Is there any way of setting a principal policy to everybody with a role (eg: deny any request if a JWT property is false)?

Principal policies only work for an individual principal matched by ID, so I think your best option here is to use derived roles. Suppose you're using a

user

role and you only want to allow access if they have a

verified

flag, then define a

verifiedUser

derived role which includes that condition, and use the derived role in your resource policies instead of

user

.

Got it, thanks!