Intelligent Policy Selection

WL-APDP implements intelligent policy selection that achieves 20-30x performance improvement by filtering applicable policies before Cedar evaluation.

The Problem

In a system with hundreds or thousands of policies, evaluating every policy for every request is expensive. Most policies won't apply to a given request:

A policy for the "engineering" group won't apply to a "finance" user
A policy for "Document" resources won't apply to a "Tool" resource
A policy requiring specific context won't apply if that context is missing

The Solution: Metadata-Based Filtering

When policies are added to WL-APDP, we extract metadata:

Policy: permit(principal in Group::"finance", action == Action::"read", resource is Document);

Metadata:
  - principal_pattern: Group::finance
  - action_pattern: Action::read
  - resource_pattern: Document
  - context_requirements: []
  - complexity_score: 2

During evaluation, we use this metadata to select only applicable policies:

Request: {principal: User::"alice" (in Group::"finance"), action: read, resource: Document::"report"}

Selection:
  1. Principal matches? User in Group::finance ✓
  2. Action matches? read == read ✓
  3. Resource matches? Document ✓
  4. Context present? (none required) ✓

Result: Policy is applicable, include in evaluation

Metadata Extraction

Principal Patterns

Pattern	Matches
`User::alice`	Only User::"alice"
`User`	Any User
`Group::admins`	Principals in Group::"admins"
`*`	Any principal

Action Patterns

Pattern	Matches
`Action::read`	Only Action::"read"
`[Action::read, Action::write]`	Either action
`*`	Any action

Resource Patterns

Pattern	Matches
`Document::report`	Only that document
`Document`	Any Document
`Folder::public/*`	Resources in folder
`*`	Any resource

Context Requirements

Policies with when clauses that reference context fields have those fields listed:

permit(...) when {
    context.intent.startsWith("analyze") &&
    context.goal == "reporting"
};

// Context requirements: [intent, goal]

Selection Algorithm

function selectApplicablePolicies(request, allPolicies):
    applicable = []

    for policy in allPolicies:
        if not policy.active:
            continue

        if not matchesPrincipal(policy.metadata, request.principal):
            continue

        if not matchesAction(policy.metadata, request.action):
            continue

        if not matchesResource(policy.metadata, request.resource):
            continue

        if not hasRequiredContext(policy.metadata, request.context):
            continue

        applicable.append(policy)

    return sortByComplexity(applicable)  // Simple policies first

Performance Impact

Before Intelligent Selection

Total policies: 500
Policies evaluated: 500
Average evaluation time: 150ms

After Intelligent Selection

Total policies: 500
Policies selected: 15-25
Policies evaluated: 15-25
Average evaluation time: 5-7ms

Result: 20-30x improvement

Complexity Scoring

Policies are scored by complexity (1-10) based on:

Factor	Score Impact
Specific principal (User::"alice")	+0
Principal type (is User)	+1
Group membership (in Group)	+2
Action list (in [...])	+1
Resource hierarchy (in Folder)	+2
Simple condition (==)	+1
Complex condition (contains, like)	+2
Multiple conditions	+1 each

Lower complexity policies are evaluated first, as they're more likely to match and faster to evaluate.

Viewing Policy Metadata

curl http://localhost:8081/policies/metadata

Response:

{
  "metadata": [
    {
      "policy_id": "admin-full-access",
      "principal_pattern": "Group::admins",
      "action_pattern": "*",
      "resource_pattern": "*",
      "context_requirements": [],
      "complexity_score": 1
    },
    {
      "policy_id": "agent-tool-execute",
      "principal_pattern": "Agent",
      "action_pattern": "Action::execute",
      "resource_pattern": "Tool",
      "context_requirements": ["intent", "goal"],
      "complexity_score": 4
    }
  ]
}

Analyzing Policy Application

See which policies would apply to a specific request:

curl -X POST http://localhost:8081/policies/analyze \
  -H "Content-Type: application/json" \
  -d '{
    "principal": "Agent::\"research-bot\"",
    "action": "Action::\"execute\"",
    "resource": "Tool::\"web-search\"",
    "context": {
      "intent": "search for information",
      "goal": "research task"
    }
  }'

Response:

{
  "total_policies": 500,
  "selected_policies": 23,
  "applicable_policies": [
    {
      "id": "agent-tool-execute",
      "name": "Agent Tool Execution",
      "complexity_score": 4,
      "match_reasons": [
        "Principal is Agent",
        "Action is execute",
        "Resource is Tool",
        "Context has required fields: intent, goal"
      ]
    }
  ],
  "selection_time_ms": 0.5,
  "estimated_eval_time_ms": 3.2
}

Best Practices

1. Be Specific When Possible

// More specific = better selection
permit(
    principal == User::"alice",  // Specific principal
    action == Action::"read",    // Specific action
    resource is Document         // Specific type
);

// Less specific = evaluated more often
permit(
    principal,                   // Any principal
    action,                      // Any action
    resource                     // Any resource
) when { ... };                  // Relies on conditions

2. Avoid Overly Broad Policies

// BAD: This policy must be evaluated for ALL requests
permit(
    principal,
    action,
    resource
) when {
    context.special_flag == true
};

// GOOD: Narrow the scope
permit(
    principal is Agent,
    action == Action::"execute",
    resource is Tool
) when {
    context.special_flag == true
};

3. Use Principal Groups Effectively

// Group membership allows efficient filtering
permit(
    principal in Group::"power-users",
    action,
    resource
);

4. Organize Policies by Specificity

Create policy hierarchies from most specific to least:

User-specific policies
Role-based policies
Group-based policies
Type-based policies
Default policies

Troubleshooting

Policy Not Being Selected

Check the /policies/analyze endpoint to see why:

{
  "not_selected_reasons": {
    "policy-xyz": "Principal pattern 'Group::admins' does not match 'User::alice'"
  }
}

Performance Not Improved

Ensure policies have extractable metadata:

// BAD: No extractable metadata
permit(principal, action, resource) when {
    someFunction(principal, resource)
};

// GOOD: Clear patterns
permit(
    principal is User,
    action == Action::"read",
    resource is Document
) when {
    resource.owner == principal
};

The Problem​

The Solution: Metadata-Based Filtering​

Metadata Extraction​

Principal Patterns​

Action Patterns​

Resource Patterns​

Context Requirements​

Selection Algorithm​

Performance Impact​

Before Intelligent Selection​

After Intelligent Selection​

Complexity Scoring​

Viewing Policy Metadata​

Analyzing Policy Application​

Best Practices​

1. Be Specific When Possible​

2. Avoid Overly Broad Policies​

3. Use Principal Groups Effectively​

4. Organize Policies by Specificity​

Troubleshooting​

Policy Not Being Selected​

Performance Not Improved​