
Drupal 10.3 quietly introduced a powerful new tool for handling complex access control: the Access Policy API. And if you missed it, you’re not alone.
Roles have always been Drupal’s primary tool for granting permissions. But as projects grow more complex, teams often end up battling role explosion — creating more and more narrowly defined roles just to capture specific business rules. And when roles aren’t enough, access logic gets scattered across hooks, services, and conditionals.
The Access Policy API gives developers a flexible alternative: a clean, centralized way to grant permissions based on real-world conditions — without overloading or multiplying roles, or scattering access logic throughout a codebase.
In this session, you’ll learn:
- What changed in Drupal core with the introduction of the Access Policy API
- The anatomy of an access policy — how policies are structured, how they work, and how to write your own
- How to decide when to use roles, policies, or both
- How access policies can save time for site administrators by reducing role clutter and simplifying permission management
- What documentation and community resources exist for understanding it
If you’ve ever struggled to model complex access rules cleanly in Drupal, this talk will give you new tools — and a new way to think about permissions.