Want to make sure your employees do not work outside of office hours? Want to get rid of UID 1's all-access pass? Well now you can, thanks to the brand-new Access Policy API!

Prerequisite
Attendees should have a basic understanding of how access works in Drupal core, with an emphasis on permission checks and perhaps entity access.

Outline
At DrupalCon Pittsburgh 2023 a contest was held where people could submit ideas to improve Drupal and get funded for it. One of the winning entries was revamping the access layer in core.

The idea was to move away from our current Role and Attribute Based Access Control (RBAC and ABAC) layer to a more powerful Policy Based Access Control (PBAC) layer.

This means that you can now hand out permissions based on any information coming from the global state: The time of day, your location, a flag on your account, even what type of sauce you want on your french fries.

Learning Objectives
The goal of this session is to inform the audience about what the new API looks like, how it's implemented in core and how they can start writing access policies of their own.

Key concepts such as the access policy processor, the permission checker and the calculated permissions value object will all be covered in detail, while other supporting parts such as VariationCache (new in Drupal 10.2) will be covered more briefly.