System policies

System policies are used to regulate the configuration of the system. This is defining useridresolvers and realms, setting token defaults and defining system configuration.

If no system policy is defined, each administrator is allowed to do everything in the scope system.

Technically system policies controll if the administrator is able to write to the database table Config or if the administrator can use of the system_controller. System policies are checked using the method getAuthorization of the code_policy_class.

The user in the system policies refers to the administrator.


System policies do not make use of realms!


Creating policies is an act of writing the system configuration. So if you define admin policies and do not define system policies, every administrator can still change the policies! The recommended way is to create your admin policies and then create the system policies.

The following actions are available in the scope system:


type: bool

The administrator is allowed to read the system configuration. A token administrator might not be allowed to read system configuration to avoid letting him know which realms and userresolvers exist.


type: bool

The administrator is allowed to write system configuration.