getPolicyValue selects one policy from the retrieved policy set by matching a field name (here "code") against a value; isActionAllowed then evaluates that policy for a single action. If no policy matches, treat the action as denied rather than proceeding.

TypeScript/JavaScript:

// Select the policy with code "policy:0650537f8614" from the identity's policies
const policy = client.getPolicyValue(identityAccessPolicy, "code", "policy:0650537f8614");
if (policy) {
  const isAllowed = client.isActionAllowed(policy, "read");
  console.log("Is 'read' allowed?", isAllowed);
}

Python:

# Select the policy with code "policy:0650537f8614" from the identity's policies
policy = client.get_policy_value(identity_access_policy, "code", "policy:0650537f8614")
if policy:
    is_allowed = client.is_action_allowed(policy, "read")
    print(f"Is 'read' allowed? {is_allowed}")
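The following is an added, self-contained example (not code from aztp-client or astha.ai) that implements the statement shape from the Policy Statement Structure section and the kind of check shown in Checking if an Action is Allowed. The SDK's getPolicyValue and isActionAllowed do this for you; this version makes the evaluation rules explicit. The conflict-resolution rule (an explicit Deny overrides any Allow), default deny for unmentioned actions, "*" as a wildcard action, the flat request-context map used for conditions, and the sample policies are all assumptions made for this example.

```typescript
// Added example (not aztp-client code): a small evaluator for the policy
// statement shape documented on this page. Assumptions made here: an explicit
// Deny overrides any Allow, an action no statement mentions is denied, "*"
// matches any action, and StringEquals conditions are matched against a flat
// map of request attributes.

type Effect = "Allow" | "Deny";

interface Statement {
  Sid?: string;
  Effect: Effect;
  Action: string | string[];
  Condition?: { StringEquals?: Record<string, string> };
}

interface PolicyDocument {
  Version?: string;
  // The page shows both a single statement object and an array of statements.
  Statement: Statement | Statement[];
}

// Attributes of the caller (department, trust_domain, ...) that StringEquals
// conditions are checked against.
type RequestContext = Record<string, string>;

function statementsOf(policy: PolicyDocument): Statement[] {
  return Array.isArray(policy.Statement) ? policy.Statement : [policy.Statement];
}

function actionsOf(stmt: Statement): string[] {
  return Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
}

// A statement with no Condition always applies. StringEquals requires every
// listed key to be present in the context with exactly that value, so a
// missing attribute fails the condition instead of passing it.
function conditionHolds(stmt: Statement, ctx: RequestContext): boolean {
  const wanted = stmt.Condition?.StringEquals;
  if (!wanted) return true;
  return Object.entries(wanted).every(([key, value]) => ctx[key] === value);
}

export function evaluatePolicy(
  policy: PolicyDocument,
  action: string,
  ctx: RequestContext = {}
): boolean {
  let allowed = false;
  for (const stmt of statementsOf(policy)) {
    const matchesAction = actionsOf(stmt).some((a) => a === "*" || a === action);
    if (!matchesAction || !conditionHolds(stmt, ctx)) continue;
    if (stmt.Effect === "Deny") return false; // explicit deny wins immediately
    allowed = true;
  }
  return allowed; // nothing matched: default deny
}

// Fail-closed guard: run `op` only when the policy allows `action`. A null
// policy (e.g. the policy lookup returned nothing) is treated as a denial.
export function requireAllowed<T>(
  policy: PolicyDocument | null,
  action: string,
  ctx: RequestContext,
  op: () => T
): T {
  if (policy === null || !evaluatePolicy(policy, action, ctx)) {
    throw new Error(`action "${action}" denied by policy`);
  }
  return op();
}

// Constructed sample policy combining the two examples on this page.
export const samplePolicy: PolicyDocument = {
  Version: "2025-05-12",
  Statement: [
    {
      Sid: "ca7b2c40-7e88-4a5f-bd02-93b6cc44062a",
      Effect: "Allow",
      Action: ["read_user_profile", "list_users"],
      Condition: { StringEquals: { department: "Engineering", trust_domain: "astha.ai" } },
    },
    { Effect: "Allow", Action: ["read", "write"] },
    { Effect: "Deny", Action: "delete" },
  ],
};

// Constructed policy with a broad allow and a carve-out: Deny must win even
// though "*" also matches "delete".
export const denyOverridesPolicy: PolicyDocument = {
  Statement: [
    { Effect: "Allow", Action: "*" },
    { Effect: "Deny", Action: "delete" },
  ],
};

const engineer: RequestContext = { department: "Engineering", trust_domain: "astha.ai" };
console.log(evaluatePolicy(samplePolicy, "read_user_profile", engineer)); // true
console.log(evaluatePolicy(samplePolicy, "read_user_profile", { department: "Sales" })); // false
console.log(evaluatePolicy(samplePolicy, "delete", engineer)); // false
```

Two points worth noticing: a conditioned Allow silently does not apply when the caller lacks the attribute (there is no "allow unless" fallback), and the guard throws instead of returning false so that a forgotten check cannot fall through to the sensitive operation.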

Real-World Usage

  • Use policies to enforce least-privilege access for agents and tools.
  • Policies can be time-limited, domain-restricted, or action-specific.
  • Always retrieve and check the relevant policy before performing a sensitive action, and treat a missing policy or a failed lookup as a denial rather than falling through to the action.

References