Policy
Feature Flags can use a Policy product to control sensitive actions.
When to use Policy
Use Policy when you want to protect:
- flag changes
- publishes
- rollbacks
- audit access
- internal admin routes
Attach Policy
```js
import { policy } from "@layeron/modules"

const flagPolicy = policy({
  name: "flags-admin",
  rules: [
    {
      id: "flags-admins",
      effect: "allow",
      actions: ["flags:*"],
      resources: ["feature_flags:*"],
      subjects: ["admin"],
    },
  ],
})

const flags = featureFlags({
  name: "main",
  policy: flagPolicy,
  flags: {
    checkoutV2: flag.boolean({ default: false }),
  },
})
```
What Policy controls
With Policy attached, Layeron checks the subject, action, and resource before the flag product accepts admin work.
Use actions like:
```
flags:read
flags:evaluate
flags:publish
flags:rollback
```
Pass a subject when an admin tool publishes, reads history, or rolls back:
```js
await flags.publish({
  environment: "prod",
  message: "Enable checkout v2",
  subject: {
    kind: "admin",
    id: "user_123",
    roles: ["release-manager"],
  },
})
```
Keep user reads simple
Most application reads stay simple:
```js
const enabled = await flags.enabled("checkoutV2", {
  tenantId: tenant.id,
})
```
Use Policy when a flag read itself should be restricted, such as a server-only flag or an internal operator view.
Recommended pattern
Keep rollout logic in Feature Flags and access control in Policy.
- Feature Flags decides what value a request sees.
- Policy decides who may change or inspect the rollout.
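A simplified model of the subject, action, and resource check described under "What Policy controls", added here as an example and not Layeron's own code. It assumes `*` is a suffix wildcard, that `subjects` is matched against `subject.kind`, and that no matching rule means deny; the `auditor` kind, the `narrowRules` set, and the resource name `feature_flags:main` are constructed for illustration.

```javascript
// Added example, not Layeron's implementation. Assumed semantics:
// "*" is a suffix wildcard, `subjects` is compared with subject.kind,
// and a request that matches no rule is denied.
const ACTIONS = ["flags:read", "flags:evaluate", "flags:publish", "flags:rollback"];

function matches(pattern, value) {
  if (pattern.endsWith("*")) return value.startsWith(pattern.slice(0, -1));
  return pattern === value;
}

function decide(rules, subject, action, resource) {
  for (const rule of rules) {
    const hit =
      rule.subjects.includes(subject.kind) &&
      rule.actions.some((p) => matches(p, action)) &&
      rule.resources.some((p) => matches(p, resource));
    if (hit) return { allowed: rule.effect === "allow", ruleId: rule.id };
  }
  return { allowed: false, ruleId: null }; // default deny
}

// Which of the page's four actions a subject ends up with on one resource.
function grantedActions(rules, subject, resource) {
  return ACTIONS.filter((a) => decide(rules, subject, a, resource).allowed);
}

// The rule from "Attach Policy", copied as plain data.
const broadRules = [
  { id: "flags-admins", effect: "allow", actions: ["flags:*"],
    resources: ["feature_flags:*"], subjects: ["admin"] },
];

// Constructed narrower set: explicit actions instead of "flags:*".
const narrowRules = [
  { id: "flags-auditors", effect: "allow", actions: ["flags:read"],
    resources: ["feature_flags:*"], subjects: ["auditor"] },
  { id: "flags-releasers", effect: "allow", actions: ["flags:publish", "flags:rollback"],
    resources: ["feature_flags:*"], subjects: ["admin"] },
];

const admin = { kind: "admin", id: "user_123", roles: ["release-manager"] };
const auditor = { kind: "auditor", id: "user_456", roles: [] }; // constructed subject
const resource = "feature_flags:main"; // constructed resource name

for (const [label, rules] of [["broad", broadRules], ["narrow", narrowRules]]) {
  console.log(label, "admin:", grantedActions(rules, admin, resource).join(", ") || "(none)");
  console.log(label, "auditor:", grantedActions(rules, auditor, resource).join(", ") || "(none)");
}
```

Under these assumptions the wildcard rule hands every `admin` subject publish and rollback along with read, while the explicit list keeps history access and rollout changes with different subjects.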