How to Integrate PBAC with Flexprice

Target architecture

Use Policy Vault PBAC for “is this action allowed?” and Flexprice for “how much usage is left, what tier is this customer on, and what should be billed?” Flexprice can represent parent-child customer structures for consolidated billing and usage aggregation, which is useful when your PBAC hierarchy mirrors orgs, teams, projects, or workspaces.

A simple flow is:

  1. Request hits your API.
  2. Policy Vault evaluates identity, role, resource, action, and hierarchy context.
  3. If allowed, the service queries Flexprice for remaining quota or credit balance.
  4. If quota is sufficient, the action proceeds and usage is written to Flexprice.
  5. Flexprice later produces invoices, overages, and spend summaries.

sequenceDiagram
    autonumber
    participant U as User / Client
    participant API as Your API
    participant PBAC as Policy Vault PBAC
    participant FP as Flexprice
    participant GW as Gateway / Quota Guard
    participant BILL as Billing Store / Invoice Job
    U->>API: Request AI action (org, team, project, model, units)
    API->>PBAC: Evaluate policy for actor + resource + action + hierarchy
    PBAC-->>API: Allow / Deny + scope (org/team/project)
    alt Deny
        API-->>U: 403 Forbidden
    else Allow
        API->>FP: Check quota / remaining credits for scope
        FP-->>API: Remaining balance + quota status
        alt Quota exceeded
            API-->>U: 429 Too Many Requests / quota exceeded
        else Quota available
            API->>GW: Authorize and forward request
            GW->>API: Begin processing
            API->>API: Execute AI workload
            API->>FP: Record usage event
            FP-->>API: Usage accepted + updated balance
            API-->>U: Success response
            FP->>BILL: Aggregate usage for invoice / overage / rollup
            BILL-->>FP: Billing finalized
        end
    end

How to map the hierarchy

Model the hierarchy in both systems, but with different responsibilities. In Policy Vault, store org → team → project → user relationships for authorization decisions, such as who can create budgets, override limits, or view spend. In Flexprice, use the customer hierarchy so that usage from children rolls up to a parent for billing and consolidated quota consumption.

Recommended mapping:

  • Policy Vault tenant / org → Flexprice parent customer.
  • Policy Vault team / workspace → Flexprice child customer.
  • Policy Vault user → request actor, not a billing object unless you bill per seat.
  • Policy resource → usage dimension or entitlements dimension in Flexprice, such as tokens, requests, GPU seconds, or model class.

Quota decision pattern

Keep PBAC as the pre-check and Flexprice as the quota ledger. PBAC decides whether the caller may spend from a particular scope, such as “team admin can spend from team budget” or “project lead can consume within project quota,” while Flexprice tells you whether enough balance remains in that scope.

A robust pattern is:

  • Hard authorization in Policy Vault: user can access this model, endpoint, or budget scope.
  • Soft or hard quota check in Flexprice: remaining monthly tokens, credits, or request budget.
  • Final gate in your API gateway or service: deny, throttle, or degrade if quota is exhausted.

This split is important because PBAC is usually better at policy semantics, while Flexprice is better at live billing state and usage aggregation.

Integration steps

  1. Define policy attributes in Policy Vault: org, team, project, role, budget_owner, billing_scope, model_type, and environment.
  2. Create matching customers and hierarchy in Flexprice using parent-child relationships and billing scopes.
  3. Send usage events from your AI or API layer into Flexprice with the same hierarchy IDs you use in PBAC.
  4. Add a quota-check endpoint in your application that first calls Policy Vault, then Flexprice for spend or balance validation.
  5. Emit policy-aware events back into your observability stack so you can audit denied requests, near-limit warnings, and override actions.
  6. Sync administrative changes such as budget increases, parent reassignment, or plan changes from Policy Vault to Flexprice through a small provisioning service.
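
Step 4 and the quota decision pattern above, sketched as an added example (not code from the original page, Policy Vault, or Flexprice): `PolicyStub` and `LedgerStub` are hypothetical in-memory stand-ins for the two services, and all IDs are constructed. The gate fails closed when the policy check errors, never consults the ledger for denied callers, charges the scope the policy decision returned, and checks quota along the parent chain.

```python
# Added example: in-memory stand-ins, not the Policy Vault or Flexprice APIs.
from dataclasses import dataclass

@dataclass
class Decision:
    allowed: bool
    scope: str = ""   # billing scope the policy engine authorizes spending from

class PolicyStub:
    """Hypothetical stand-in for Policy Vault: a set of (actor, action, scope) grants."""
    def __init__(self, grants):
        self.grants = set(grants)
    def evaluate(self, actor, action, scope):
        return Decision((actor, action, scope) in self.grants, scope)

class LedgerStub:
    """Hypothetical stand-in for Flexprice: child usage rolls up to the parent."""
    def __init__(self, balances, parents):
        self.balances, self.parents = dict(balances), dict(parents)
    def chain(self, scope):
        out = []
        while scope is not None:          # walk child -> parent -> ... -> root
            out.append(scope)
            scope = self.parents.get(scope)
        return out
    def remaining(self, scope):
        return min(self.balances.get(s, 0) for s in self.chain(scope))
    def record(self, scope, units):
        for s in self.chain(scope):
            self.balances[s] -= units

def gate(policy, ledger, audit, actor, action, scope, units, workload=lambda: None):
    """Return the HTTP status the flow above would produce."""
    if not isinstance(units, int) or units <= 0:
        return 400                      # negative units would credit the ledger
    try:
        decision = policy.evaluate(actor, action, scope)
    except Exception:
        decision = Decision(False)      # policy engine unreachable: fail closed
    if not decision.allowed:
        audit.append(("deny", actor, scope))
        return 403                      # ledger is never consulted for denied callers
    if ledger.remaining(decision.scope) < units:
        audit.append(("quota_exceeded", actor, decision.scope))
        return 429
    workload()
    ledger.record(decision.scope, units)
    audit.append(("usage", actor, decision.scope, units))
    return 200
```

The check and the usage write are separate calls here, as in the flow above, so concurrent requests can both pass the check before either records usage; a production gate needs the ledger to enforce the limit at write time or to offer an atomic reservation.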