Hello, How can I know if the policy will be added or updated? In my case, I want to get -> modify -> update the policy. What is taken into account when determining the operation? Also why there are no separate methods for these operations?

Policies have unique identifiers, depending on their type. For example, a resource policy's identifier is

resource.${resource}.v${version}/${scope}

, like

resource.document.v1/acme

. If you change these "header" fields that form the unique identifier, you get a new policy (even if the "body" is the same) and that means an add operation. Changing only the "body" of the policy means the unique identifier is the same and it's an update. As for why they're one operation, it's because the update is a PUT not a PATCH; the policy you send is the full definition. This is usually a bit easier to work with because in most cases you don't care if the policy already exists in the store - you want to set this new definition regardless. So I think for your get>modify>update process, it should be fine as long as you don't modify those "header" fields.

thanks @Andrew Haines (Cerbos)