Policy Evaluation

When Are Policies Evaluated?

Policies are evaluated every time an action is performed on a supported resource.

For example:

  • When a transfer is initiated from a wallet
  • More generally, whenever a supported operation (such as transfer) is executed on a supported resource (such as a wallet)

Before the action is completed, the system checks your active policies to decide whether the action should be allowed or blocked.


What Happens During Policy Evaluation?

When an operation is requested, the following steps occur:

1. The action is prepared

  • PayMongo collects all required data (e.g., accounts, limits, roles, transaction details).
  • The core business process (like executing a transfer) is ready but not yet finalized.

2. Relevant policies are identified

  • The system finds all active policies that match:
    • The resource (e.g. wallet)
    • The operation (e.g. transfer)

3. Policies are evaluated

  • Each policy is evaluated against the request data.
  • Policies return either:
    • Allow → rule passed
    • Deny → rule violated

4. Final decision is made

  • If all applicable policies allow the action → the operation proceeds.
  • If any policy denies the action → the operation is blocked.

Policy Priority and Order

There are three levels of policies. No level takes precedence over another: all three are evaluated together for every request.

  1. Merchant Policy: policies you create for your own organization.
  2. Parent Merchant Policy: policies defined by your parent account (if applicable).
  3. Global Policy: the default platform policy defined and maintained by PayMongo. It is always in effect, so it is the policy that applies when you have not defined any policies of your own.

Think of it as an AND rule:

Merchant Policy AND Parent Policy AND Global Policy must all allow the action.

⚠️

Important rule

All policy levels must pass. If any policy at any level fails, the action is denied.


Policy Status: Draft vs Active

Policies have two states:

  • Deactivated (Draft)
    • Default state when a policy is created
    • Not evaluated during operations
    • Safe for testing and iteration
  • Activated
    • Actively evaluated during runtime
    • Affects live operations immediately

⚠️ Only activated policies are used during evaluation.
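The following is an added example, not PayMongo's engine or any code from this page. It puts the four evaluation steps, the Merchant AND Parent AND Global rule, and the draft-versus-active distinction into one small evaluator whose output has the same shape as the response shown under Policy Evaluation Result. The policy fields, the level labels, the rule messages and the sample wallet transfer are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# A rule inspects the request data collected in step 1 and returns a
# human-readable violation when it fails, or None when it passes.
Rule = Callable[[dict], Optional[str]]


@dataclass
class Policy:
    name: str
    level: str            # assumed labels: "merchant", "parent", "global"
    resource: str         # the resource the policy targets, e.g. "wallet"
    operation: str        # the operation it targets, e.g. "transfer"
    rules: List[Rule]
    active: bool = False  # a new policy starts as a draft and is ignored


def evaluate(policies: List[Policy], request: dict) -> dict:
    """Decide one request the way the page describes.

    Step 2: keep only activated policies whose resource and operation match.
    Step 3: run every rule of every matching policy, at every level.
    Step 4: allow only if nothing was violated; any single deny blocks.
    The returned dict has the same shape as the page's example response.
    """
    applicable = [
        p for p in policies
        if p.active
        and p.resource == request["resource"]
        and p.operation == request["operation"]
    ]
    violations = []
    for policy in applicable:
        for rule in policy.rules:
            message = rule(request)
            if message is not None:
                violations.append(message)
    # Merchant AND Parent AND Global: no level can override another's deny,
    # and every violation is reported so the caller can see why.
    return {"allow": not violations, "violations": violations}


def sample_policies() -> List[Policy]:
    """Constructed policies for the example; not real PayMongo policies."""
    allowed_destinations = {"acct_payroll", "acct_supplier_01"}
    return [
        Policy("destination-allowlist", "merchant", "wallet", "transfer", [
            lambda r: None if r["destination"] in allowed_destinations
            else "Destination account is not permitted",
        ], active=True),
        Policy("per-transfer-cap", "parent", "wallet", "transfer", [
            lambda r: None if r["amount"] <= 50_000
            else "Amount exceeds the parent-approved per-transfer limit",
        ], active=True),
        Policy("platform-defaults", "global", "wallet", "transfer", [
            lambda r: None if r["amount"] > 0 else "Amount must be positive",
            lambda r: None if r["currency"] == "PHP" else "Unsupported currency",
        ], active=True),
        # Still a draft: present in the account but never evaluated.
        Policy("freeze-all-transfers", "merchant", "wallet", "transfer", [
            lambda r: "Transfers are frozen",
        ]),
    ]


def sample_request(**overrides) -> dict:
    """A constructed wallet transfer request; the field names are assumed."""
    request = {"resource": "wallet", "operation": "transfer",
               "amount": 12_500, "currency": "PHP",
               "destination": "acct_supplier_01"}
    request.update(overrides)
    return request


if __name__ == "__main__":
    policies = sample_policies()
    print(evaluate(policies, sample_request()))
    print(evaluate(policies, sample_request(destination="acct_unknown")))
    print(evaluate(policies, sample_request(amount=75_000)))
```

Two things worth noticing when you run it: the draft "freeze-all-transfers" policy has no effect until its `active` flag is set, and the moment it is set every transfer is denied, which is exactly the "affects live operations immediately" caveat above. Also, the evaluator never short-circuits on the first deny; it keeps collecting so the response lists every violated rule, not just the first.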


Policy Evaluation Result

When policies are evaluated, the system produces a clear result:

  • "allow": true → the operation continues
  • "allow": false → the operation is blocked, with reasons provided

Example response:

{
  "allow": false,
  "violations": [
    "Destination account is not permitted"
  ]
}

This makes it easier to understand why an action was blocked.