Struct AccessDenied 

pub struct AccessDenied { /* private fields */ }

Error returned when authorization is explicitly denied.

This type is distinct from SDK errors (Error). It represents a successful authorization check that resulted in denial, not a failure to check.

When is AccessDenied Returned?

• check() returns Ok(false) for denial (not an error)
• require() returns Err(AccessDenied) for denial

use inferadb::VaultClient;

async fn example(vault: &VaultClient) -> Result<(), Box<dyn std::error::Error>> {
    // check() - denial is Ok(false), not an error
    let allowed = vault.check("user:alice", "view", "doc:secret").await?;
    if !allowed {
        println!("Access denied (but no error)");
    }

    // require() - denial IS an error (AccessDenied)
    vault.check("user:alice", "view", "doc:secret")
        .require()
        .await?; // Returns Err(AccessDenied) if denied

    Ok(())
}

Key Invariant

AccessDenied is NOT the same as ErrorKind::Forbidden:

Type	Meaning	Example
AccessDenied	Subject lacks permission to resource	Alice can’t view doc:secret
ErrorKind::Forbidden	API caller lacks control plane permission	Can’t manage vault

Rich Context

AccessDenied includes the authorization context for debugging:

use inferadb::AccessDenied;

fn handle_denied(denied: &AccessDenied) {
    println!("Subject: {}", denied.subject());
    println!("Permission: {}", denied.permission());
    println!("Resource: {}", denied.resource());

    if let Some(reason) = denied.reason() {
        println!("Reason: {}", reason);
    }
}

Implementations

impl AccessDenied

pub fn new( subject: impl Into<Cow<'static, str>>, permission: impl Into<Cow<'static, str>>, resource: impl Into<Cow<'static, str>>, ) -> Self

Creates a new AccessDenied error.

Arguments

• subject - The subject (e.g., “user:alice”) that was denied
• permission - The permission (e.g., “view”) that was checked
• resource - The resource (e.g., “document:readme”) that was checked

Example

use inferadb::AccessDenied;

let denied = AccessDenied::new("user:alice", "delete", "document:readme");
assert_eq!(denied.subject(), "user:alice");
assert_eq!(denied.permission(), "delete");
assert_eq!(denied.resource(), "document:readme");

pub fn subject(&self) -> &str

Returns the subject that was denied access.

This is typically in the format “type:id”, e.g., “user:alice” or “team:engineering”.

pub fn permission(&self) -> &str

Returns the permission that was checked.

For example: “view”, “edit”, “delete”, “admin”.

pub fn resource(&self) -> &str

Returns the resource that was checked.

This is typically in the format “type:id”, e.g., “document:readme” or “folder:reports”.

pub fn reason(&self) -> Option<&str>

Returns the denial reason, if available.

The reason provides additional context about why access was denied. This may include information about missing relationships or failed conditions.

pub fn request_id(&self) -> Option<&str>

Returns the request ID, if available.

Include this in logs for debugging and support correlation.

pub fn with_reason(self, reason: impl Into<Cow<'static, str>>) -> Self

Sets the denial reason.

pub fn with_request_id(self, request_id: impl Into<String>) -> Self

Sets the request ID.

pub fn to_log_string(&self) -> String

Returns a formatted string suitable for logging.

This includes all available context in a structured format.

Trait Implementations

impl Clone for AccessDenied

fn clone(&self) -> AccessDenied

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for AccessDenied

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Display for AccessDenied

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Error for AccessDenied

fn source(&self) -> Option<&(dyn Error + 'static)>

Returns the lower-level source of this error, if any.

fn description(&self) -> &str

👎Deprecated since 1.42.0: use the Display impl or to_string()

fn cause(&self) -> Option<&dyn Error>

👎Deprecated since 1.33.0: replaced by Error::source, which can support downcasting

fn provide<'a>(&'a self, request: &mut Request<'a>)

🔬This is a nightly-only experimental API. (error_generic_member_access)

Provides type-based access to context intended for error reports.

impl From<AccessDenied> for Error

Allows converting AccessDenied to the main Error type.

Note: This creates an Error with kind Forbidden, but AccessDenied and ErrorKind::Forbidden have different semantic meanings:

• AccessDenied: Subject lacks permission (data plane)
• ErrorKind::Forbidden: Caller lacks API permission (control plane)

fn from(denied: AccessDenied) -> Self

Converts to this type from the input type.