Skip to main content

What is a Resource?

A resource represents an entity in your application that you want to protect with permissions. Documents, projects, users, reports, jobs—anything that subjects need permission to access is a resource.

Resource Types

Define categories of resources

Resource Hierarchies

Model parent-child resource relationships

Resource Scope Links

Share resources across scopes

Resource Collections

Dynamic resource grouping with match rules

Resource Policies

Fine-grained allow/deny on resources

Tags

Classify resources with tags

Resource Properties

PropertyTypeDescription
idstringUnique Bedrock identifier
resourceTypeIdstringReference to the resource type
scopeIdstringOwning scope
externalResourceIdstringYour system’s identifier
displayNamestring?Human-readable name
createdAtstringCreation timestamp
createdBystringSubject who created it

Creating Resources

# First, create a resource type
curl -X POST 'https://api.example.com/resource-types' \
  -d '{
    "name": "Document",
    "key": "document",
    "scopeId": "scope_org"
  }'

# Then create resource instances
curl -X POST 'https://api.example.com/resources' \
  -d '{
    "resourceTypeId": "rtype_document",
    "scopeId": "scope_engineering",
    "externalResourceId": "doc-123",
    "displayName": "Q4 Planning Doc"
  }'

Resource-Based Permissions

Permissions can target specific resources or resource patterns: 
# Permission for all documents
curl -X POST 'https://api.example.com/permissions' \
  -d '{
    "scopeId": "scope_org",
    "action": "read",
    "resourceType": "document",
    "resourcePattern": "*",
    "key": "document:read:*"
  }'

# Permission for a specific document
curl -X POST 'https://api.example.com/permissions' \
  -d '{
    "scopeId": "scope_org",
    "action": "read",
    "resourceType": "document",
    "resourcePattern": "doc-123",
    "key": "document:read:doc-123"
  }'

Evaluating Against Resources

When checking permissions, you can specify the resource: 
const decision = await bedrock.evaluate({
  actor: { subjectId: "subject_jane", subjectType: "user" },
  scopeId: "scope_engineering",
  action: "read",
  resource: {
    resourceId: "resource_doc_123",
    // OR
    externalResourceId: "doc-123",
    resourceType: "document"
  }
});

Resource Ownership

The scopeId on a resource indicates ownership. A document owned by the Engineering scope is primarily associated with that scope: 
curl -X POST 'https://api.example.com/resources' \
  -d '{
    "resourceTypeId": "rtype_document",
    "scopeId": "scope_engineering",  # Owner scope
    "externalResourceId": "doc-456",
    "displayName": "Engineering Handbook"
  }'

Common Patterns

Pattern 1: Document Management

# Resource types
curl -X POST 'https://api.example.com/resource-types/batch' \
  -d '[
    {"name": "Folder", "key": "folder", "scopeId": "scope_org"},
    {"name": "Document", "key": "document", "scopeId": "scope_org"},
    {"name": "Comment", "key": "comment", "scopeId": "scope_org"}
  ]'

Pattern 2: Project Management

curl -X POST 'https://api.example.com/resource-types/batch' \
  -d '[
    {"name": "Project", "key": "project", "scopeId": "scope_org"},
    {"name": "Task", "key": "task", "scopeId": "scope_org"},
    {"name": "Milestone", "key": "milestone", "scopeId": "scope_org"}
  ]'

Pattern 3: E-Commerce

curl -X POST 'https://api.example.com/resource-types/batch' \
  -d '[
    {"name": "Product", "key": "product", "scopeId": "scope_org"},
    {"name": "Order", "key": "order", "scopeId": "scope_org"},
    {"name": "Customer", "key": "customer", "scopeId": "scope_org"}
  ]'

API Reference

Create Resource Type

Define a new resource type

Create Resource

Create a resource instance

Get Resources

List resources

Resource Types API

All resource type operations

Next Steps

Resource Types

Learn how to define resource type schemas