Policy Config JSON
policies.json is where you define which views a policy grants access to. Create one file per module that has views, and place it in the module folder.
File Location
backend/
└── patients/
    ├── views.py
    ├── urls.py
    └── policies.json ← here
Structure
{
  "policies": [
    {
      "name": "PatientAccess",
      "description": "Access to patient management views",
      "statement": {
        "permissions": [
          {
            "type": "view",
            "name": "patients.views.PatientCrudView"
          }
        ]
      }
    }
  ]
}
| Field | Description |
|---|---|
| name | Policy name — shown in the App Panel |
| description | Human-readable description |
| statement.permissions | List of permissions this policy grants |
Permission Types
View Permission
Grants access to a specific view class. This is the most common type.
{
  "type": "view",
  "name": "<module_name>.views.<ViewClassName>"
}
The name follows the pattern: module_name.views.ClassName — where module_name matches the "name" field in your settings.json module registration.
Features (Fine-Grained Access Control)
Control specific operations within a view using the "features" array:
{
  "type": "view",
  "name": "patients.views.PatientCrudView",
  "features": [
    "add",
    "download"
  ]
}
Common features:
- "add" - Permission to create new records
- "download" - Permission to export/download data
- Other features depend on the view implementation
Roles (Role-Based Assignment)
Specify which user roles have access to this policy using the "roles" array at the policy level:
{
  "name": "PatientLeadCrudViewAccessPolicy",
  "description": "Full access to Patient Lead management",
  "statement": {
    "permissions": [
      {
        "name": "backend.patients.views.PatientLeadCrudView",
        "type": "view",
        "features": [
          "add",
          "download"
        ]
      }
    ]
  },
  "roles": [
    "Patient Navigator",
    "Admin"
  ]
}
The roles array defines which user roles automatically have this policy assigned. When users with these roles log in, they will have the specified features enabled.
Example with multiple views:
{
  "policies": [
    {
      "name": "AdminAccess",
      "description": "Full access for admins",
      "statement": {
        "permissions": [
          { "type": "view", "name": "patients.views.PatientCrudView" },
          { "type": "view", "name": "doctors.views.DoctorCrudView" },
          { "type": "view", "name": "reports.views.ReportView" }
        ]
      },
      "roles": [
        "Admin"
      ]
    }
  ]
}
User Access Permission
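Restricts access by IP address (CIDR notation). Note that the range 0.0.0.0/0 used in this example matches every IPv4 address, so it imposes no restriction; specify a narrower range to limit access.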
{
  "type": "userAccess",
  "accessIP": "0.0.0.0/0"
}
Multiple Policies Per Module
You can define multiple policies in one file — useful when different roles need different levels of access to the same module:
{
  "policies": [
    {
      "name": "PatientReadOnly",
      "description": "View-only access to patients",
      "statement": {
        "permissions": [
          { "type": "view", "name": "patients.views.PatientListView" }
        ]
      }
    },
    {
      "name": "PatientFullAccess",
      "description": "Full patient management",
      "statement": {
        "permissions": [
          { "type": "view", "name": "patients.views.PatientCrudView" }
        ]
      }
    }
  ]
}
Sync After Changes
After creating or editing policies.json:
- Open the App Panel at http://localhost:8000/platform
- Navigate to your app and click on the Code section in the left sidebar
- Click on the Policies tab
- Click the "Sync Policy" button at the top right to sync the policies from your codebase
- Once synced, go to App Panel → Code → Policies to assign roles to the policy
Rules
- Only include views from this module — cross-module views go in their own module's policies.json
- Never reference SystemUsers as a role for any policy
- Always sync after creating or editing this file
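
The rules above can be checked mechanically before syncing. The following lint is an added example, not part of the platform: `lint_policies`, the sample JSON and the wide-open CIDR check are constructed here, and it assumes the module is the last dotted segment before `.views.` in a view name.

```python
import ipaddress
import json
import re

# Name pattern stated on the page: <module_name>.views.<ViewClassName>
VIEW_NAME = re.compile(r"^(?P<module>[A-Za-z_][\w.]*)\.views\.(?P<cls>[A-Za-z_]\w*)$")
FORBIDDEN_ROLE = "SystemUsers"  # the Rules section forbids this role in any policy

# Constructed sample for a module named "patients"; it breaks three rules.
SAMPLE = """
{"policies": [{
  "name": "PatientAccess",
  "statement": {"permissions": [
    {"type": "view", "name": "patients.views.PatientCrudView"},
    {"type": "view", "name": "doctors.views.DoctorCrudView"},
    {"type": "userAccess", "accessIP": "0.0.0.0/0"}]},
  "roles": ["Admin", "SystemUsers"]}]}
"""


def lint_policies(text, module_name):
    """Return a list of findings for one module's policies.json content."""
    findings = []
    for policy in json.loads(text).get("policies", []):
        pname = policy.get("name", "<unnamed>")
        if FORBIDDEN_ROLE in policy.get("roles", []):
            findings.append(f"{pname}: role {FORBIDDEN_ROLE} must not be referenced")
        for perm in policy.get("statement", {}).get("permissions", []):
            ptype, name = perm.get("type"), str(perm.get("name", ""))
            if ptype == "view":
                # Assumption: the last dotted segment before ".views." is the module.
                m = VIEW_NAME.match(name)
                if not m:
                    findings.append(f"{pname}: malformed view name {name!r}")
                elif m["module"].split(".")[-1] != module_name:
                    findings.append(f"{pname}: cross-module view {name}")
            elif ptype == "userAccess":
                try:
                    net = ipaddress.ip_network(perm.get("accessIP", ""), strict=False)
                except ValueError:
                    findings.append(f"{pname}: accessIP is not valid CIDR")
                    continue
                if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 restricts nothing
                    findings.append(f"{pname}: accessIP {net} matches every address")
    return findings


if __name__ == "__main__":
    for finding in lint_policies(SAMPLE, "patients"):
        print(finding)
```

Run it against each module's policies.json with that module's name; an empty result means none of the checked rules were violated.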