chore(docs): DSPX-2959 use shorthand enum names in subject mapping docs

marythought · claude · marythought · commit 2cc862d7a230 · 2026-04-27T11:12:57.000-07:00
Replace verbose proto enum names and numeric codes with readable shorthand aliases (IN, NOT_IN, IN_CONTAINS, AND, OR) throughout subject mapping documentation. The platform now accepts these via HTTP middleware (opentdf/platform#3401). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/docs/components/policy/subject_mappings.md b/docs/components/policy/subject_mappings.md
@@ -57,6 +57,10 @@ Subject Condition Sets can also optionally be associated with a namespace. See [
 
 ### Operators
 
+:::tip Shorthand enum names
+The API accepts readable shorthand names (e.g., `IN`, `AND`) in addition to full canonical proto names (e.g., `SUBJECT_MAPPING_OPERATOR_ENUM_IN`, `CONDITION_BOOLEAN_TYPE_ENUM_AND`). The examples below use shorthand names.
+:::
+
 #### Condition Operators
 
 Each Condition uses an operator to compare the entity's claim (extracted by the selector) against the list of expected values.
diff --git a/docs/guides/subject-mapping-guide.md b/docs/guides/subject-mapping-guide.md
@@ -157,18 +157,22 @@ The selector syntax depends on whether the token claim is a **string** or an **a
 
 ### Operators Explained
 
-| Operator | Value | Behavior | Example |
-|----------|-------|----------|---------|
-| **IN** | `1` | Exact match: value is IN list | `.role` IN `["admin", "editor"]` |
-| **NOT_IN** | `2` | Exclusion: value is NOT IN list | `.department` NOT_IN `["sales"]` |
-| **IN_CONTAINS** | `3` | Substring match | `.email` IN_CONTAINS `["@example.com"]` |
+| Operator | Behavior | Example |
+|----------|----------|---------|
+| **`IN`** | Exact match: value is IN list | `.role` IN `["admin", "editor"]` |
+| **`NOT_IN`** | Exclusion: value is NOT IN list | `.department` NOT_IN `["sales"]` |
+| **`IN_CONTAINS`** | Substring match | `.email` IN_CONTAINS `["@example.com"]` |
 
 ### Boolean Operators
 
-| Operator | Value | Behavior |
-|----------|-------|----------|
-| **AND** | `1` | All conditions must be TRUE |
-| **OR** | `2` | At least one condition must be TRUE |
+| Operator | Behavior |
+|----------|----------|
+| **`AND`** | All conditions must be TRUE |
+| **`OR`** | At least one condition must be TRUE |
+
+:::tip Shorthand enum names
+The API accepts readable shorthand names (`IN`, `NOT_IN`, `IN_CONTAINS`, `AND`, `OR`) as well as the full canonical proto names (e.g., `SUBJECT_MAPPING_OPERATOR_ENUM_IN`, `CONDITION_BOOLEAN_TYPE_ENUM_AND`). Numeric values (`1`, `2`, `3`) also work. The examples in this guide use shorthand names for readability.
+:::
 
 ### Example 1: Multiple Roles (OR)
 
@@ -178,16 +182,16 @@ The selector syntax depends on whether the token claim is a **string** or an **a
 {
   "subject_sets": [{
     "condition_groups": [{
-      "boolean_operator": 2,
+      "boolean_operator": "OR",
       "conditions": [
         {
           "subject_external_selector_value": ".role",
-          "operator": 1,
+          "operator": "IN",
           "subject_external_values": ["admin"]
         },
         {
           "subject_external_selector_value": ".role",
-          "operator": 1,
+          "operator": "IN",
           "subject_external_values": ["editor"]
         }
       ]
@@ -201,10 +205,10 @@ The selector syntax depends on whether the token claim is a **string** or an **a
 {
   "subject_sets": [{
     "condition_groups": [{
-      "boolean_operator": 1,
+      "boolean_operator": "AND",
       "conditions": [{
         "subject_external_selector_value": ".role",
-        "operator": 1,
+        "operator": "IN",
         "subject_external_values": ["admin", "editor"]
       }]
     }]
@@ -220,16 +224,16 @@ The selector syntax depends on whether the token claim is a **string** or an **a
 {
   "subject_sets": [{
     "condition_groups": [{
-      "boolean_operator": 1,
+      "boolean_operator": "AND",
       "conditions": [
         {
           "subject_external_selector_value": ".level",
-          "operator": 1,
+          "operator": "IN",
           "subject_external_values": ["senior", "staff", "principal"]
         },
         {
           "subject_external_selector_value": ".department",
-          "operator": 1,
+          "operator": "IN",
           "subject_external_values": ["engineering"]
         }
       ]
@@ -252,10 +256,10 @@ The selector syntax depends on whether the token claim is a **string** or an **a
 {
   "subject_sets": [{
     "condition_groups": [{
-      "boolean_operator": 1,
+      "boolean_operator": "AND",
       "conditions": [{
         "subject_external_selector_value": ".email",
-        "operator": 3,
+        "operator": "IN_CONTAINS",
         "subject_external_values": ["@example.com"]
       }]
     }]
@@ -279,26 +283,26 @@ The selector syntax depends on whether the token claim is a **string** or an **a
   "subject_sets": [
     {
       "condition_groups": [{
-        "boolean_operator": 1,
+        "boolean_operator": "AND",
         "conditions": [{
           "subject_external_selector_value": ".role",
-          "operator": 1,
+          "operator": "IN",
           "subject_external_values": ["ceo", "cfo", "cto", "vp"]
         }]
       }]
     },
     {
       "condition_groups": [{
-        "boolean_operator": 1,
+        "boolean_operator": "AND",
         "conditions": [
           {
             "subject_external_selector_value": ".level",
-            "operator": 1,
+            "operator": "IN",
             "subject_external_values": ["senior", "staff"]
           },
           {
             "subject_external_selector_value": ".department",
-            "operator": 1,
+            "operator": "IN",
             "subject_external_values": ["finance"]
           }
         ]
@@ -341,7 +345,7 @@ Subject Mapping 1 (linked to `department/value/finance`):
 ```json
 {
   "subject_external_selector_value": ".attributes.department[]",
-  "operator": 1,
+  "operator": "IN",
   "subject_external_values": ["Finance"]
 }
 ```
@@ -350,7 +354,7 @@ Subject Mapping 2 (linked to `country/value/us`):
 ```json
 {
   "subject_external_selector_value": ".attributes.country[]",
-  "operator": 1,
+  "operator": "IN",
   "subject_external_values": ["US"]
 }
 ```
@@ -380,10 +384,10 @@ All attribute values in OpenTDF must be explicitly created before they can be us
   "subject_condition_set": {
     "subject_sets": [{
       "condition_groups": [{
-        "boolean_operator": 1,
+        "boolean_operator": "AND",
         "conditions": [{
           "subject_external_selector_value": ".email",
-          "operator": 1,
+          "operator": "IN",
           "subject_external_values": ["alice@example.com"]
         }]
       }]
@@ -396,7 +400,7 @@ All attribute values in OpenTDF must be explicitly created before they can be us
 
 ### Recommended: Pattern-Based Access
 
-Use `IN_CONTAINS` (operator `3`) to match token claim substrings, covering many users with one Subject Mapping:
+Use `IN_CONTAINS` to match token claim substrings, covering many users with one Subject Mapping:
 
 ```json
 {
@@ -405,10 +409,10 @@ Use `IN_CONTAINS` (operator `3`) to match token claim substrings, covering many
   "subject_condition_set": {
     "subject_sets": [{
       "condition_groups": [{
-        "boolean_operator": 1,
+        "boolean_operator": "AND",
         "conditions": [{
           "subject_external_selector_value": ".email",
-          "operator": 3,
+          "operator": "IN_CONTAINS",
           "subject_external_values": ["@example.com"]
         }]
       }]
@@ -498,10 +502,10 @@ Attribute value FQN: `https://example.com/attr/clearance/value/confidential`
   "subject_condition_set": {
     "subject_sets": [{
       "condition_groups": [{
-        "boolean_operator": 1,
+        "boolean_operator": "AND",
         "conditions": [{
           "subject_external_selector_value": ".realm_access.roles[]",
-          "operator": 1,
+          "operator": "IN",
           "subject_external_values": ["admin"]
         }]
       }]
@@ -520,10 +524,10 @@ Attribute value FQN: `https://example.com/attr/clearance/value/confidential`
 {
   "subject_sets": [{
     "condition_groups": [{
-      "boolean_operator": 1,
+      "boolean_operator": "AND",
       "conditions": [{
         "subject_external_selector_value": ".groups[]",
-        "operator": 3,
+        "operator": "IN_CONTAINS",
         "subject_external_values": ["/finance/"]
       }]
     }]
@@ -548,16 +552,16 @@ The trailing slash in `/finance/` makes the `IN_CONTAINS` match more precise —
 {
   "subject_sets": [{
     "condition_groups": [{
-      "boolean_operator": 1,
+      "boolean_operator": "AND",
       "conditions": [
         {
           "subject_external_selector_value": ".groups[]",
-          "operator": 3,
+          "operator": "IN_CONTAINS",
           "subject_external_values": ["/finance/"]
         },
         {
           "subject_external_selector_value": ".realm_access.roles[]",
-          "operator": 1,
+          "operator": "IN",
           "subject_external_values": ["admin"]
         }
       ]
@@ -580,7 +584,7 @@ This walkthrough assumes basic familiarity with OpenTDF. If you haven't set up O
 
 ### Step 1: Create Subject Condition Set
 
-This example matches any user whose `.email` claim contains `@example.com`. The numeric values are enum codes — `boolean_operator: 1` = AND (all conditions must be true), `operator: 3` = IN_CONTAINS (substring match). See [Operators Explained](#operators-explained) for the full list.
+This example matches any user whose `.email` claim contains `@example.com`. `boolean_operator: "AND"` means all conditions must be true, and `operator: "IN_CONTAINS"` performs a substring match. See [Operators Explained](#operators-explained) for the full list.
 
 `subject_external_selector_value` is a path into the JWT your IdP issues — `.email` selects the top-level `email` claim. If your claim is named differently, use `otdfctl dev selectors generate --subject "<your-jwt>"` to see all available selectors. See [Selectors: String vs. Array Claims](#selectors-string-vs-array-claims) for the full syntax.
 
@@ -591,10 +595,10 @@ otdfctl policy subject-condition-sets create \
   --subject-sets '[
     {
       "condition_groups": [{
-        "boolean_operator": 1,
+        "boolean_operator": "AND",
         "conditions": [{
           "subject_external_selector_value": ".email",
-          "operator": 3,
+          "operator": "IN_CONTAINS",
           "subject_external_values": ["@example.com"]
         }]
       }]
@@ -762,7 +766,7 @@ Use `.groups[]` (not `.groups`) to match each element:
 ```json
 {
   "subject_external_selector_value": ".groups[]",
-  "operator": 1,
+  "operator": "IN",
   "subject_external_values": ["admin"]
 }
 ```
@@ -799,10 +803,10 @@ otdfctl policy subject-condition-sets create \
   --subject-sets '[
     {
       "condition_groups": [{
-        "boolean_operator": 1,
+        "boolean_operator": "AND",
         "conditions": [{
           "subject_external_selector_value": ".clientId",
-          "operator": 1,
+          "operator": "IN",
           "subject_external_values": ["my-service-account-client-id"]
         }]
       }]
@@ -874,10 +878,10 @@ otdfctl policy subject-condition-sets create \
   --subject-sets '[
     {
       "condition_groups": [{
-        "boolean_operator": 1,
+        "boolean_operator": "AND",
         "conditions": [{
           "subject_external_selector_value": ".department",
-          "operator": 1,
+          "operator": "IN",
           "subject_external_values": ["engineering"]
         }]
       }]
diff --git a/docs/sdks/policy.mdx b/docs/sdks/policy.mdx
@@ -903,7 +903,7 @@ await platform.v1.attributes.listAttributeValues({ ... })
 | Parameter | Type | Required | Description |
 |-----------|------|----------|-------------|
 | `attributeId` | `string` (UUID) | Yes | The parent attribute ID. |
-| `state` | `string` | No | Filter by state: `ACTIVE_STATE_ENUM_ACTIVE` (default), `ACTIVE_STATE_ENUM_INACTIVE`, or `ACTIVE_STATE_ENUM_ANY`. |
+| `state` | `string` | No | Filter by state: `ACTIVE` (default), `INACTIVE`, or `ANY`. Full canonical names (e.g., `ACTIVE_STATE_ENUM_ACTIVE`) are also accepted. |
 
 **Example**
 
@@ -1365,7 +1365,7 @@ Empty response. The value is soft-deleted and will no longer appear in listings
 | `id` | `string` (UUID) | Unique identifier, generated by the platform. |
 | `name` | `string` | The attribute name (e.g., `department`, `clearance`). |
 | `fqn` | `string` | Fully qualified name, e.g., `https://opentdf.io/attr/department`. |
-| `rule` | `string` | Access rule: `ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF`, `ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF`, or `ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY`. |
+| `rule` | `string` | Access rule: `ALL_OF`, `ANY_OF`, or `HIERARCHY`. Full canonical names (e.g., `ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF`) are also accepted. |
 | `values` | `[]Value` | The [attribute values](#attribute-value-object) defined under this attribute. |
 | `namespace` | `Namespace` | The parent [Namespace](#namespace-object). |
 | `active` | `bool` | `true` until explicitly deactivated. |
@@ -1947,7 +1947,7 @@ SubjectConditionSet
 
 | Field | Type | Description |
 |-------|------|-------------|
-| `booleanOperator` | `string` | How to combine conditions: `CONDITION_BOOLEAN_TYPE_ENUM_AND` or `CONDITION_BOOLEAN_TYPE_ENUM_OR`. |
+| `booleanOperator` | `string` | How to combine conditions: `AND` or `OR`. Full canonical names (e.g., `CONDITION_BOOLEAN_TYPE_ENUM_AND`) are also accepted. |
 | `conditions` | `[]Condition` | One or more [conditions](#condition) to evaluate. |
 
 ### Condition
@@ -1964,9 +1964,11 @@ A single claim match against an entity's token.
 
 | Operator | Description |
 |----------|-------------|
-| `SUBJECT_MAPPING_OPERATOR_ENUM_IN` | The claim value must exactly match one of the `subjectExternalValues`. |
-| `SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN` | The claim value must not match any of the `subjectExternalValues`. |
-| `SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS` | The claim value must contain (substring match) one of the `subjectExternalValues`. |
+| `IN` | The claim value must exactly match one of the `subjectExternalValues`. |
+| `NOT_IN` | The claim value must not match any of the `subjectExternalValues`. |
+| `IN_CONTAINS` | The claim value must contain (substring match) one of the `subjectExternalValues`. |
+
+Full canonical names (e.g., `SUBJECT_MAPPING_OPERATOR_ENUM_IN`) are also accepted.
 
 **Example:** "Match entities whose `.clientId` is `my-service` AND whose `.realm_access.roles` contains `developer`":
 
@@ -1976,16 +1978,16 @@ A single claim match against an entity's token.
     {
       "conditionGroups": [
         {
-          "booleanOperator": "CONDITION_BOOLEAN_TYPE_ENUM_AND",
+          "booleanOperator": "AND",
           "conditions": [
             {
               "subjectExternalSelectorValue": ".clientId",
-              "operator": "SUBJECT_MAPPING_OPERATOR_ENUM_IN",
+              "operator": "IN",
               "subjectExternalValues": ["my-service"]
             },
             {
               "subjectExternalSelectorValue": ".realm_access.roles",
-              "operator": "SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS",
+              "operator": "IN_CONTAINS",
               "subjectExternalValues": ["developer"]
             }
           ]
