Flows and Policies
Guardrails uses signer rules per step to determine who can approve.
Any-of vs All-of
use OVAC\Guardrails\Services\Flow;

// Any-of permissions
Flow::make()
    ->anyOfPermissions(['orders.manage', 'orders.escalate'])
    ->signedBy(1, 'Ops')
    ->build();

// All-of roles (default)
Flow::make()
    ->roles(['ops_manager', 'finance_manager'])
    ->signedBy(1, 'Management')
    ->build();
Counting the Initiator
Flow::make()
    ->permissions(['local_rates.manage'])
    ->includeInitiator(true, true) // include and preapprove initiator
    ->signedBy(2, 'Ops Review') // only one other approval needed
    ->build();
Same-as-Initiator Constraints
Flow::make()
    ->permissions(['local_rates.manage'])
    ->requireAnyPermissions()
    ->samePermissionAsInitiator(true)
    ->signedBy(2, 'Peer Review')
    ->build();
Notes:
- If the initiator lacks the allowed permission/role, the constraint yields no overlap and prevents signing.
- Prefer includeInitiator(true, true) without “same-as” when you want the initiator to count if eligible and to be ignored otherwise.
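
A standalone PHP model of the rules on this page, added here as an illustration and not taken from the Guardrails code base: it shows how any-of/all-of eligibility, a preapproved initiator and the same-as-initiator constraint combine into the number of approvals still missing. The array keys and function names are hypothetical, and treating "same-as-initiator" as an intersection with the initiator's own permissions is an assumption drawn from the Notes above.

```php
<?php
declare(strict_types=1);

// Model of the signer rules on this page. Keys and function names are
// hypothetical; this is not Guardrails code.

/** Can a user holding $userPerms sign a step governed by $rule? */
function eligible(array $rule, array $userPerms, array $initiatorPerms): bool
{
    $allowed = $rule['permissions'];
    if ($rule['sameAsInitiator']) {
        // Assumption: only permissions the initiator also holds stay usable.
        $allowed = array_values(array_intersect($allowed, $initiatorPerms));
        if ($allowed === []) {
            return false; // no overlap, so nobody can sign
        }
    }
    $held = array_intersect($allowed, $userPerms);
    return $rule['anyOf'] ? count($held) > 0 : count($held) === count($allowed);
}

/** Approvals still missing once eligible signers have been counted. */
function remaining(array $rule, array $initiatorPerms, array $signers): int
{
    $count = 0;
    if ($rule['preapproveInitiator'] && eligible($rule, $initiatorPerms, $initiatorPerms)) {
        $count++; // the initiator counts only when eligible
    }
    foreach ($signers as $perms) {
        $count += eligible($rule, $perms, $initiatorPerms) ? 1 : 0;
    }
    return max(0, $rule['threshold'] - $count);
}

// Constructed sample data.
$base = ['permissions' => ['local_rates.manage'], 'anyOf' => true,
         'sameAsInitiator' => false, 'preapproveInitiator' => true, 'threshold' => 2];
$peer = ['local_rates.manage'];

// Scenario 1: eligible, preapproved initiator plus one peer.
echo remaining($base, ['local_rates.manage'], [$peer]), "\n";
// Scenario 2: initiator lacks the permission, one peer signs.
echo remaining($base, ['orders.manage'], [$peer]), "\n";
// Scenario 3: same-as-initiator with an initiator who lacks the permission.
$sameAs = ['sameAsInitiator' => true, 'preapproveInitiator' => false] + $base;
echo remaining($sameAs, ['orders.manage'], [$peer, $peer]), "\n";
```

Running the three scenarios side by side makes the difference between an ignored initiator and a blocked step visible when reviewing a flow definition.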