
wb.security

WorkbookSecurity

8 methods

addPolicy

Promise<PolicyId>
addPolicy(policy: Omit<AccessPolicy, 'id'>): Promise<PolicyId>;

| Parameter | Type | Required |
| --- | --- | --- |
| `policy` | `Omit<AccessPolicy, 'id'>` | required |

Add a new access policy. Rust enforces capability attenuation: the caller's effective workbook level must be >= the granted level. Returns the assigned PolicyId.

removePolicy

Promise<void>
removePolicy(id: PolicyId): Promise<void>;

| Parameter | Type | Required |
| --- | --- | --- |
| `id` | `PolicyId` | required |

Remove a policy by ID. Idempotent at the store layer.

updatePolicy

Promise<void>
updatePolicy(id: PolicyId, updates: Partial<Omit<AccessPolicy, 'id'>>): Promise<void>;

| Parameter | Type | Required |
| --- | --- | --- |
| `id` | `PolicyId` | required |
| `updates` | `Partial<Omit<AccessPolicy, 'id'>>` | required |

Update fields on an existing policy. Attenuation re-runs when `level` is patched.

getPolicies

Promise<AccessPolicy[]>
getPolicies(): Promise<AccessPolicy[]>;

Get all policies currently on the document, in stable id-sorted order.
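
The rules stated for `addPolicy`, `updatePolicy`, `removePolicy` and `getPolicies` above, as a synchronous in-memory model. This is an added example, not the project's code: the level names and their ordering, the `Policy` fields, the `PolicyStoreModel` class and the error on an unknown id in `updatePolicy` are all assumptions.

```typescript
// Added model, not the project's code. Level names, their order and the
// Policy fields are assumptions; the real AccessLevel/AccessPolicy may differ.
type Level = 'none' | 'read' | 'write' | 'admin'; // assumed, weakest first
const RANK: Record<Level, number> = { none: 0, read: 1, write: 2, admin: 3 };
interface Policy { id: number; principal: string; level: Level }

class PolicyStoreModel {
  private policies = new Map<number, Policy>();
  private nextId = 1;
  private callerLevel: Level; // stands in for the caller's effective workbook level

  constructor(callerLevel: Level) {
    this.callerLevel = callerLevel;
  }

  // Attenuation: a caller can grant at most the level it holds itself.
  private checkAttenuation(granted: Level): void {
    if (RANK[this.callerLevel] < RANK[granted]) {
      throw new Error(`attenuation: caller has ${this.callerLevel}, cannot grant ${granted}`);
    }
  }

  addPolicy(policy: Omit<Policy, 'id'>): number {
    this.checkAttenuation(policy.level);
    const id = this.nextId++;
    this.policies.set(id, { id, principal: policy.principal, level: policy.level });
    return id;
  }

  updatePolicy(id: number, updates: Partial<Omit<Policy, 'id'>>): void {
    const current = this.policies.get(id);
    if (!current) throw new Error(`no policy ${id}`); // assumed behaviour
    // Attenuation re-runs only when the patch touches `level`.
    if (updates.level !== undefined) this.checkAttenuation(updates.level);
    this.policies.set(id, {
      id,
      principal: updates.principal ?? current.principal,
      level: updates.level ?? current.level,
    });
  }

  removePolicy(id: number): void {
    this.policies.delete(id); // idempotent: unknown ids are a no-op
  }

  getPolicies(): Policy[] {
    return Array.from(this.policies.values()).sort((a, b) => a.id - b.id);
  }
}
```

In this model a caller holding `write` can add or raise policies up to `write`, and any attempt to grant `admin` is rejected both on add and on a `level` patch.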

getEffectiveAccess

Promise<AccessLevel>
getEffectiveAccess(principal: AccessPrincipal, target: AccessTarget): Promise<AccessLevel>;

| Parameter | Type | Required |
| --- | --- | --- |
| `principal` | `AccessPrincipal` | required |
| `target` | `AccessTarget` | required |

Get the effective access level for a principal at a target.

explainAccess

Promise<AccessExplanation>
explainAccess(principal: AccessPrincipal, target: AccessTarget): Promise<AccessExplanation>;

| Parameter | Type | Required |
| --- | --- | --- |
| `principal` | `AccessPrincipal` | required |
| `target` | `AccessTarget` | required |

Explain why a principal has a given access level at a target. Returns the winning policy, reason, candidates, and any warnings.

applyTemplate

Promise<PolicyId[]>
applyTemplate(templateId: string, options: Record<string, unknown>): Promise<PolicyId[]>;

| Parameter | Type | Required |
| --- | --- | --- |
| `templateId` | `string` | required |
| `options` | `Record<string, unknown>` | required |

Apply a named template, generating policies. The `templateId` is the Rust tagged-enum variant name (e.g. `protect_workbook`, `protect_sheet`, `agent_structure`); `options` merges into the wire payload under the same keys the Rust `Template` variant expects. Returns the PolicyIds of the generated policies.

removeTemplate

Promise<void>
removeTemplate(templateId: string): Promise<void>;

| Parameter | Type | Required |
| --- | --- | --- |
| `templateId` | `string` | required |

Remove all policies generated by a template.