Resolve allow/deny for (viewer, action, resource) per PR-06.

POST /access/check
curl --request POST \
--url https://api.gospl.example/v1/access/check \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data '{ "action": "example", "resourceType": "example", "resourceOwnerId": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0" }'

Server-authoritative. Returns allow only if a functional role OR the viewer’s relationship to the resource owner grants the action; default-deny otherwise.

Media type application/json
object
action (string, required): E.g. goals.view, mvp.report.export
resourceType (string, required)
resourceOwnerId (string, format: uuid, required)
Example generated
{
"action": "example",
"resourceType": "example",
"resourceOwnerId": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0"
}

OK

Media type application/json
object
allow (boolean, required)
viaRole (string): Functional role. people_team and senior_leadership both carry org-wide read for People-area data. Feature-elevated grants are separate explicit grants. Allowed values: employee, people_team, senior_leadership, admin
viaRelationship (string): Viewer’s org-chart relationship to a resource owner. Allowed values: self, colleague, line_manager, manager_of_managers
reason (string)
Example
{
"viaRole": "employee",
"viaRelationship": "self"
}

Missing/invalid credentials.

Media type application/json
object
code (string, required)
message (string, required)
Example generated
{
"code": "example",
"message": "example"
}
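
Added example (not part of the original API reference or the project's code): a client-side interpreter for /access/check replies that keeps the documented default-deny behaviour when a reply is an error, malformed, or missing the required allow field. The function names, the rule that an allow must carry viaRole or viaRelationship, and the 401 status in the constructed samples are assumptions of this example.

```python
import json

# Enumerations copied from the response schema on this page.
ROLES = {"employee", "people_team", "senior_leadership", "admin"}
RELATIONSHIPS = {"self", "colleague", "line_manager", "manager_of_managers"}


def _enum_ok(value, allowed):
    """True if the optional field is absent or a listed string value."""
    return value is None or (isinstance(value, str) and value in allowed)


def interpret_access_response(status, body):
    """Return (allowed, detail) for one /access/check reply, failing closed."""
    if status != 200:
        # Covers the credentials error and any other non-OK reply.
        return False, f"http status {status}"
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return False, "body is not JSON"
    if not isinstance(doc, dict):
        return False, "body is not an object"
    # 'allow' is required and must be the JSON boolean true. A missing field,
    # the string "true" or the number 1 is never treated as a grant.
    if doc.get("allow") is not True:
        reason = doc.get("reason")
        return False, reason if isinstance(reason, str) else "denied"
    role, rel = doc.get("viaRole"), doc.get("viaRelationship")
    if not _enum_ok(role, ROLES) or not _enum_ok(rel, RELATIONSHIPS):
        return False, "unknown viaRole or viaRelationship"
    # Assumption of this example: an allow must name the grant behind it.
    if role is None and rel is None:
        return False, "allow without viaRole or viaRelationship"
    return True, f"viaRole={role} viaRelationship={rel}"


# Constructed sample replies (not captured from a real server).
SAMPLES = [
    (200, '{"allow": true, "viaRole": "employee", "viaRelationship": "self"}'),
    (200, '{"viaRole": "employee", "viaRelationship": "self"}'),
    (200, '{"allow": "true", "viaRole": "admin"}'),
    (401, '{"code": "example", "message": "example"}'),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, body, "->", interpret_access_response(status, body))
```

The second sample has the same fields as the OK example above, which omits allow, so it is treated as a deny.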