janus-idp
diff --git a/‎plugins/rbac-backend/docs/conditions.md
Lines changed: 38 additions & 2 deletions b/‎plugins/rbac-backend/docs/conditions.md
Lines changed: 38 additions & 2 deletions
diff --git a/‎plugins/rbac-backend/package.json
Lines changed: 3 additions & 2 deletions b/‎plugins/rbac-backend/package.json
Lines changed: 3 additions & 2 deletions
@@ -274,13 +274,49 @@ To utilize this condition to the RBAC REST api you need to wrap it with more inf
 }
 ```
 
+## Conditional Policy Aliases
+
+The RBAC-backend plugin allows for the use of aliases in the conditional policy rule parameters. These aliases are dynamically replaced with corresponding values during the policy evaluation process. Each alias is prefixed with a `$` sign to denote its special function.
+
+### Supported Aliases
+
+1. **`$currentUser`**:
+
+   - **Description**: This alias is replaced with the user entity reference for the user currently requesting access to the resource.
+   - **Example**: If the user "Tom" from the "default" namespace is requesting access, `$currentUser` will be replaced with `user:default/tom`.
+
+2. **`$ownerRefs`**:
+   - **Description**: This alias is replaced with ownership references, typically in the form of an array. The array usually contains the user entity reference and the user's parent group entity reference.
+   - **Example**: For a user "Tom" who belongs to "team-a", `$ownerRefs` will be replaced with `['user:default/tom', 'group:default/team-a']`.
+
+### Example of a Conditional Policy Object with Alias
+
+This condition should allow members of the `role:default/developer` to delete only their own catalogs and no others:
+
+```json
+{
+  "result": "CONDITIONAL",
+  "roleEntityRef": "role:default/developer",
+  "pluginId": "catalog",
+  "resourceType": "catalog-entity",
+  "permissionMapping": ["delete"],
+  "conditions": {
+    "rule": "IS_ENTITY_OWNER",
+    "resourceType": "catalog-entity",
+    "params": {
+      "claims": ["$currentUser"]
+    }
+  }
+}
+```
+
 ## Examples of Conditional Policies
 
 Below are a few examples that can be used on some of the Janus IDP plugins. These can help in determining how based to define conditional policies
 
 ### Keycloak plugin
 
-```JSON
+```json
 {
   "result": "CONDITIONAL",
   "roleEntityRef": "role:default/developer",
@@ -303,7 +339,7 @@ Notice the use of the annotation `keycloak.org/realm` requires the value of `<YO
 
 ### Quay Actions
 
-```JSON
+```json
 {
   "result": "CONDITIONAL",
   "roleEntityRef": "role:default/developer",
 
@@ -42,10 +42,11 @@
     "@backstage/plugin-permission-backend": "^0.5.46",
     "@backstage/plugin-permission-common": "^0.8.0",
     "@backstage/plugin-permission-node": "^0.8.0",
+    "@backstage/types": "^1.1.1",
     "@dagrejs/graphlib": "^2.1.13",
+    "@janus-idp/backstage-plugin-audit-log-node": "1.4.0",
     "@janus-idp/backstage-plugin-rbac-common": "1.8.1",
     "@janus-idp/backstage-plugin-rbac-node": "1.4.0",
-    "@janus-idp/backstage-plugin-audit-log-node": "1.4.0",
     "casbin": "^5.27.1",
     "chokidar": "^3.6.0",
     "csv-parse": "^5.5.5",
@@ -58,8 +59,8 @@
     "yn": "^4.0.0"
   },
   "devDependencies": {
-    "@backstage/cli": "0.26.11",
     "@backstage/backend-test-utils": "0.4.4",
+    "@backstage/cli": "0.26.11",
     "@types/express": "4.17.21",
     "@types/node": "18.19.34",
     "@types/supertest": "2.0.16",