[#55 ] router: Inmemory implementation should take empty name for "root"

Signed-off-by: Airat Arifullin <aarifullin@yadro.com>
[#54 ] morph: Introduce ContractStorageReader
2024-03-04 18:12:11 +03:00 · 2024-03-01 08:05:25 +00:00 · 2024-03-01 08:05:25 +00:00 · 2024-02-26 12:42:15 +03:00 · 2024-02-06 14:12:36 +03:00 · 2024-02-06 12:58:42 +03:00
36 changed files with 4606 additions and 506 deletions
--- a/.forgejo/workflows/dco.yml
+++ b/.forgejo/workflows/dco.yml
@ -16,6 +16,6 @@ jobs:
          go-version: '1.21'

      - name: Run commit format checker
-        uses: https://git.frostfs.info/TrueCloudLab/dco-go@v2
+        uses: https://git.frostfs.info/TrueCloudLab/dco-go@v3
        with:
          from: 'origin/${{ github.event.pull_request.base.ref }}'
--- a/.gitattributes
+++ b/.gitattributes
@ -1,2 +1,4 @@
 /**/*.pb.go -diff -merge
 /**/*.pb.go linguist-generated=true
+/**/*_easyjson.go -diff -merge
+/**/*_easyjson.go linguist-generated=true
--- a/14
+++ b/14
@ -5,6 +5,8 @@ TMP_DIR := .cache
 OUTPUT_LINT_DIR ?= $(shell pwd)/bin
 LINT_VERSION ?= 1.55.1
 LINT_DIR = $(OUTPUT_LINT_DIR)/golangci-lint-$(LINT_VERSION)-v$(TRUECLOUDLAB_LINT_VERSION)
+EASYJSON_VERSION ?= $(shell go list -f '{{.Version}}' -m github.com/mailru/easyjson)
+EASYJSON_DIR ?= $(shell pwd)/bin/easyjson-$(EASYJSON_VERSION)

 # Run all code formatters
 fmts: fmt imports
@ -60,3 +62,15 @@ staticcheck-install:
 # Run staticcheck
 staticcheck-run:
 	@staticcheck ./...
+
+easyjson-install:
+	@rm -rf $(EASYJSON_DIR)
+	@mkdir -p $(EASYJSON_DIR)
+	@GOBIN=$(EASYJSON_DIR) go install github.com/mailru/easyjson/...@$(EASYJSON_VERSION)
+
+generate:
+	@if [ ! -d "$(EASYJSON_DIR)" ]; then \
+		make easyjson-install; \
+	fi
+	find ./ -name "_easyjson.go" -exec rm -rf {} \;
+	$(EASYJSON_DIR)/easyjson ./pkg/chain/chain.go
--- a/docs/resource.md
+++ b/docs/resource.md
@ -0,0 +1,20 @@
+# Resource
+
+From the point of the access policy engine, a resource is an object to which a request is being performed. 
+This can be an object in a container within a namespace, or all objects in a container,
+or all containers within the root namespace etc.
+
+A resource can be viewed from two sides:
+ - As part of a [request](../pkg/resource/resource.go). In this case a resource has a name and properties.
+ - As part of rule [chain](../pkg/chain/chain.go): a resource has just a name.
+
+## Resource name
+
+A resource name must have a such format that can be processed by a chain router that matches a request
+either with local overrides or with rules within policy contract to get if this request is allowed to be performed.
+The main idea of this format is for the chain router to match by full name (`native:object//cnrID/objID`) or
+wildcard (`native:object//cnrID/*`).
+
+Check out formats that are defined in the schema: [native formats](../schema/native/consts.go), [s3 formats](../schema/s3/consts.go).
+You should validate a resource name using [util](../schema/native/util/validation.go) before instantiating a request or
+before putting it to either to local override storage or the policy contract storage.
--- a/go.mod
+++ b/go.mod
@ -2,10 +2,27 @@ module git.frostfs.info/TrueCloudLab/policy-engine

 go 1.20

-require github.com/stretchr/testify v1.8.1
+require (
+	git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231129062201-a1b61d394958
+	github.com/google/uuid v1.3.0
+	github.com/mailru/easyjson v0.7.7
+	github.com/nspcc-dev/neo-go v0.103.0
+	github.com/stretchr/testify v1.8.4
+	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
+)

 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 // indirect
+	github.com/hashicorp/golang-lru v0.6.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/mr-tron/base58 v1.2.0 // indirect
+	github.com/nspcc-dev/go-ordered-json v0.0.0-20220111165707-25110be27d22 // indirect
+	github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20231020160724-c3955f87d1b5 // indirect
+	github.com/nspcc-dev/rfc6979 v0.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,17 +1,49 @@
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231129062201-a1b61d394958 h1:X9yPizADIhD3K/gdKVCthlAnf9aQ3UJJGnZgIwwixRQ=
+git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231129062201-a1b61d394958/go.mod h1:rQWdsG18NaiFvkJpMguJev913KD/yleHaniRBkUyt0o=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 h1:YLtO71vCjJRCBcrPMtQ9nqBsqpA1m5sE92cU+pd5Mcc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs=
+github.com/golang/snappy v0.0.1 h1:Qgr9rKW7uDUkrbSmQeiDsGa8SjGyCOGtuasMWwvp2P4=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
+github.com/hashicorp/golang-lru v0.6.0 h1:uL2shRDx7RTrOrTCUZEGP/wJUFiUI8QT6E7z5o8jga4=
+github.com/hashicorp/golang-lru v0.6.0/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o=
+github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
+github.com/nspcc-dev/go-ordered-json v0.0.0-20220111165707-25110be27d22 h1:n4ZaFCKt1pQJd7PXoMJabZWK9ejjbLOVrkl/lOUmshg=
+github.com/nspcc-dev/go-ordered-json v0.0.0-20220111165707-25110be27d22/go.mod h1:79bEUDEviBHJMFV6Iq6in57FEOCMcRhfQnfaf0ETA5U=
+github.com/nspcc-dev/neo-go v0.103.0 h1:UVyWPhzZdfYFG35ORP3FRDLh8J/raRQ6m8SptDdlgfM=
+github.com/nspcc-dev/neo-go v0.103.0/go.mod h1:x+wmcYqpZYJwLp1l/pHZrqNp3RSWlkMymWGDij3/OPo=
+github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20231020160724-c3955f87d1b5 h1:09CpI5uwsxb1EeFPIKQRwwWlfCmDD/Dwwh01lPiQScM=
+github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20231020160724-c3955f87d1b5/go.mod h1:J/Mk6+nKeKSW4wygkZQFLQ6SkLOSGX5Ga0RuuuktEag=
+github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE=
+github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/syndtr/goleveldb v1.0.1-0.20210305035536-64b5b1c73954 h1:xQdMZ1WLrgkkvOZ/LDQxjVxMLdby7osSh4ZEVa5sIjs=
+github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 h1:JwtAtbp7r/7QSyGz8mKUbYJBg2+6Cd7OjM8o/GNOcVo=
+github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74/go.mod h1:RmMWU37GKR2s6pgrIEB4ixgpVCt/cf7dnJv3fuH1J1c=
+go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ=
+golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/iam/converter.go
+++ b/iam/converter.go
@ -1,17 +1,17 @@
 package iam

 import (
+	"errors"
 	"fmt"
 	"strconv"
 	"strings"
 	"time"
+	"unicode/utf8"

 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 )

-const (
-	RequestOwnerProperty = "Owner"
-)
+const condKeyAWSPrincipalARN = "aws:PrincipalArn"

 const (
 	// String condition operators.
@ -50,170 +50,158 @@ const (
 	CondArnLike      string = "ArnLike"
 	CondArnNotEquals string = "ArnNotEquals"
 	CondArnNotLike   string = "ArnNotLike"
+
+	// Custom condition operators.
+	CondSliceContains string = "SliceContains"
 )

-func (p Policy) ToChain() (*chain.Chain, error) {
-	if err := p.Validate(GeneralPolicyType); err != nil {
+const (
+	arnIAMPrefix     = "arn:aws:iam::"
+	s3ResourcePrefix = "arn:aws:s3:::"
+	s3ActionPrefix   = "s3:"
+	iamActionPrefix  = "iam:"
+)
+
+var (
+	// ErrInvalidPrincipalFormat occurs when principal has unknown/unsupported format.
+	ErrInvalidPrincipalFormat = errors.New("invalid principal format")
+
+	// ErrInvalidResourceFormat occurs when resource has unknown/unsupported format.
+	ErrInvalidResourceFormat = errors.New("invalid resource format")
+
+	// ErrInvalidActionFormat occurs when action has unknown/unsupported format.
+	ErrInvalidActionFormat = errors.New("invalid action format")
+
+	// ErrActionsNotApplicable occurs when failed to convert any actions.
+	ErrActionsNotApplicable = errors.New("actions not applicable")
+)
+
+type formPrincipalConditionFunc func(string) chain.Condition
+
+type transformConditionFunc func(gr GroupedConditions) (GroupedConditions, error)
+
+func convertToChainConditions(c Conditions, transformer transformConditionFunc) ([]GroupedConditions, error) {
+	conditions, err := convertToChainCondition(c)
+	if err != nil {
 		return nil, err
 	}

-	var ch chain.Chain
-
-	for _, statement := range p.Statement {
-		status := chain.AccessDenied
-		if statement.Effect == AllowEffect {
-			status = chain.Allow
+	for i := range conditions {
+		if conditions[i], err = transformer(conditions[i]); err != nil {
+			return nil, fmt.Errorf("transform condition: %w", err)
 		}
+	}

-		var principals []string
-		var op chain.ConditionType
-		statementPrincipal, inverted := statement.principal()
-		if _, ok := statementPrincipal[Wildcard]; ok { // this can be true only if 'inverted' false
-			principals = []string{Wildcard}
-			op = chain.CondStringLike
-		} else {
-			for _, principal := range statementPrincipal {
-				principals = append(principals, principal...)
-			}
+	return conditions, nil
+}

-			op = chain.CondStringEquals
-			if inverted {
-				op = chain.CondStringNotEquals
-			}
-		}
+type GroupedConditions struct {
+	Conditions []chain.Condition
+	Any        bool
+}

-		var conditions []chain.Condition
-		for _, principal := range principals {
-			conditions = append(conditions, chain.Condition{
-				Op:     op,
-				Object: chain.ObjectRequest,
-				Key:    RequestOwnerProperty,
-				Value:  principal,
-			})
-		}
+func convertToChainCondition(c Conditions) ([]GroupedConditions, error) {
+	var grouped []GroupedConditions

-		conds, err := statement.Conditions.ToChainCondition()
+	for op, KVs := range c {
+		condType, convertValue, err := getConditionTypeAndConverter(op)
 		if err != nil {
 			return nil, err
 		}
-		conditions = append(conditions, conds...)
-
-		action, actionInverted := statement.action()
-		ruleAction := chain.Actions{Inverted: actionInverted, Names: action}
-
-		resource, resourceInverted := statement.resource()
-		ruleResource := chain.Resources{Inverted: resourceInverted, Names: resource}
-
-		r := chain.Rule{
-			Status:    status,
-			Actions:   ruleAction,
-			Resources: ruleResource,
-			Any:       true,
-			Condition: conditions,
-		}
-		ch.Rules = append(ch.Rules, r)
-	}
-
-	return &ch, nil
-}
-
-//nolint:funlen
-func (c Conditions) ToChainCondition() ([]chain.Condition, error) {
-	var conditions []chain.Condition
-
-	var convertValue convertFunction
-
-	for op, KVs := range c {
-		var condType chain.ConditionType
-
-		switch {
-		case strings.HasPrefix(op, "String"):
-			convertValue = noConvertFunction
-			switch op {
-			case CondStringEquals:
-				condType = chain.CondStringEquals
-			case CondStringNotEquals:
-				condType = chain.CondStringNotEquals
-			case CondStringEqualsIgnoreCase:
-				condType = chain.CondStringEqualsIgnoreCase
-			case CondStringNotEqualsIgnoreCase:
-				condType = chain.CondStringNotEqualsIgnoreCase
-			case CondStringLike:
-				condType = chain.CondStringLike
-			case CondStringNotLike:
-				condType = chain.CondStringNotLike
-			default:
-				return nil, fmt.Errorf("unsupported condition operator: '%s'", op)
-			}
-		case strings.HasPrefix(op, "Arn"):
-			convertValue = noConvertFunction
-			switch op {
-			case CondArnEquals:
-				condType = chain.CondStringEquals
-			case CondArnNotEquals:
-				condType = chain.CondStringNotEquals
-			case CondArnLike:
-				condType = chain.CondStringLike
-			case CondArnNotLike:
-				condType = chain.CondStringNotLike
-			default:
-				return nil, fmt.Errorf("unsupported condition operator: '%s'", op)
-			}
-		case strings.HasPrefix(op, "Numeric"):
-			// TODO
-		case strings.HasPrefix(op, "Date"):
-			convertValue = dateConvertFunction
-			switch op {
-			case CondDateEquals:
-				condType = chain.CondStringEquals
-			case CondDateNotEquals:
-				condType = chain.CondStringNotEquals
-			case CondDateLessThan:
-				condType = chain.CondStringLessThan
-			case CondDateLessThanEquals:
-				condType = chain.CondStringLessThanEquals
-			case CondDateGreaterThan:
-				condType = chain.CondStringGreaterThan
-			case CondDateGreaterThanEquals:
-				condType = chain.CondStringGreaterThanEquals
-			default:
-				return nil, fmt.Errorf("unsupported condition operator: '%s'", op)
-			}
-		case op == CondBool:
-			convertValue = noConvertFunction
-			condType = chain.CondStringEqualsIgnoreCase
-		case op == CondIPAddress:
-			// todo consider using converters
-			//  "203.0.113.0/24" -> "203.0.113.*",
-			//  "2001:DB8:1234:5678::/64" -> "2001:DB8:1234:5678:*"
-			//  or having specific condition type for IP
-			convertValue = noConvertFunction
-			condType = chain.CondStringLike
-		case op == CondNotIPAddress:
-			convertValue = noConvertFunction
-			condType = chain.CondStringNotLike
-		default:
-			return nil, fmt.Errorf("unsupported condition operator: '%s'", op)
-		}

 		for key, values := range KVs {
-			for _, val := range values {
+			group := GroupedConditions{
+				Conditions: make([]chain.Condition, len(values)),
+				Any:        len(values) > 1,
+			}
+
+			for i, val := range values {
 				converted, err := convertValue(val)
 				if err != nil {
 					return nil, err
 				}

-				conditions = append(conditions, chain.Condition{
+				group.Conditions[i] = chain.Condition{
 					Op:     condType,
 					Object: chain.ObjectRequest,
 					Key:    key,
 					Value:  converted,
-				})
+				}
 			}
+			grouped = append(grouped, group)
 		}
 	}

-	return conditions, nil
+	return grouped, nil
+}
+
+func getConditionTypeAndConverter(op string) (chain.ConditionType, convertFunction, error) {
+	switch {
+	case strings.HasPrefix(op, "String"):
+		switch op {
+		case CondStringEquals:
+			return chain.CondStringEquals, noConvertFunction, nil
+		case CondStringNotEquals:
+			return chain.CondStringNotEquals, noConvertFunction, nil
+		case CondStringEqualsIgnoreCase:
+			return chain.CondStringEqualsIgnoreCase, noConvertFunction, nil
+		case CondStringNotEqualsIgnoreCase:
+			return chain.CondStringNotEqualsIgnoreCase, noConvertFunction, nil
+		case CondStringLike:
+			return chain.CondStringLike, noConvertFunction, nil
+		case CondStringNotLike:
+			return chain.CondStringNotLike, noConvertFunction, nil
+		default:
+			return 0, nil, fmt.Errorf("unsupported condition operator: '%s'", op)
+		}
+	case strings.HasPrefix(op, "Arn"):
+		switch op {
+		case CondArnEquals:
+			return chain.CondStringEquals, noConvertFunction, nil
+		case CondArnNotEquals:
+			return chain.CondStringNotEquals, noConvertFunction, nil
+		case CondArnLike:
+			return chain.CondStringLike, noConvertFunction, nil
+		case CondArnNotLike:
+			return chain.CondStringNotLike, noConvertFunction, nil
+		default:
+			return 0, nil, fmt.Errorf("unsupported condition operator: '%s'", op)
+		}
+	case strings.HasPrefix(op, "Numeric"):
+		// TODO
+		return 0, nil, fmt.Errorf("currently nummeric conditions unsupported: '%s'", op)
+	case strings.HasPrefix(op, "Date"):
+		switch op {
+		case CondDateEquals:
+			return chain.CondStringEquals, dateConvertFunction, nil
+		case CondDateNotEquals:
+			return chain.CondStringNotEquals, dateConvertFunction, nil
+		case CondDateLessThan:
+			return chain.CondStringLessThan, dateConvertFunction, nil
+		case CondDateLessThanEquals:
+			return chain.CondStringLessThanEquals, dateConvertFunction, nil
+		case CondDateGreaterThan:
+			return chain.CondStringGreaterThan, dateConvertFunction, nil
+		case CondDateGreaterThanEquals:
+			return chain.CondStringGreaterThanEquals, dateConvertFunction, nil
+		default:
+			return 0, nil, fmt.Errorf("unsupported condition operator: '%s'", op)
+		}
+	case op == CondBool:
+		return chain.CondStringEqualsIgnoreCase, noConvertFunction, nil
+	case op == CondIPAddress:
+		// todo consider using converters
+		//  "203.0.113.0/24" -> "203.0.113.*",
+		//  "2001:DB8:1234:5678::/64" -> "2001:DB8:1234:5678:*"
+		//  or having specific condition type for IP
+		return chain.CondStringLike, noConvertFunction, nil
+	case op == CondNotIPAddress:
+		return chain.CondStringNotLike, noConvertFunction, nil
+	case op == CondSliceContains:
+		return chain.CondSliceContains, noConvertFunction, nil
+	default:
+		return 0, nil, fmt.Errorf("unsupported condition operator: '%s'", op)
+	}
 }

 type convertFunction func(string) (string, error)
@ -234,3 +222,98 @@ func dateConvertFunction(val string) (string, error) {

 	return strconv.FormatInt(parsed.UTC().Unix(), 10), nil
 }
+
+func parsePrincipalAsIAMUser(principal string) (account string, user string, err error) {
+	if !strings.HasPrefix(principal, arnIAMPrefix) {
+		return "", "", ErrInvalidPrincipalFormat
+	}
+
+	// iam arn format arn:aws:iam::<account>:user/<user-name-with-path>
+	iamResource := strings.TrimPrefix(principal, arnIAMPrefix)
+	sepIndex := strings.Index(iamResource, ":user/")
+	if sepIndex < 0 {
+		return "", "", ErrInvalidPrincipalFormat
+	}
+
+	account = iamResource[:sepIndex]
+	user = iamResource[sepIndex+6:]
+	if len(user) == 0 {
+		return "", "", ErrInvalidPrincipalFormat
+	}
+
+	userNameIndex := strings.LastIndexByte(user, '/')
+	if userNameIndex > -1 {
+		user = user[userNameIndex+1:]
+		if len(user) == 0 {
+			return "", "", ErrInvalidPrincipalFormat
+		}
+	}
+
+	return account, user, nil
+}
+
+func validateResource(resource string) error {
+	if resource == Wildcard {
+		return nil
+	}
+
+	if !strings.HasPrefix(resource, s3ResourcePrefix) && !strings.HasPrefix(resource, arnIAMPrefix) {
+		return ErrInvalidResourceFormat
+	}
+
+	index := strings.IndexByte(resource, Wildcard[0])
+	if index != -1 && index != utf8.RuneCountInString(resource)-1 {
+		return ErrInvalidResourceFormat
+	}
+
+	return nil
+}
+
+func validateAction(action string) error {
+	if action == Wildcard {
+		return nil
+	}
+
+	if !strings.HasPrefix(action, s3ActionPrefix) && !strings.HasPrefix(action, iamActionPrefix) {
+		return ErrInvalidActionFormat
+	}
+
+	index := strings.IndexByte(action, Wildcard[0])
+	if index != -1 && index != utf8.RuneCountInString(action)-1 {
+		return ErrInvalidActionFormat
+	}
+
+	return nil
+}
+
+func splitGroupedConditions(groupedConditions []GroupedConditions) [][]chain.Condition {
+	var orConditions []chain.Condition
+	commonConditions := make([]chain.Condition, 0, len(groupedConditions))
+	for _, grouped := range groupedConditions {
+		if grouped.Any {
+			orConditions = append(orConditions, grouped.Conditions...)
+		} else {
+			commonConditions = append(commonConditions, grouped.Conditions...)
+		}
+	}
+
+	if len(orConditions) == 0 {
+		return [][]chain.Condition{commonConditions}
+	}
+
+	res := make([][]chain.Condition, len(orConditions))
+	for i, condition := range orConditions {
+		res[i] = append([]chain.Condition{condition}, commonConditions...)
+	}
+
+	return res
+}
+
+func formStatus(statement Statement) chain.Status {
+	status := chain.AccessDenied
+	if statement.Effect == AllowEffect {
+		status = chain.Allow
+	}
+
+	return status
+}
--- a/iam/converter_native.go
+++ b/iam/converter_native.go
@ -0,0 +1,355 @@
+package iam
+
+import (
+	"fmt"
+	"strings"
+
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
+)
+
+const PropertyKeyFilePath = "FilePath"
+
+var supportedActionToNativeOpMap = map[string][]string{
+	supportedS3NativeActionDeleteObject: {native.MethodDeleteObject, native.MethodHeadObject},
+	supportedS3NativeActionHeadObject:   {native.MethodHeadObject},
+	supportedS3NativeActionGetObject:    {native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
+	supportedS3NativeActionPutObject:    {native.MethodPutObject},
+	supportedS3NativeActionListBucket:   {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
+
+	supportedS3NativeActionCreateBucket:    {native.MethodPutContainer},
+	supportedS3NativeActionDeleteBucket:    {native.MethodDeleteContainer},
+	supportedS3NativeActionListAllMyBucket: {native.MethodListContainers},
+	supportedS3NativeActionPutBucketACL:    {native.MethodSetContainerEACL},
+	supportedS3NativeActionGetBucketACL:    {native.MethodGetContainerEACL},
+}
+
+var containerNativeOperations = map[string]struct{}{
+	native.MethodPutContainer:     {},
+	native.MethodDeleteContainer:  {},
+	native.MethodGetContainer:     {},
+	native.MethodListContainers:   {},
+	native.MethodSetContainerEACL: {},
+	native.MethodGetContainerEACL: {},
+}
+
+var objectNativeOperations = map[string]struct{}{
+	native.MethodGetObject:    {},
+	native.MethodPutObject:    {},
+	native.MethodHeadObject:   {},
+	native.MethodDeleteObject: {},
+	native.MethodSearchObject: {},
+	native.MethodRangeObject:  {},
+	native.MethodHashObject:   {},
+}
+
+const (
+	supportedS3NativeActionDeleteObject = "s3:DeleteObject"
+	supportedS3NativeActionGetObject    = "s3:GetObject"
+	supportedS3NativeActionHeadObject   = "s3:HeadObject"
+	supportedS3NativeActionPutObject    = "s3:PutObject"
+	supportedS3NativeActionListBucket   = "s3:ListBucket"
+
+	supportedS3NativeActionCreateBucket    = "s3:CreateBucket"
+	supportedS3NativeActionDeleteBucket    = "s3:DeleteBucket"
+	supportedS3NativeActionListAllMyBucket = "s3:ListAllMyBuckets"
+	supportedS3NativeActionPutBucketACL    = "s3:PutBucketAcl"
+	supportedS3NativeActionGetBucketACL    = "s3:GetBucketAcl"
+)
+
+type NativeResolver interface {
+	GetUserKey(account, name string) (string, error)
+	GetBucketInfo(bucket string) (*BucketInfo, error)
+}
+
+type BucketInfo struct {
+	Namespace string
+	Container string
+}
+
+func ConvertToNativeChain(p Policy, resolver NativeResolver) (*chain.Chain, error) {
+	if err := p.Validate(ResourceBasedPolicyType); err != nil {
+		return nil, err
+	}
+
+	var engineChain chain.Chain
+
+	for _, statement := range p.Statement {
+		status := formStatus(statement)
+
+		action, actionInverted := statement.action()
+		nativeActions, err := formNativeActionNames(action)
+		if err != nil {
+			return nil, err
+		}
+		ruleAction := chain.Actions{Inverted: actionInverted, Names: nativeActions}
+		if len(ruleAction.Names) == 0 {
+			continue
+		}
+
+		resource, resourceInverted := statement.resource()
+		groupedResources, err := formNativeResourceNamesAndConditions(resource, resolver, getActionTypes(nativeActions))
+		if err != nil {
+			return nil, err
+		}
+
+		groupedConditions, err := convertToNativeChainCondition(statement.Conditions, resolver)
+		if err != nil {
+			return nil, err
+		}
+		splitConditions := splitGroupedConditions(groupedConditions)
+
+		principals, principalCondFn, err := getNativePrincipalsAndConditionFunc(statement, resolver)
+		if err != nil {
+			return nil, err
+		}
+
+		for _, groupedResource := range groupedResources {
+			for _, principal := range principals {
+				for _, conditions := range splitConditions {
+					var principalCondition []chain.Condition
+					if principal != Wildcard {
+						principalCondition = []chain.Condition{principalCondFn(principal)}
+					}
+
+					ruleConditions := append(principalCondition, groupedResource.Conditions...)
+
+					r := chain.Rule{
+						Status:  status,
+						Actions: ruleAction,
+						Resources: chain.Resources{
+							Inverted: resourceInverted,
+							Names:    groupedResource.Names,
+						},
+						Condition: append(ruleConditions, conditions...),
+					}
+					engineChain.Rules = append(engineChain.Rules, r)
+				}
+			}
+		}
+	}
+
+	if len(engineChain.Rules) == 0 {
+		return nil, ErrActionsNotApplicable
+	}
+
+	return &engineChain, nil
+}
+
+func getActionTypes(nativeActions []string) ActionTypes {
+	var res ActionTypes
+	for _, action := range nativeActions {
+		if res.Object && res.Container {
+			break
+		}
+
+		_, isObj := objectNativeOperations[action]
+		_, isCnr := containerNativeOperations[action]
+
+		res.Object = isObj || action == Wildcard
+		res.Container = isCnr || action == Wildcard
+	}
+
+	return res
+}
+
+func getNativePrincipalsAndConditionFunc(statement Statement, resolver NativeResolver) ([]string, formPrincipalConditionFunc, error) {
+	var principals []string
+	var op chain.ConditionType
+	statementPrincipal, inverted := statement.principal()
+	if _, ok := statementPrincipal[Wildcard]; ok { // this can be true only if 'inverted' false
+		principals = []string{Wildcard}
+		op = chain.CondStringLike
+	} else {
+		for principalType, principal := range statementPrincipal {
+			if principalType != AWSPrincipalType {
+				return nil, nil, fmt.Errorf("unsupported principal type '%s'", principalType)
+			}
+			parsedPrincipal, err := formNativePrincipal(principal, resolver)
+			if err != nil {
+				return nil, nil, fmt.Errorf("parse principal: %w", err)
+			}
+			principals = append(principals, parsedPrincipal...)
+		}
+
+		op = chain.CondStringEquals
+		if inverted {
+			op = chain.CondStringNotEquals
+		}
+	}
+
+	return principals, func(principal string) chain.Condition {
+		return chain.Condition{
+			Op:     op,
+			Object: chain.ObjectRequest,
+			Key:    native.PropertyKeyActorPublicKey,
+			Value:  principal,
+		}
+	}, nil
+}
+
+func convertToNativeChainCondition(c Conditions, resolver NativeResolver) ([]GroupedConditions, error) {
+	return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
+		for i := range gr.Conditions {
+			if gr.Conditions[i].Key == condKeyAWSPrincipalARN {
+				gr.Conditions[i].Key = native.PropertyKeyActorPublicKey
+				val, err := formPrincipalKey(gr.Conditions[i].Value, resolver)
+				if err != nil {
+					return GroupedConditions{}, err
+				}
+				gr.Conditions[i].Value = val
+			}
+		}
+
+		return gr, nil
+	})
+}
+
+type GroupedResources struct {
+	Names      []string
+	Conditions []chain.Condition
+}
+
+type ActionTypes struct {
+	Object    bool
+	Container bool
+}
+
+func formNativeResourceNamesAndConditions(names []string, resolver NativeResolver, actionTypes ActionTypes) ([]GroupedResources, error) {
+	if !actionTypes.Object && !actionTypes.Container {
+		return nil, ErrActionsNotApplicable
+	}
+
+	res := make([]GroupedResources, 0, len(names))
+
+	var combined []string
+
+	for _, resource := range names {
+		if err := validateResource(resource); err != nil {
+			return nil, err
+		}
+
+		if resource == Wildcard {
+			res = res[:0]
+			return append(res, formWildcardNativeResource(actionTypes)), nil
+		}
+
+		if !strings.HasPrefix(resource, s3ResourcePrefix) {
+			continue
+		}
+
+		var bkt, obj string
+		s3Resource := strings.TrimPrefix(resource, s3ResourcePrefix)
+		if s3Resource == Wildcard {
+			res = res[:0]
+			return append(res, formWildcardNativeResource(actionTypes)), nil
+		}
+
+		if sepIndex := strings.Index(s3Resource, "/"); sepIndex < 0 {
+			bkt = s3Resource
+		} else {
+			bkt = s3Resource[:sepIndex]
+			obj = s3Resource[sepIndex+1:]
+			if len(obj) == 0 {
+				obj = Wildcard
+			}
+		}
+
+		bktInfo, err := resolver.GetBucketInfo(bkt)
+		if err != nil {
+			return nil, err
+		}
+
+		if obj == Wildcard && actionTypes.Object { // this corresponds to arn:aws:s3:::BUCKET/ or arn:aws:s3:::BUCKET/*
+			combined = append(combined, fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, bktInfo.Namespace, bktInfo.Container))
+			continue
+		}
+		if obj == "" && actionTypes.Container { // this corresponds to arn:aws:s3:::BUCKET
+			combined = append(combined, fmt.Sprintf(native.ResourceFormatNamespaceContainer, bktInfo.Namespace, bktInfo.Container))
+			continue
+		}
+
+		res = append(res, GroupedResources{
+			Names: []string{fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, bktInfo.Namespace, bktInfo.Container)},
+			Conditions: []chain.Condition{
+				{
+					Op:     chain.CondStringLike,
+					Object: chain.ObjectResource,
+					Key:    PropertyKeyFilePath,
+					Value:  obj,
+				},
+			},
+		})
+	}
+
+	if len(combined) != 0 {
+		res = append(res, GroupedResources{Names: combined})
+	}
+
+	return res, nil
+}
+
+func formWildcardNativeResource(actionTypes ActionTypes) GroupedResources {
+	groupedNames := make([]string, 0, 2)
+	if actionTypes.Object {
+		groupedNames = append(groupedNames, native.ResourceFormatAllObjects)
+	}
+	if actionTypes.Container {
+		groupedNames = append(groupedNames, native.ResourceFormatAllContainers)
+	}
+
+	return GroupedResources{Names: groupedNames}
+}
+
+func formNativePrincipal(principal []string, resolver NativeResolver) ([]string, error) {
+	res := make([]string, len(principal))
+
+	var err error
+	for i := range principal {
+		if res[i], err = formPrincipalKey(principal[i], resolver); err != nil {
+			return nil, err
+		}
+	}
+
+	return res, nil
+}
+
+func formPrincipalKey(principal string, resolver NativeResolver) (string, error) {
+	account, user, err := parsePrincipalAsIAMUser(principal)
+	if err != nil {
+		return "", err
+	}
+
+	key, err := resolver.GetUserKey(account, user)
+	if err != nil {
+		return "", fmt.Errorf("get user key: %w", err)
+	}
+
+	return key, nil
+}
+
+func formNativeActionNames(names []string) ([]string, error) {
+	res := make([]string, 0, len(names))
+
+	for _, action := range names {
+		if err := validateAction(action); err != nil {
+			return nil, err
+		}
+
+		if action == Wildcard {
+			return []string{Wildcard}, nil
+		}
+
+		if !strings.HasPrefix(action, s3ActionPrefix) {
+			continue
+		}
+
+		if strings.TrimPrefix(action, s3ActionPrefix) == Wildcard {
+			return []string{Wildcard}, nil
+		}
+
+		res = append(res, supportedActionToNativeOpMap[action]...)
+	}
+
+	return res, nil
+}
--- a/iam/converter_s3.go
+++ b/iam/converter_s3.go
@ -0,0 +1,255 @@
+package iam
+
+import (
+	"fmt"
+
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
+)
+
+var specialActionToS3OpMap = map[string][]string{
+	specialS3ActionsListAllMyBuckets:                 {"s3:ListBuckets"},
+	specialS3ActionsListBucket:                       {"s3:HeadBucket", "s3:GetBucketLocation", "s3:ListObjectsV1", "s3:ListObjectsV2"},
+	specialS3ActionsListBucketVersions:               {"s3:ListBucketObjectVersions"},
+	specialS3ActionsListBucketMultipartUploads:       {"s3:ListMultipartUploads"},
+	specialS3ActionsGetBucketObjectLockConfiguration: {"s3:GetBucketObjectLockConfig"},
+	specialS3ActionsGetEncryptionConfiguration:       {"s3:GetBucketEncryption"},
+	specialS3ActionsGetLifecycleConfiguration:        {"s3:GetBucketLifecycle"},
+	specialS3ActionsGetBucketACL:                     {"s3:GetBucketACL"},
+	specialS3ActionsGetBucketCORS:                    {"s3:GetBucketCors"},
+	specialS3ActionsPutBucketTagging:                 {"s3:PutBucketTagging", "s3:DeleteBucketTagging"},
+	specialS3ActionsPutBucketObjectLockConfiguration: {"s3:PutBucketObjectLockConfig"},
+	specialS3ActionsPutEncryptionConfiguration:       {"s3:PutBucketEncryption", "s3:DeleteBucketEncryption"},
+	specialS3ActionsPutLifecycleConfiguration:        {"s3:PutBucketLifecycle", "s3:DeleteBucketLifecycle"},
+	specialS3ActionsPutBucketACL:                     {"s3:PutBucketACL"},
+	specialS3ActionsPutBucketCORS:                    {"s3:PutBucketCors", "s3:DeleteBucketCors"},
+	specialS3ActionsDeleteBucketCORS:                 {"s3:DeleteBucketCors"},
+
+	specialS3ActionsListMultipartUploadParts:   {"s3:ListParts"},
+	specialS3ActionsGetObjectACL:               {"s3:GetObjectACL"},
+	specialS3ActionsGetObject:                  {"s3:GetObject", "s3:HeadObject"},
+	specialS3ActionsGetObjectVersion:           {"s3:GetObject", "s3:HeadObject"},
+	specialS3ActionsGetObjectVersionACL:        {"s3:GetObjectACL"},
+	specialS3ActionsGetObjectVersionAttributes: {"s3:GetObjectAttributes"},
+	specialS3ActionsGetObjectVersionTagging:    {"s3:GetObjectTagging"},
+	specialS3ActionsPutObjectACL:               {"s3:PutObjectACL"},
+	specialS3ActionsPutObjectVersionACL:        {"s3:PutObjectACL"},
+	specialS3ActionsPutObjectVersionTagging:    {"s3:PutObjectTagging"},
+	specialS3ActionsPutObject: {
+		"s3:PutObject", "s3:PostObject", "s3:CopyObject",
+		"s3:UploadPart", "s3:UploadPartCopy", "s3:CreateMultipartUpload", "s3:CompleteMultipartUpload",
+	},
+	specialS3ActionsDeleteObjectVersionTagging: {"s3:DeleteObjectTagging"},
+	specialS3ActionsDeleteObject:               {"s3:DeleteObject", "s3:DeleteMultipleObjects"},
+	specialS3ActionsDeleteObjectVersion:        {"s3:DeleteObject", "s3:DeleteMultipleObjects"},
+}
+
+const (
+	specialS3ActionsListAllMyBuckets                 = "s3:ListAllMyBuckets"
+	specialS3ActionsListBucket                       = "s3:ListBucket"
+	specialS3ActionsListBucketVersions               = "s3:ListBucketVersions"
+	specialS3ActionsListBucketMultipartUploads       = "s3:ListBucketMultipartUploads"
+	specialS3ActionsGetBucketObjectLockConfiguration = "s3:GetBucketObjectLockConfiguration"
+	specialS3ActionsGetEncryptionConfiguration       = "s3:GetEncryptionConfiguration"
+	specialS3ActionsGetLifecycleConfiguration        = "s3:GetLifecycleConfiguration"
+	specialS3ActionsGetBucketACL                     = "s3:GetBucketAcl"
+	specialS3ActionsGetBucketCORS                    = "s3:GetBucketCORS"
+	specialS3ActionsPutBucketTagging                 = "s3:PutBucketTagging"
+	specialS3ActionsPutBucketObjectLockConfiguration = "s3:PutBucketObjectLockConfiguration"
+	specialS3ActionsPutEncryptionConfiguration       = "s3:PutEncryptionConfiguration"
+	specialS3ActionsPutLifecycleConfiguration        = "s3:PutLifecycleConfiguration"
+	specialS3ActionsPutBucketACL                     = "s3:PutBucketAcl"
+	specialS3ActionsPutBucketCORS                    = "s3:PutBucketCORS"
+	specialS3ActionsDeleteBucketCORS                 = "s3:DeleteBucketCORS"
+	specialS3ActionsListMultipartUploadParts         = "s3:ListMultipartUploadParts"
+	specialS3ActionsGetObjectACL                     = "s3:GetObjectAcl"
+	specialS3ActionsGetObject                        = "s3:GetObject"
+	specialS3ActionsGetObjectVersion                 = "s3:GetObjectVersion"
+	specialS3ActionsGetObjectVersionACL              = "s3:GetObjectVersionAcl"
+	specialS3ActionsGetObjectVersionAttributes       = "s3:GetObjectVersionAttributes"
+	specialS3ActionsGetObjectVersionTagging          = "s3:GetObjectVersionTagging"
+	specialS3ActionsPutObjectACL                     = "s3:PutObjectAcl"
+	specialS3ActionsPutObjectVersionACL              = "s3:PutObjectVersionAcl"
+	specialS3ActionsPutObjectVersionTagging          = "s3:PutObjectVersionTagging"
+	specialS3ActionsPutObject                        = "s3:PutObject"
+	specialS3ActionsDeleteObjectVersionTagging       = "s3:DeleteObjectVersionTagging"
+	specialS3ActionsDeleteObject                     = "s3:DeleteObject"
+	specialS3ActionsDeleteObjectVersion              = "s3:DeleteObjectVersion"
+)
+
+type S3Resolver interface {
+	GetUserAddress(account, user string) (string, error)
+}
+
+func ConvertToS3Chain(p Policy, resolver S3Resolver) (*chain.Chain, error) {
+	if err := p.Validate(ResourceBasedPolicyType); err != nil {
+		return nil, err
+	}
+
+	var engineChain chain.Chain
+
+	for _, statement := range p.Statement {
+		status := formStatus(statement)
+
+		actions, actionInverted := statement.action()
+		s3Actions, err := formS3ActionNames(actions)
+		if err != nil {
+			return nil, err
+		}
+		ruleAction := chain.Actions{Inverted: actionInverted, Names: s3Actions}
+		if len(ruleAction.Names) == 0 {
+			continue
+		}
+
+		resources, resourceInverted := statement.resource()
+		if err := validateS3ResourceNames(resources); err != nil {
+			return nil, err
+		}
+		ruleResource := chain.Resources{Inverted: resourceInverted, Names: resources}
+
+		groupedConditions, err := convertToS3ChainCondition(statement.Conditions, resolver)
+		if err != nil {
+			return nil, err
+		}
+		splitConditions := splitGroupedConditions(groupedConditions)
+
+		principals, principalCondFn, err := getS3PrincipalsAndConditionFunc(statement, resolver)
+		if err != nil {
+			return nil, err
+		}
+
+		for _, principal := range principals {
+			for _, conditions := range splitConditions {
+				var principalCondition []chain.Condition
+				if principal != Wildcard {
+					principalCondition = []chain.Condition{principalCondFn(principal)}
+				}
+
+				r := chain.Rule{
+					Status:    status,
+					Actions:   ruleAction,
+					Resources: ruleResource,
+					Condition: append(principalCondition, conditions...),
+				}
+				engineChain.Rules = append(engineChain.Rules, r)
+			}
+		}
+	}
+
+	if len(engineChain.Rules) == 0 {
+		return nil, ErrActionsNotApplicable
+	}
+
+	return &engineChain, nil
+}
+
+func getS3PrincipalsAndConditionFunc(statement Statement, resolver S3Resolver) ([]string, formPrincipalConditionFunc, error) {
+	var principals []string
+	var op chain.ConditionType
+	statementPrincipal, inverted := statement.principal()
+	if _, ok := statementPrincipal[Wildcard]; ok { // this can be true only if 'inverted' false
+		principals = []string{Wildcard}
+		op = chain.CondStringLike
+	} else {
+		for principalType, principal := range statementPrincipal {
+			if principalType != AWSPrincipalType {
+				return nil, nil, fmt.Errorf("unsupported principal type '%s'", principalType)
+			}
+			parsedPrincipal, err := formS3Principal(principal, resolver)
+			if err != nil {
+				return nil, nil, fmt.Errorf("parse principal: %w", err)
+			}
+			principals = append(principals, parsedPrincipal...)
+		}
+
+		op = chain.CondStringEquals
+		if inverted {
+			op = chain.CondStringNotEquals
+		}
+	}
+
+	return principals, func(principal string) chain.Condition {
+		return chain.Condition{
+			Op:     op,
+			Object: chain.ObjectRequest,
+			Key:    s3.PropertyKeyOwner,
+			Value:  principal,
+		}
+	}, nil
+}
+
+func convertToS3ChainCondition(c Conditions, resolver S3Resolver) ([]GroupedConditions, error) {
+	return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
+		for i := range gr.Conditions {
+			if gr.Conditions[i].Key == condKeyAWSPrincipalARN {
+				gr.Conditions[i].Key = s3.PropertyKeyOwner
+				val, err := formPrincipalOwner(gr.Conditions[i].Value, resolver)
+				if err != nil {
+					return GroupedConditions{}, err
+				}
+				gr.Conditions[i].Value = val
+			}
+		}
+
+		return gr, nil
+	})
+}
+
+func formS3Principal(principal []string, resolver S3Resolver) ([]string, error) {
+	res := make([]string, len(principal))
+
+	var err error
+	for i := range principal {
+		if res[i], err = formPrincipalOwner(principal[i], resolver); err != nil {
+			return nil, err
+		}
+	}
+
+	return res, nil
+}
+
+func formPrincipalOwner(principal string, resolver S3Resolver) (string, error) {
+	account, user, err := parsePrincipalAsIAMUser(principal)
+	if err != nil {
+		return "", err
+	}
+
+	address, err := resolver.GetUserAddress(account, user)
+	if err != nil {
+		return "", fmt.Errorf("get user address: %w", err)
+	}
+
+	return address, nil
+}
+
+func validateS3ResourceNames(names []string) error {
+	for i := range names {
+		if err := validateResource(names[i]); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func formS3ActionNames(names []string) ([]string, error) {
+	res := make([]string, 0, len(names))
+
+	for _, action := range names {
+		if err := validateAction(action); err != nil {
+			return nil, err
+		}
+
+		if action == Wildcard {
+			return []string{Wildcard}, nil
+		}
+
+		if actions, ok := specialActionToS3OpMap[action]; ok {
+			res = append(res, actions...)
+		} else {
+			res = append(res, action)
+		}
+	}
+
+	return res, nil
+}
--- a/iam/converter_test.go
+++ b/iam/converter_test.go
--- a/iam/policy.go
+++ b/iam/policy.go
@ -222,6 +222,10 @@ func (p Policy) Validate(typ PolicyType) error {
 }

 func (p Policy) validate() error {
+	if len(p.Statement) == 0 {
+		return errors.New("'Statement' is missing")
+	}
+
 	for _, statement := range p.Statement {
 		if !statement.Effect.IsValid() {
 			return fmt.Errorf("unknown effect: '%s'", statement.Effect)
--- a/iam/policy_test.go
+++ b/iam/policy_test.go
@ -2,8 +2,14 @@ package iam

 import (
 	"encoding/json"
+	"fmt"
 	"testing"

+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 	"github.com/stretchr/testify/require"
 )

@ -320,6 +326,12 @@ func TestValidatePolicies(t *testing.T) {
 			typ:     GeneralPolicyType,
 			isValid: false,
 		},
+		{
+			name:    "missing statement block",
+			policy:  Policy{},
+			typ:     GeneralPolicyType,
+			isValid: false,
+		},
 		{
 			name: "identity based valid",
 			policy: Policy{
@ -422,3 +434,70 @@ func TestValidatePolicies(t *testing.T) {
 		})
 	}
 }
+
+func TestProcessDenyFirst(t *testing.T) {
+	identityBasedPolicyStr := `
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+			"Principal": {
+				"AWS": [ "arn:aws:iam::root:user/user-name" ]
+			},
+            "Action": ["s3:PutObject" ],
+            "Resource": "arn:aws:s3:::*"
+        }
+    ]
+}
+`
+
+	resourceBasedPolicyStr := `
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Deny",
+            "Principal": "*",
+            "Action": "s3:*",
+            "Resource": [ "arn:aws:s3:::test-bucket/*" ]
+        }
+    ]
+}
+`
+
+	var identityPolicy Policy
+	err := json.Unmarshal([]byte(identityBasedPolicyStr), &identityPolicy)
+	require.NoError(t, err)
+
+	var resourcePolicy Policy
+	err = json.Unmarshal([]byte(resourceBasedPolicyStr), &resourcePolicy)
+	require.NoError(t, err)
+
+	mockResolver := newMockUserResolver([]string{"root/user-name"}, []string{"test-bucket"}, "")
+
+	identityNativePolicy, err := ConvertToNativeChain(identityPolicy, mockResolver)
+	require.NoError(t, err)
+	identityNativePolicy.MatchType = chain.MatchTypeFirstMatch
+
+	resourceNativePolicy, err := ConvertToNativeChain(resourcePolicy, mockResolver)
+	require.NoError(t, err)
+
+	s := inmemory.NewInMemory()
+
+	target := engine.NamespaceTarget("ns")
+
+	_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, target, identityNativePolicy)
+	require.NoError(t, err)
+
+	_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, target, resourceNativePolicy)
+	require.NoError(t, err)
+
+	resource := testutil.NewResource(fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.containers["test-bucket"]), nil)
+	request := testutil.NewRequest("PutObject", resource, map[string]string{native.PropertyKeyActorPublicKey: mockResolver.users["root/user-name"]})
+
+	status, found, err := s.IsAllowed(chain.Ingress, engine.NewRequestTarget("ns", ""), request)
+	require.NoError(t, err)
+	require.True(t, found)
+	require.Equal(t, chain.AccessDenied, status)
+}
--- a/pkg/chain/chain.go
+++ b/pkg/chain/chain.go
@ -1,25 +1,38 @@
 package chain

 import (
-	"encoding/json"
 	"fmt"
 	"strings"

 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
 	"git.frostfs.info/TrueCloudLab/policy-engine/util"
+	"golang.org/x/exp/slices"
 )

 // ID is the ID of rule chain.
-type ID string
+type ID []byte

+// MatchType is the match type for chain rules.
+type MatchType uint8
+
+const (
+	// MatchTypeDenyPriority rejects the request if any `Deny` is specified.
+	MatchTypeDenyPriority MatchType = 0
+	// MatchTypeFirstMatch returns the first rule action matched to the request.
+	MatchTypeFirstMatch MatchType = 1
+)
+
+//easyjson:json
 type Chain struct {
 	ID ID

 	Rules []Rule
+
+	MatchType MatchType
 }

 func (c *Chain) Bytes() []byte {
-	data, err := json.Marshal(c)
+	data, err := c.MarshalBinary()
 	if err != nil {
 		panic(err)
 	}
@ -27,7 +40,7 @@ func (c *Chain) Bytes() []byte {
 }

 func (c *Chain) DecodeBytes(b []byte) error {
-	return json.Unmarshal(b, c)
+	return c.UnmarshalBinary(b)
 }

 type Rule struct {
@ -64,6 +77,8 @@ type ObjectType byte
 const (
 	ObjectResource ObjectType = iota
 	ObjectRequest
+	ContainerResource
+	ContainerRequest
 )

 type ConditionType byte
@ -91,45 +106,48 @@ const (
 	CondNumericLessThanEquals
 	CondNumericGreaterThan
 	CondNumericGreaterThanEquals
+
+	CondSliceContains
 )

+var condToStr = []struct {
+	ct  ConditionType
+	str string
+}{
+	{CondStringEquals, "StringEquals"},
+	{CondStringNotEquals, "StringNotEquals"},
+	{CondStringEqualsIgnoreCase, "StringEqualsIgnoreCase"},
+	{CondStringNotEqualsIgnoreCase, "StringNotEqualsIgnoreCase"},
+	{CondStringLike, "StringLike"},
+	{CondStringNotLike, "StringNotLike"},
+	{CondStringLessThan, "StringLessThan"},
+	{CondStringLessThanEquals, "StringLessThanEquals"},
+	{CondStringGreaterThan, "StringGreaterThan"},
+	{CondStringGreaterThanEquals, "StringGreaterThanEquals"},
+	{CondNumericEquals, "NumericEquals"},
+	{CondNumericNotEquals, "NumericNotEquals"},
+	{CondNumericLessThan, "NumericLessThan"},
+	{CondNumericLessThanEquals, "NumericLessThanEquals"},
+	{CondNumericGreaterThan, "NumericGreaterThan"},
+	{CondNumericGreaterThanEquals, "NumericGreaterThanEquals"},
+	{CondSliceContains, "SliceContains"},
+}
+
 func (c ConditionType) String() string {
-	switch c {
-	case CondStringEquals:
-		return "StringEquals"
-	case CondStringNotEquals:
-		return "StringNotEquals"
-	case CondStringEqualsIgnoreCase:
-		return "StringEqualsIgnoreCase"
-	case CondStringNotEqualsIgnoreCase:
-		return "StringNotEqualsIgnoreCase"
-	case CondStringLike:
-		return "StringLike"
-	case CondStringNotLike:
-		return "StringNotLike"
-	case CondStringLessThan:
-		return "StringLessThan"
-	case CondStringLessThanEquals:
-		return "StringLessThanEquals"
-	case CondStringGreaterThan:
-		return "StringGreaterThan"
-	case CondStringGreaterThanEquals:
-		return "StringGreaterThanEquals"
-	case CondNumericEquals:
-		return "NumericEquals"
-	case CondNumericNotEquals:
-		return "NumericNotEquals"
-	case CondNumericLessThan:
-		return "NumericLessThan"
-	case CondNumericLessThanEquals:
-		return "NumericLessThanEquals"
-	case CondNumericGreaterThan:
-		return "NumericGreaterThan"
-	case CondNumericGreaterThanEquals:
-		return "NumericGreaterThanEquals"
-	default:
-		return "unknown condition type"
+	for _, v := range condToStr {
+		if v.ct == c {
+			return v.str
+		}
 	}
+	return "unknown condition type"
+}
+
+const condSliceContainsDelimiter = "\x00"
+
+// FormCondSliceContainsValue builds value for ObjectResource or ObjectRequest property
+// that can be matched by CondSliceContains condition.
+func FormCondSliceContainsValue(values []string) string {
+	return strings.Join(values, condSliceContainsDelimiter)
 }

 func (c *Condition) Match(req resource.Request) bool {
@ -166,6 +184,8 @@ func (c *Condition) Match(req resource.Request) bool {
 		return val > c.Value
 	case CondStringGreaterThanEquals:
 		return val >= c.Value
+	case CondSliceContains:
+		return slices.Contains(strings.Split(val, condSliceContainsDelimiter), c.Value)
 	}
 }

@ -214,6 +234,17 @@ func (r *Rule) matchAll(obj resource.Request) (status Status, matched bool) {
 }

 func (c *Chain) Match(req resource.Request) (status Status, matched bool) {
+	switch c.MatchType {
+	case MatchTypeDenyPriority:
+		return c.denyPriority(req)
+	case MatchTypeFirstMatch:
+		return c.firstMatch(req)
+	default:
+		panic(fmt.Sprintf("unknown MatchType %d", c.MatchType))
+	}
+}
+
+func (c *Chain) firstMatch(req resource.Request) (status Status, matched bool) {
 	for i := range c.Rules {
 		status, matched := c.Rules[i].Match(req)
 		if matched {
@ -222,3 +253,21 @@ func (c *Chain) Match(req resource.Request) (status Status, matched bool) {
 	}
 	return NoRuleFound, false
 }
+
+func (c *Chain) denyPriority(req resource.Request) (status Status, matched bool) {
+	var allowFound bool
+	for i := range c.Rules {
+		status, matched := c.Rules[i].Match(req)
+		if !matched {
+			continue
+		}
+		if status != Allow {
+			return status, true
+		}
+		allowFound = true
+	}
+	if allowFound {
+		return Allow, true
+	}
+	return NoRuleFound, false
+}
--- a/pkg/chain/chain_easyjson.go
+++ b/pkg/chain/chain_easyjson.go
--- a/pkg/chain/chain_names.go
+++ b/pkg/chain/chain_names.go
@ -7,4 +7,7 @@ const (
 	// Ingress represents chains applied when crossing user/storage network boundary.
 	// It is not applied when talking between nodes.
 	Ingress Name = "ingress"
+
+	// S3 represents chains applied when crossing user/s3 network boundary.
+	S3 Name = "s3"
 )
--- a/pkg/chain/chain_test.go
+++ b/pkg/chain/chain_test.go
@ -3,11 +3,28 @@ package chain
 import (
 	"testing"

+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 	"github.com/stretchr/testify/require"
 )

+func TestChainIDSerialization(t *testing.T) {
+	chainIDBytes := []byte{93, 236, 80, 138, 168, 3, 144, 92, 173, 141, 16, 42, 249, 90, 97, 109, 211, 169, 54, 163}
+
+	chain1 := &Chain{ID: ID(chainIDBytes)}
+	data := chain1.Bytes()
+
+	var chain2 Chain
+	err := chain2.DecodeBytes(data)
+	require.NoError(t, err)
+
+	require.Equal(t, chain1.ID, chain2.ID)
+}
+
 func TestEncodeDecode(t *testing.T) {
 	expected := Chain{
+		MatchType: MatchTypeFirstMatch,
 		Rules: []Rule{
 			{
 				Status: Allow,
@ -31,3 +48,104 @@ func TestEncodeDecode(t *testing.T) {
 	require.NoError(t, actual.DecodeBytes(data))
 	require.Equal(t, expected, actual)
 }
+
+func TestReturnFirstMatch(t *testing.T) {
+	ch := Chain{
+		Rules: []Rule{
+			{
+				Status: Allow,
+				Actions: Actions{Names: []string{
+					native.MethodPutObject,
+				}},
+				Resources: Resources{Names: []string{native.ResourceFormatRootContainers}},
+				Condition: []Condition{},
+			},
+			{
+				Status: AccessDenied,
+				Actions: Actions{Names: []string{
+					native.MethodPutObject,
+				}},
+				Resources: Resources{Names: []string{native.ResourceFormatRootContainers}},
+				Condition: []Condition{},
+			},
+		},
+	}
+
+	resource := testutil.NewResource(native.ResourceFormatRootContainers, nil)
+	request := testutil.NewRequest(native.MethodPutObject, resource, nil)
+
+	t.Run("default match", func(t *testing.T) {
+		st, found := ch.Match(request)
+		require.True(t, found)
+		require.Equal(t, AccessDenied, st)
+	})
+
+	t.Run("return first match", func(t *testing.T) {
+		ch.MatchType = MatchTypeFirstMatch
+		st, found := ch.Match(request)
+		require.True(t, found)
+		require.Equal(t, Allow, st)
+	})
+}
+
+func TestCondSliceContainsMatch(t *testing.T) {
+	propKey := common.PropertyKeyFrostFSIDGroupID
+	groupID := "1"
+
+	ch := Chain{Rules: []Rule{{
+		Status:    Allow,
+		Actions:   Actions{Names: []string{native.MethodPutObject}},
+		Resources: Resources{Names: []string{native.ResourceFormatRootContainers}},
+		Condition: []Condition{{
+			Op:     CondSliceContains,
+			Object: ObjectRequest,
+			Key:    propKey,
+			Value:  groupID,
+		}},
+	}}}
+
+	for _, tc := range []struct {
+		name   string
+		value  string
+		status Status
+	}{
+		{
+			name:   "simple value",
+			value:  groupID,
+			status: Allow,
+		},
+		{
+			name:   "simple value by func",
+			value:  FormCondSliceContainsValue([]string{groupID}),
+			status: Allow,
+		},
+		{
+			name:   "multiple values by func",
+			value:  FormCondSliceContainsValue([]string{groupID, "2", "3"}),
+			status: Allow,
+		},
+		{
+			name:   "simple mismatched",
+			value:  "3",
+			status: NoRuleFound,
+		},
+		{
+			name:   "multiple mismatched",
+			value:  FormCondSliceContainsValue([]string{"11", "12"}),
+			status: NoRuleFound,
+		},
+		{
+			name:   "comma correct handling mismatched",
+			value:  "1,11",
+			status: NoRuleFound,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			resource := testutil.NewResource(native.ResourceFormatRootContainers, nil)
+			request := testutil.NewRequest(native.MethodPutObject, resource, map[string]string{propKey: tc.value})
+
+			st, _ := ch.Match(request)
+			require.Equal(t, tc.status.String(), st.String())
+		})
+	}
+}
--- a/pkg/chain/marshal_binary.go
+++ b/pkg/chain/marshal_binary.go
@ -0,0 +1,257 @@
+package chain
+
+import (
+	"encoding"
+	"fmt"
+
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/marshal"
+)
+
+const (
+	ChainMarshalVersion uint8 = 0 // increase if breaking change
+)
+
+var (
+	_ encoding.BinaryMarshaler   = (*Chain)(nil)
+	_ encoding.BinaryUnmarshaler = (*Chain)(nil)
+)
+
+func (c *Chain) MarshalBinary() ([]byte, error) {
+	s := marshal.UInt8Size // Marshaller version
+	s += marshal.UInt8Size // Chain version
+	s += marshal.SliceSize(c.ID, func(byte) int { return marshal.ByteSize })
+	s += marshal.SliceSize(c.Rules, ruleSize)
+	s += marshal.UInt8Size // MatchType
+
+	buf := make([]byte, s)
+	var offset int
+	var err error
+	offset, err = marshal.UInt8Marshal(buf, offset, marshal.Version)
+	if err != nil {
+		return nil, err
+	}
+	offset, err = marshal.UInt8Marshal(buf, offset, ChainMarshalVersion)
+	if err != nil {
+		return nil, err
+	}
+	offset, err = marshal.SliceMarshal(buf, offset, c.ID, marshal.ByteMarshal)
+	if err != nil {
+		return nil, err
+	}
+	offset, err = marshal.SliceMarshal(buf, offset, c.Rules, marshalRule)
+	if err != nil {
+		return nil, err
+	}
+	offset, err = marshal.UInt8Marshal(buf, offset, uint8(c.MatchType))
+	if err != nil {
+		return nil, err
+	}
+
+	if err := marshal.VerifyMarshal(buf, offset); err != nil {
+		return nil, err
+	}
+	return buf, nil
+}
+
+func (c *Chain) UnmarshalBinary(data []byte) error {
+	var offset int
+
+	marshallerVersion, offset, err := marshal.UInt8Unmarshal(data, offset)
+	if err != nil {
+		return err
+	}
+	if marshallerVersion != marshal.Version {
+		return fmt.Errorf("unsupported marshaller version %d", marshallerVersion)
+	}
+
+	chainVersion, offset, err := marshal.UInt8Unmarshal(data, offset)
+	if err != nil {
+		return err
+	}
+	if chainVersion != ChainMarshalVersion {
+		return fmt.Errorf("unsupported chain version %d", chainVersion)
+	}
+
+	idBytes, offset, err := marshal.SliceUnmarshal(data, offset, marshal.ByteUnmarshal)
+	if err != nil {
+		return err
+	}
+	c.ID = ID(idBytes)
+
+	c.Rules, offset, err = marshal.SliceUnmarshal(data, offset, unmarshalRule)
+	if err != nil {
+		return err
+	}
+
+	matchTypeV, offset, err := marshal.UInt8Unmarshal(data, offset)
+	if err != nil {
+		return err
+	}
+	c.MatchType = MatchType(matchTypeV)
+
+	return marshal.VerifyUnmarshal(data, offset)
+}
+
+func ruleSize(r Rule) int {
+	s := marshal.ByteSize // Status
+	s += actionsSize(r.Actions)
+	s += resourcesSize(r.Resources)
+	s += marshal.BoolSize // Any
+	s += marshal.SliceSize(r.Condition, conditionSize)
+	return s
+}
+
+func marshalRule(buf []byte, offset int, r Rule) (int, error) {
+	offset, err := marshal.ByteMarshal(buf, offset, byte(r.Status))
+	if err != nil {
+		return 0, err
+	}
+	offset, err = marshalActions(buf, offset, r.Actions)
+	if err != nil {
+		return 0, err
+	}
+	offset, err = marshalResources(buf, offset, r.Resources)
+	if err != nil {
+		return 0, err
+	}
+	offset, err = marshal.BoolMarshal(buf, offset, r.Any)
+	if err != nil {
+		return 0, err
+	}
+	return marshal.SliceMarshal(buf, offset, r.Condition, marshalCondition)
+}
+
+func unmarshalRule(buf []byte, offset int) (Rule, int, error) {
+	var r Rule
+	statusV, offset, err := marshal.ByteUnmarshal(buf, offset)
+	if err != nil {
+		return Rule{}, 0, err
+	}
+	r.Status = Status(statusV)
+
+	r.Actions, offset, err = unmarshalActions(buf, offset)
+	if err != nil {
+		return Rule{}, 0, err
+	}
+
+	r.Resources, offset, err = unmarshalResources(buf, offset)
+	if err != nil {
+		return Rule{}, 0, err
+	}
+
+	r.Any, offset, err = marshal.BoolUnmarshal(buf, offset)
+	if err != nil {
+		return Rule{}, 0, err
+	}
+
+	r.Condition, offset, err = marshal.SliceUnmarshal(buf, offset, unmarshalCondition)
+	if err != nil {
+		return Rule{}, 0, err
+	}
+
+	return r, offset, nil
+}
+
+func actionsSize(a Actions) int {
+	return marshal.BoolSize + // Inverted
+		marshal.SliceSize(a.Names, marshal.StringSize)
+}
+
+func marshalActions(buf []byte, offset int, a Actions) (int, error) {
+	offset, err := marshal.BoolMarshal(buf, offset, a.Inverted)
+	if err != nil {
+		return 0, err
+	}
+	return marshal.SliceMarshal(buf, offset, a.Names, marshal.StringMarshal)
+}
+
+func unmarshalActions(buf []byte, offset int) (Actions, int, error) {
+	var a Actions
+	var err error
+	a.Inverted, offset, err = marshal.BoolUnmarshal(buf, offset)
+	if err != nil {
+		return Actions{}, 0, err
+	}
+	a.Names, offset, err = marshal.SliceUnmarshal(buf, offset, marshal.StringUnmarshal)
+	if err != nil {
+		return Actions{}, 0, err
+	}
+	return a, offset, nil
+}
+
+func resourcesSize(r Resources) int {
+	return marshal.BoolSize + // Inverted
+		marshal.SliceSize(r.Names, marshal.StringSize)
+}
+
+func marshalResources(buf []byte, offset int, r Resources) (int, error) {
+	offset, err := marshal.BoolMarshal(buf, offset, r.Inverted)
+	if err != nil {
+		return 0, err
+	}
+	return marshal.SliceMarshal(buf, offset, r.Names, marshal.StringMarshal)
+}
+
+func unmarshalResources(buf []byte, offset int) (Resources, int, error) {
+	var r Resources
+	var err error
+	r.Inverted, offset, err = marshal.BoolUnmarshal(buf, offset)
+	if err != nil {
+		return Resources{}, 0, err
+	}
+	r.Names, offset, err = marshal.SliceUnmarshal(buf, offset, marshal.StringUnmarshal)
+	if err != nil {
+		return Resources{}, 0, err
+	}
+	return r, offset, nil
+}
+
+func conditionSize(c Condition) int {
+	return marshal.ByteSize + // Op
+		marshal.ByteSize + // Object
+		marshal.StringSize(c.Key) +
+		marshal.StringSize(c.Value)
+}
+
+func marshalCondition(buf []byte, offset int, c Condition) (int, error) {
+	offset, err := marshal.ByteMarshal(buf, offset, byte(c.Op))
+	if err != nil {
+		return 0, err
+	}
+	offset, err = marshal.ByteMarshal(buf, offset, byte(c.Object))
+	if err != nil {
+		return 0, err
+	}
+	offset, err = marshal.StringMarshal(buf, offset, c.Key)
+	if err != nil {
+		return 0, err
+	}
+	return marshal.StringMarshal(buf, offset, c.Value)
+}
+
+func unmarshalCondition(buf []byte, offset int) (Condition, int, error) {
+	var c Condition
+	opV, offset, err := marshal.ByteUnmarshal(buf, offset)
+	if err != nil {
+		return Condition{}, 0, err
+	}
+	c.Op = ConditionType(opV)
+
+	obV, offset, err := marshal.ByteUnmarshal(buf, offset)
+	if err != nil {
+		return Condition{}, 0, err
+	}
+	c.Object = ObjectType(obV)
+
+	c.Key, offset, err = marshal.StringUnmarshal(buf, offset)
+	if err != nil {
+		return Condition{}, 0, err
+	}
+
+	c.Value, offset, err = marshal.StringUnmarshal(buf, offset)
+	if err != nil {
+		return Condition{}, 0, err
+	}
+
+	return c, offset, nil
+}
--- a/pkg/chain/marshal_binary_test.go
+++ b/pkg/chain/marshal_binary_test.go
@ -0,0 +1,272 @@
+package chain
+
+import (
+	"fmt"
+	"testing"
+
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+)
+
+func TestChainMarshalling(t *testing.T) {
+	t.Parallel()
+	for _, id := range generateTestIDs() {
+		for _, rules := range generateTestRules() {
+			for _, matchType := range generateTestMatchTypes() {
+				performMarshalTest(t, id, rules, matchType)
+			}
+		}
+	}
+}
+
+func TestInvalidChainData(t *testing.T) {
+	var ch Chain
+	require.Error(t, ch.UnmarshalBinary(nil))
+	require.Error(t, ch.UnmarshalBinary([]byte{}))
+	require.Error(t, ch.UnmarshalBinary([]byte{1, 2, 3}))
+	require.Error(t, ch.UnmarshalBinary([]byte("\x00\x00:aws:iam::namespace:group/so\x82\x82\x82\x82\x82\x82u\x82")))
+}
+
+func FuzzUnmarshal(f *testing.F) {
+	for _, id := range generateTestIDs() {
+		for _, rules := range generateTestRules() {
+			for _, matchType := range generateTestMatchTypes() {
+
+				chain := Chain{
+					ID:        id,
+					Rules:     rules,
+					MatchType: matchType,
+				}
+				data, err := chain.MarshalBinary()
+				require.NoError(f, err)
+				f.Add(data)
+			}
+		}
+	}
+
+	f.Fuzz(func(t *testing.T, data []byte) {
+		var ch Chain
+		require.NotPanics(t, func() {
+			_ = ch.UnmarshalBinary(data)
+		})
+	})
+}
+
+func performMarshalTest(t *testing.T, id ID, r []Rule, mt MatchType) {
+	chain := Chain{
+		ID:        id,
+		Rules:     r,
+		MatchType: mt,
+	}
+	data, err := chain.MarshalBinary()
+	require.NoError(t, err)
+
+	var unmarshalledChain Chain
+	require.NoError(t, unmarshalledChain.UnmarshalBinary(data))
+
+	require.Equal(t, chain, unmarshalledChain)
+}
+
+func generateTestIDs() []ID {
+	return []ID{
+		ID(""),
+		ID(uuid.New().String()),
+		ID("*::/"),
+		ID("avada kedavra"),
+		ID("arn:aws:iam::namespace:group/some_group"),
+		ID("$Object:homomorphicHash"),
+		ID("native:container/ns/9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J"),
+	}
+}
+
+func generateTestRules() [][]Rule {
+	result := [][]Rule{
+		nil,
+		{},
+		{},
+	}
+
+	for _, st := range generateTestStatuses() {
+		for _, act := range generateTestActions() {
+			for _, res := range generateTestResources() {
+				for _, cond := range generateTestConditions() {
+					result[2] = append(result[2], Rule{
+						Status:    st,
+						Actions:   act,
+						Resources: res,
+						Condition: cond,
+						Any:       true,
+					})
+					result[2] = append(result[2], Rule{
+						Status:    st,
+						Actions:   act,
+						Resources: res,
+						Condition: cond,
+					})
+				}
+			}
+		}
+	}
+
+	return result
+}
+
+func generateTestStatuses() []Status {
+	return []Status{
+		Allow,
+		NoRuleFound,
+		AccessDenied,
+		QuotaLimitReached,
+	}
+}
+
+func generateTestActions() []Actions {
+	return []Actions{
+		{
+			Inverted: true,
+			Names:    nil,
+		},
+		{
+			Names: nil,
+		},
+		{
+			Inverted: true,
+			Names:    []string{},
+		},
+		{
+			Names: []string{},
+		},
+		{
+			Inverted: true,
+			Names:    []string{native.MethodPutObject},
+		},
+		{
+			Names: []string{native.MethodPutObject},
+		},
+		{
+			Inverted: true,
+			Names:    []string{native.MethodPutObject, native.MethodDeleteContainer, native.MethodDeleteObject},
+		},
+		{
+			Names: []string{native.MethodPutObject, native.MethodDeleteContainer, native.MethodDeleteObject},
+		},
+	}
+}
+
+func generateTestResources() []Resources {
+	return []Resources{
+		{
+			Inverted: true,
+			Names:    nil,
+		},
+		{
+			Names: nil,
+		},
+		{
+			Inverted: true,
+			Names:    []string{},
+		},
+		{
+			Names: []string{},
+		},
+		{
+			Inverted: true,
+			Names:    []string{native.ResourceFormatAllObjects},
+		},
+		{
+			Names: []string{native.ResourceFormatAllObjects},
+		},
+		{
+			Inverted: true,
+			Names: []string{
+				native.ResourceFormatAllObjects,
+				fmt.Sprintf(native.ResourceFormatRootContainer, "9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J"),
+			},
+		},
+		{
+			Names: []string{
+				native.ResourceFormatAllObjects,
+				fmt.Sprintf(native.ResourceFormatRootContainer, "9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J"),
+			},
+		},
+	}
+}
+
+func generateTestConditions() [][]Condition {
+	result := [][]Condition{
+		nil,
+		{},
+		{},
+	}
+
+	for _, ct := range generateTestConditionTypes() {
+		for _, ot := range generateObjectTypes() {
+			result[2] = append(result[2], Condition{
+				Op:     ct,
+				Object: ot,
+				Key:    "",
+				Value:  "",
+			})
+
+			result[2] = append(result[2], Condition{
+				Op:     ct,
+				Object: ot,
+				Key:    "key",
+				Value:  "",
+			})
+
+			result[2] = append(result[2], Condition{
+				Op:     ct,
+				Object: ot,
+				Key:    "",
+				Value:  "value",
+			})
+
+			result[2] = append(result[2], Condition{
+				Op:     ct,
+				Object: ot,
+				Key:    "key",
+				Value:  "value",
+			})
+		}
+	}
+
+	return result
+}
+
+func generateTestConditionTypes() []ConditionType {
+	return []ConditionType{
+		CondStringEquals,
+		CondStringNotEquals,
+		CondStringEqualsIgnoreCase,
+		CondStringNotEqualsIgnoreCase,
+		CondStringLike,
+		CondStringNotLike,
+		CondStringLessThan,
+		CondStringLessThanEquals,
+		CondStringGreaterThan,
+		CondStringGreaterThanEquals,
+		CondNumericEquals,
+		CondNumericNotEquals,
+		CondNumericLessThan,
+		CondNumericLessThanEquals,
+		CondNumericGreaterThan,
+		CondNumericGreaterThanEquals,
+		CondSliceContains,
+	}
+}
+
+func generateObjectTypes() []ObjectType {
+	return []ObjectType{
+		ObjectResource,
+		ObjectRequest,
+	}
+}
+
+func generateTestMatchTypes() []MatchType {
+	return []MatchType{
+		MatchTypeDenyPriority,
+		MatchTypeFirstMatch,
+	}
+}
--- a/pkg/chain/marshal_json.go
+++ b/pkg/chain/marshal_json.go
@ -0,0 +1,145 @@
+package chain
+
+import (
+	"fmt"
+	"strconv"
+
+	jlexer "github.com/mailru/easyjson/jlexer"
+	jwriter "github.com/mailru/easyjson/jwriter"
+)
+
+// Run `make generate`` if types added or changed
+
+var matchTypeToJSONValue = []struct {
+	mt  MatchType
+	str string
+}{
+	{MatchTypeDenyPriority, "DenyPriority"},
+	{MatchTypeFirstMatch, "FirstMatch"},
+}
+
+var statusToJSONValue = []struct {
+	s   Status
+	str string
+}{
+	{Allow, "Allow"},
+	{NoRuleFound, "NoRuleFound"},
+	{AccessDenied, "AccessDenied"},
+	{QuotaLimitReached, "QuotaLimitReached"},
+}
+
+var objectTypeToJSONValue = []struct {
+	t   ObjectType
+	str string
+}{
+	{ObjectRequest, "Request"},
+	{ObjectResource, "Resource"},
+}
+
+func (mt MatchType) MarshalEasyJSON(w *jwriter.Writer) {
+	for _, p := range matchTypeToJSONValue {
+		if p.mt == mt {
+			w.String(p.str)
+			return
+		}
+	}
+	w.String(strconv.FormatUint(uint64(mt), 10))
+}
+
+func (mt *MatchType) UnmarshalEasyJSON(l *jlexer.Lexer) {
+	str := l.String()
+	for _, p := range matchTypeToJSONValue {
+		if p.str == str {
+			*mt = p.mt
+			return
+		}
+	}
+
+	v, err := strconv.ParseUint(str, 10, 8)
+	if err != nil {
+		l.AddError(fmt.Errorf("failed to parse match type: %w", err))
+		return
+	}
+	*mt = MatchType(v)
+}
+
+func (st Status) MarshalEasyJSON(w *jwriter.Writer) {
+	for _, p := range statusToJSONValue {
+		if p.s == st {
+			w.String(p.str)
+			return
+		}
+	}
+	w.String(strconv.FormatUint(uint64(st), 10))
+}
+
+func (st *Status) UnmarshalEasyJSON(l *jlexer.Lexer) {
+	str := l.String()
+	for _, p := range statusToJSONValue {
+		if p.str == str {
+			*st = p.s
+			return
+		}
+	}
+
+	v, err := strconv.ParseUint(str, 10, 8)
+	if err != nil {
+		l.AddError(fmt.Errorf("failed to parse status: %w", err))
+		return
+	}
+	*st = Status(v)
+}
+
+func (ot ObjectType) MarshalEasyJSON(w *jwriter.Writer) {
+	for _, p := range objectTypeToJSONValue {
+		if p.t == ot {
+			w.String(p.str)
+			return
+		}
+	}
+	w.String(strconv.FormatUint(uint64(ot), 10))
+}
+
+func (ot *ObjectType) UnmarshalEasyJSON(l *jlexer.Lexer) {
+	str := l.String()
+	for _, p := range objectTypeToJSONValue {
+		if p.str == str {
+			*ot = p.t
+			return
+		}
+	}
+
+	v, err := strconv.ParseUint(str, 10, 8)
+	if err != nil {
+		l.AddError(fmt.Errorf("failed to parse object type: %w", err))
+		return
+	}
+	*ot = ObjectType(v)
+}
+
+func (ct ConditionType) MarshalEasyJSON(w *jwriter.Writer) {
+	for _, p := range condToStr {
+		if p.ct == ct {
+			w.String(p.str)
+			return
+		}
+	}
+	w.String(strconv.FormatUint(uint64(ct), 10))
+}
+
+func (ct *ConditionType) UnmarshalEasyJSON(l *jlexer.Lexer) {
+	str := l.String()
+	for _, p := range condToStr {
+		if p.str == str {
+			*ct = p.ct
+			return
+		}
+	}
+
+	v, err := strconv.ParseUint(str, 10, 8)
+	if err != nil {
+		l.AddError(fmt.Errorf("failed to parse condition type: %w", err))
+		return
+	}
+	*ct = ConditionType(v)
+}
--- a/pkg/chain/marshal_json_test.go
+++ b/pkg/chain/marshal_json_test.go
@ -0,0 +1,121 @@
+package chain
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/stretchr/testify/require"
+)
+
+func TestID(t *testing.T) {
+	key, err := keys.NewPrivateKeyFromWIF("L5eVx6HcHaFpQpvjQ3fy29uKDZ8rQ34bfMVx4XfZMm52EqafpNMg") // s3-gw key
+	require.NoError(t, err)
+
+	chain1 := &Chain{ID: ID(key.PublicKey().GetScriptHash().BytesBE())}
+	data := chain1.Bytes()
+
+	var chain2 Chain
+	require.NoError(t, chain2.DecodeBytes(data))
+
+	require.Equal(t, chain1.ID, chain2.ID)
+
+	data, err = chain1.MarshalJSON()
+	require.NoError(t, err)
+
+	require.NoError(t, chain2.UnmarshalJSON(data))
+
+	require.Equal(t, chain1.ID, chain2.ID)
+}
+
+func TestMatchTypeJson(t *testing.T) {
+	for _, mt := range []MatchType{MatchTypeDenyPriority, MatchTypeFirstMatch, MatchType(100)} {
+		var chain Chain
+		chain.MatchType = mt
+
+		data, err := chain.MarshalJSON()
+		require.NoError(t, err)
+		if mt == MatchTypeDenyPriority {
+			require.Equal(t, []byte("{\"ID\":null,\"Rules\":null,\"MatchType\":\"DenyPriority\"}"), data)
+		} else if mt == MatchTypeFirstMatch {
+			require.Equal(t, []byte("{\"ID\":null,\"Rules\":null,\"MatchType\":\"FirstMatch\"}"), data)
+		} else {
+			require.Equal(t, []byte(fmt.Sprintf("{\"ID\":null,\"Rules\":null,\"MatchType\":\"%d\"}", mt)), data)
+		}
+
+		var parsed Chain
+		require.NoError(t, parsed.UnmarshalJSON(data))
+		require.Equal(t, chain, parsed)
+
+		require.Error(t, parsed.UnmarshalJSON([]byte("{\"ID\":\"\",\"Rules\":null,\"MatchType\":\"NotValid\"}")))
+	}
+}
+
+func TestJsonEnums(t *testing.T) {
+	chain := Chain{
+		ID:        []byte("2cca5ae7-cee8-428d-b45f-567fb1d03f01"), // will be encoded to base64
+		MatchType: MatchTypeFirstMatch,
+		Rules: []Rule{
+			{
+				Status: AccessDenied,
+				Actions: Actions{
+					Names: []string{native.MethodDeleteObject, native.MethodGetContainer},
+				},
+				Resources: Resources{
+					Names: []string{native.ResourceFormatAllObjects},
+				},
+				Condition: []Condition{
+					{
+						Op:     CondStringEquals,
+						Object: ObjectRequest,
+						Key:    native.PropertyKeyActorRole,
+						Value:  native.PropertyValueContainerRoleOthers,
+					},
+				},
+			},
+			{
+				Status: QuotaLimitReached,
+				Actions: Actions{
+					Inverted: true,
+					Names:    []string{native.MethodPutObject},
+				},
+				Resources: Resources{
+					Names: []string{fmt.Sprintf(native.ResourceFormatRootContainerObjects, "9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J")},
+				},
+				Any: true,
+				Condition: []Condition{
+					{
+						Op:     CondStringNotLike,
+						Object: ObjectResource,
+						Key:    native.PropertyKeyObjectType,
+						Value:  "regular",
+					},
+				},
+			},
+			{
+				Status: Status(100),
+				Condition: []Condition{
+					{
+						Op:     ConditionType(255),
+						Object: ObjectType(128),
+					},
+				},
+			},
+		},
+	}
+
+	data, err := chain.MarshalJSON()
+	require.NoError(t, err)
+
+	var parsed Chain
+	require.NoError(t, parsed.UnmarshalJSON(data))
+	require.Equal(t, chain, parsed)
+
+	expected, err := os.ReadFile("./testdata/test_status_json.json")
+	require.NoError(t, err)
+
+	require.NoError(t, parsed.UnmarshalJSON(expected))
+	require.Equal(t, chain, parsed)
+}
--- a/pkg/chain/testdata/test_status_json.json
+++ b/pkg/chain/testdata/test_status_json.json
@ -0,0 +1,75 @@
+{
+    "ID": "MmNjYTVhZTctY2VlOC00MjhkLWI0NWYtNTY3ZmIxZDAzZjAx",
+    "Rules": [
+        {
+            "Status": "AccessDenied",
+            "Actions": {
+                "Inverted": false,
+                "Names": [
+                    "DeleteObject",
+                    "GetContainer"
+                ]
+            },
+            "Resources": {
+                "Inverted": false,
+                "Names": [
+                    "native:object/*"
+                ]
+            },
+            "Any": false,
+            "Condition": [
+                {
+                    "Op": "StringEquals",
+                    "Object": "Request",
+                    "Key": "$Actor:role",
+                    "Value": "others"
+                }
+            ]
+        },
+        {
+            "Status": "QuotaLimitReached",
+            "Actions": {
+                "Inverted": true,
+                "Names": [
+                    "PutObject"
+                ]
+            },
+            "Resources": {
+                "Inverted": false,
+                "Names": [
+                    "native:object//9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J/*"
+                ]
+            },
+            "Any": true,
+            "Condition": [
+                {
+                    "Op": "StringNotLike",
+                    "Object": "Resource",
+                    "Key": "$Object:objectType",
+                    "Value": "regular"
+                }
+            ]
+        },
+        {
+            "Status": "100",
+            "Actions": {
+                "Inverted": false,
+                "Names": null
+            },
+            "Resources": {
+                "Inverted": false,
+                "Names": null
+            },
+            "Any": false,
+            "Condition": [
+                {
+                    "Op": "255",
+                    "Object": "128",
+                    "Key": "",
+                    "Value": ""
+                }
+            ]
+        }
+    ],
+    "MatchType": "FirstMatch"
+}
--- a/pkg/engine/chain_router.go
+++ b/pkg/engine/chain_router.go
@ -6,96 +6,111 @@ import (
 )

 type defaultChainRouter struct {
-	morph MorphRuleChainStorage
+	morph MorphRuleChainStorageReader

 	local LocalOverrideStorage
 }

-func NewDefaultChainRouter(morph MorphRuleChainStorage) ChainRouter {
+func NewDefaultChainRouter(morph MorphRuleChainStorageReader) ChainRouter {
 	return &defaultChainRouter{
 		morph: morph,
 	}
 }

-func NewDefaultChainRouterWithLocalOverrides(morph MorphRuleChainStorage, local LocalOverrideStorage) ChainRouter {
+func NewDefaultChainRouterWithLocalOverrides(morph MorphRuleChainStorageReader, local LocalOverrideStorage) ChainRouter {
 	return &defaultChainRouter{
 		morph: morph,
 		local: local,
 	}
 }

-func (dr *defaultChainRouter) IsAllowed(name chain.Name, namespace string, r resource.Request) (status chain.Status, ruleFound bool, err error) {
-	if dr.local != nil {
-		var localRuleFound bool
-		status, localRuleFound, err = dr.checkLocalOverrides(name, r)
-		if err != nil {
-			return chain.NoRuleFound, false, err
-		} else if localRuleFound {
-			ruleFound = true
+func (dr *defaultChainRouter) IsAllowed(name chain.Name, rt RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) {
+	status, ruleFound, err = dr.checkLocal(name, rt, r)
+	if err != nil {
+		return chain.NoRuleFound, false, err
+	} else if ruleFound {
+		// The local overrides have the highest priority and thus
+		// morph rules are not considered if a local one is found.
+		return
+	}
+
+	status, ruleFound, err = dr.checkMorph(name, rt, r)
+	return
+}
+
+func (dr *defaultChainRouter) checkLocal(name chain.Name, rt RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) {
+	if dr.local == nil {
+		return
+	}
+	var ruleFounds []bool
+	for _, target := range rt.Targets() {
+		status, ruleFound, err = dr.matchLocalOverrides(name, target, r)
+		if err != nil || ruleFound && status != chain.Allow {
 			return
 		}
-	}
-
-	var namespaceRuleFound bool
-	status, namespaceRuleFound, err = dr.checkNamespaceChains(name, namespace, r)
-	if err != nil {
-		return
-	} else if namespaceRuleFound && status != chain.Allow {
-		ruleFound = true
-		return
-	}
-
-	var cnrRuleFound bool
-	status, cnrRuleFound, err = dr.checkContainerChains(name, r.Resource().Name(), r)
-	if err != nil {
-		return
-	} else if cnrRuleFound && status != chain.Allow {
-		ruleFound = true
-		return
+		ruleFounds = append(ruleFounds, ruleFound)
 	}

 	status = chain.NoRuleFound
-	if ruleFound = namespaceRuleFound || cnrRuleFound; ruleFound {
-		status = chain.Allow
-	}
-	return
-}
-
-func (dr *defaultChainRouter) checkLocalOverrides(name chain.Name, r resource.Request) (status chain.Status, ruleFound bool, err error) {
-	localOverrides, err := dr.local.ListOverrides(name, r.Resource().Name())
-	if err != nil {
-		return
-	}
-	for _, c := range localOverrides {
-		if status, ruleFound = c.Match(r); ruleFound && status != chain.Allow {
-			return
+	for _, ruleFound = range ruleFounds {
+		if ruleFound {
+			status = chain.Allow
+			break
 		}
 	}
 	return
 }

-func (dr *defaultChainRouter) checkNamespaceChains(name chain.Name, namespace string, r resource.Request) (status chain.Status, ruleFound bool, err error) {
-	namespaceChains, err := dr.morph.ListMorphRuleChains(name, NamespaceTarget(namespace))
-	if err != nil {
-		return
-	}
-	for _, c := range namespaceChains {
-		if status, ruleFound = c.Match(r); ruleFound {
+func (dr *defaultChainRouter) checkMorph(name chain.Name, rt RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) {
+	var ruleFounds []bool
+	for _, target := range rt.Targets() {
+		status, ruleFound, err = dr.matchMorphRuleChains(name, target, r)
+		if err != nil || ruleFound && status != chain.Allow {
 			return
 		}
+		ruleFounds = append(ruleFounds, ruleFound)
+	}
+
+	status = chain.NoRuleFound
+	for _, ruleFound = range ruleFounds {
+		if ruleFound {
+			status = chain.Allow
+			break
+		}
 	}
 	return
 }

-func (dr *defaultChainRouter) checkContainerChains(name chain.Name, container string, r resource.Request) (status chain.Status, ruleFound bool, err error) {
-	containerChains, err := dr.morph.ListMorphRuleChains(name, ContainerTarget(container))
+func (dr *defaultChainRouter) matchLocalOverrides(name chain.Name, target Target, r resource.Request) (status chain.Status, ruleFound bool, err error) {
+	localOverrides, err := dr.local.ListOverrides(name, target)
 	if err != nil {
 		return
 	}
-	for _, c := range containerChains {
-		if status, ruleFound = c.Match(r); ruleFound {
-			return
-		}
-	}
+	status, ruleFound = dr.getStatusFromChains(localOverrides, r)
 	return
 }
+
+func (dr *defaultChainRouter) matchMorphRuleChains(name chain.Name, target Target, r resource.Request) (status chain.Status, ruleFound bool, err error) {
+	namespaceChains, err := dr.morph.ListMorphRuleChains(name, target)
+	if err != nil {
+		return chain.NoRuleFound, false, err
+	}
+	status, ruleFound = dr.getStatusFromChains(namespaceChains, r)
+	return
+}
+
+func (dr *defaultChainRouter) getStatusFromChains(chains []*chain.Chain, r resource.Request) (chain.Status, bool) {
+	var allow bool
+	for _, c := range chains {
+		if status, found := c.Match(r); found {
+			if status != chain.Allow {
+				return status, true
+			}
+			allow = true
+		}
+	}
+	if allow {
+		return chain.Allow, true
+	}
+	return chain.NoRuleFound, false
+}
--- a/pkg/engine/inmemory/inmemory.go
+++ b/pkg/engine/inmemory/inmemory.go
@ -43,6 +43,6 @@ func (im *inmemory) MorphRuleChainStorage() engine.MorphRuleChainStorage {
 	return im.morph
 }

-func (im *inmemory) IsAllowed(name chain.Name, namespace string, r resource.Request) (status chain.Status, ruleFound bool, err error) {
-	return im.router.IsAllowed(name, namespace, r)
+func (im *inmemory) IsAllowed(name chain.Name, rt engine.RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) {
+	return im.router.IsAllowed(name, rt, r)
 }
--- a/pkg/engine/inmemory/inmemory_test.go
+++ b/pkg/engine/inmemory/inmemory_test.go
@ -29,7 +29,7 @@ func TestInmemory(t *testing.T) {
 		"Actor":    actor1,
 	})

-	status, ok, _ := s.IsAllowed(chain.Ingress, namespace, reqGood)
+	status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTargetWithNamespace(namespace), reqGood)
 	require.Equal(t, chain.NoRuleFound, status)
 	require.False(t, ok)

@ -103,7 +103,7 @@ func TestInmemory(t *testing.T) {
 			"SourceIP": "10.122.1.20",
 			"Actor":    actor1,
 		})
-		status, ok, _ := s.IsAllowed(chain.Ingress, namespace, reqBadIP)
+		status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqBadIP)
 		require.Equal(t, chain.AccessDenied, status)
 		require.True(t, ok)
 	})
@ -113,7 +113,7 @@ func TestInmemory(t *testing.T) {
 			"SourceIP": "10.1.1.13",
 			"Actor":    actor2,
 		})
-		status, ok, _ := s.IsAllowed(chain.Ingress, namespace, reqBadActor)
+		status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqBadActor)
 		require.Equal(t, chain.AccessDenied, status)
 		require.True(t, ok)
 	})
@ -121,14 +121,14 @@ func TestInmemory(t *testing.T) {
 		objGood := resourcetest.NewResource("native::object::abc/id1", map[string]string{"Department": "HR"})
 		objBadAttr := resourcetest.NewResource("native::object::abc/id2", map[string]string{"Department": "Support"})

-		status, ok, _ := s.IsAllowed(chain.Ingress, namespace, resourcetest.NewRequest("native::object::get", objGood, map[string]string{
+		status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), resourcetest.NewRequest("native::object::get", objGood, map[string]string{
 			"SourceIP": "10.1.1.14",
 			"Actor":    actor2,
 		}))
 		require.Equal(t, chain.Allow, status)
 		require.True(t, ok)

-		status, ok, _ = s.IsAllowed(chain.Ingress, namespace, resourcetest.NewRequest("native::object::get", objBadAttr, map[string]string{
+		status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), resourcetest.NewRequest("native::object::get", objBadAttr, map[string]string{
 			"SourceIP": "10.1.1.14",
 			"Actor":    actor2,
 		}))
@ -141,33 +141,33 @@ func TestInmemory(t *testing.T) {
 			"SourceIP": "10.1.1.12",
 			"Actor":    actor1,
 		})
-		status, ok, _ := s.IsAllowed(chain.Ingress, namespace, reqBadOperation)
+		status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqBadOperation)
 		require.Equal(t, chain.AccessDenied, status)
 		require.True(t, ok)
 	})
 	t.Run("inverted rules", func(t *testing.T) {
 		req := resourcetest.NewRequest("native::object::put", resourcetest.NewResource(object, nil), nil)
-		status, ok, _ = s.IsAllowed(chain.Ingress, namespace2, req)
+		status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace2, container), req)
 		require.Equal(t, chain.NoRuleFound, status)
 		require.False(t, ok)

 		req = resourcetest.NewRequest("native::object::put", resourcetest.NewResource("native::object::cba/def", nil), nil)
-		status, ok, _ = s.IsAllowed(chain.Ingress, namespace2, req)
+		status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace2, container), req)
 		require.Equal(t, chain.AccessDenied, status)
 		require.True(t, ok)

 		req = resourcetest.NewRequest("native::object::get", resourcetest.NewResource("native::object::cba/def", nil), nil)
-		status, ok, _ = s.IsAllowed(chain.Ingress, namespace2, req)
+		status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace2, container), req)
 		require.Equal(t, chain.NoRuleFound, status)
 		require.False(t, ok)
 	})
 	t.Run("good", func(t *testing.T) {
-		status, ok, _ = s.IsAllowed(chain.Ingress, namespace, reqGood)
+		status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
 		require.Equal(t, chain.NoRuleFound, status)
 		require.False(t, ok)

 		t.Run("quota on a different container", func(t *testing.T) {
-			s.LocalStorage().AddOverride(chain.Ingress, container, &chain.Chain{
+			s.LocalStorage().AddOverride(chain.Ingress, engine.ContainerTarget(container), &chain.Chain{
 				Rules: []chain.Rule{{
 					Status:    chain.QuotaLimitReached,
 					Actions:   chain.Actions{Names: []string{"native::object::put"}},
@ -175,14 +175,14 @@ func TestInmemory(t *testing.T) {
 				}},
 			})

-			status, ok, _ = s.IsAllowed(chain.Ingress, namespace, reqGood)
+			status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
 			require.Equal(t, chain.NoRuleFound, status)
 			require.False(t, ok)
 		})

 		var quotaRuleChainID chain.ID
 		t.Run("quota on the request container", func(t *testing.T) {
-			quotaRuleChainID, _ = s.LocalStorage().AddOverride(chain.Ingress, container, &chain.Chain{
+			quotaRuleChainID, _ = s.LocalStorage().AddOverride(chain.Ingress, engine.ContainerTarget(container), &chain.Chain{
 				Rules: []chain.Rule{{
 					Status:    chain.QuotaLimitReached,
 					Actions:   chain.Actions{Names: []string{"native::object::put"}},
@ -190,15 +190,15 @@ func TestInmemory(t *testing.T) {
 				}},
 			})

-			status, ok, _ = s.IsAllowed(chain.Ingress, namespace, reqGood)
+			status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
 			require.Equal(t, chain.QuotaLimitReached, status)
 			require.True(t, ok)
 		})
 		t.Run("removed quota on the request container", func(t *testing.T) {
-			err := s.LocalStorage().RemoveOverride(chain.Ingress, container, quotaRuleChainID)
+			err := s.LocalStorage().RemoveOverride(chain.Ingress, engine.ContainerTarget(container), quotaRuleChainID)
 			require.NoError(t, err)

-			status, ok, _ = s.IsAllowed(chain.Ingress, namespace, reqGood)
+			status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
 			require.Equal(t, chain.NoRuleFound, status)
 			require.False(t, ok)
 		})
--- a/pkg/engine/inmemory/local_storage.go
+++ b/pkg/engine/inmemory/local_storage.go
@ -1,101 +1,136 @@
 package inmemory

 import (
+	"bytes"
 	"fmt"
 	"math/rand"
 	"strings"
+	"sync"

 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
 	"git.frostfs.info/TrueCloudLab/policy-engine/util"
 )

-type targetToChain map[string][]*chain.Chain
+type targetToChain map[engine.Target][]*chain.Chain

 type inmemoryLocalStorage struct {
-	usedChainID          map[chain.ID]struct{}
+	usedChainID          map[string]struct{}
 	nameToResourceChains map[chain.Name]targetToChain
+	guard                *sync.RWMutex
 }

 func NewInmemoryLocalStorage() engine.LocalOverrideStorage {
 	return &inmemoryLocalStorage{
-		usedChainID:          map[chain.ID]struct{}{},
+		usedChainID:          map[string]struct{}{},
 		nameToResourceChains: make(map[chain.Name]targetToChain),
+		guard:                &sync.RWMutex{},
 	}
 }

-func (s *inmemoryLocalStorage) generateChainID(name chain.Name, resource string) chain.ID {
+func (s *inmemoryLocalStorage) generateChainID(name chain.Name, target engine.Target) chain.ID {
 	var id chain.ID
 	for {
 		suffix := rand.Uint32() % 100
-		sid := fmt.Sprintf("%s:%s/%d", name, resource, suffix)
+		sid := fmt.Sprintf("%s:%s/%d", name, target.Name, suffix)
 		sid = strings.ReplaceAll(sid, "*", "")
 		sid = strings.ReplaceAll(sid, "/", ":")
 		sid = strings.ReplaceAll(sid, "::", ":")
-		id = chain.ID(sid)
-		_, ok := s.usedChainID[id]
+		_, ok := s.usedChainID[sid]
 		if ok {
 			continue
 		}
-		s.usedChainID[id] = struct{}{}
+		s.usedChainID[sid] = struct{}{}
+
+		id = chain.ID(sid)
 		break
 	}
 	return id
 }

-func (s *inmemoryLocalStorage) AddOverride(name chain.Name, resource string, c *chain.Chain) (chain.ID, error) {
+func (s *inmemoryLocalStorage) AddOverride(name chain.Name, target engine.Target, c *chain.Chain) (chain.ID, error) {
+	s.guard.Lock()
+	defer s.guard.Unlock()
+
 	// AddOverride assigns generated chain ID if it has not been assigned.
-	if c.ID == "" {
-		c.ID = s.generateChainID(name, resource)
+	if len(c.ID) == 0 {
+		c.ID = s.generateChainID(name, target)
 	}
 	if s.nameToResourceChains[name] == nil {
 		s.nameToResourceChains[name] = make(targetToChain)
 	}
 	rc := s.nameToResourceChains[name]
-	rc[resource] = append(rc[resource], c)
+	for i := range rc[target] {
+		if bytes.Equal(rc[target][i].ID, c.ID) {
+			rc[target][i] = c
+			return c.ID, nil
+		}
+	}
+	rc[target] = append(rc[target], c)
 	return c.ID, nil
 }

-func (s *inmemoryLocalStorage) GetOverride(name chain.Name, resource string, chainID chain.ID) (*chain.Chain, error) {
+func (s *inmemoryLocalStorage) GetOverride(name chain.Name, target engine.Target, chainID chain.ID) (*chain.Chain, error) {
+	s.guard.RLock()
+	defer s.guard.RUnlock()
+
 	if _, ok := s.nameToResourceChains[name]; !ok {
 		return nil, engine.ErrChainNameNotFound
 	}
-	chains, ok := s.nameToResourceChains[name][resource]
+	if target.Name == "" {
+		target.Name = "root"
+	}
+	chains, ok := s.nameToResourceChains[name][target]
 	if !ok {
 		return nil, engine.ErrResourceNotFound
 	}
 	for _, c := range chains {
-		if c.ID == chainID {
+		if bytes.Equal(c.ID, chainID) {
 			return c, nil
 		}
 	}
 	return nil, engine.ErrChainNotFound
 }

-func (s *inmemoryLocalStorage) RemoveOverride(name chain.Name, resource string, chainID chain.ID) error {
+func (s *inmemoryLocalStorage) RemoveOverride(name chain.Name, target engine.Target, chainID chain.ID) error {
+	s.guard.Lock()
+	defer s.guard.Unlock()
+
 	if _, ok := s.nameToResourceChains[name]; !ok {
 		return engine.ErrChainNameNotFound
 	}
-	chains, ok := s.nameToResourceChains[name][resource]
+	if target.Name == "" {
+		target.Name = "root"
+	}
+	chains, ok := s.nameToResourceChains[name][target]
 	if !ok {
 		return engine.ErrResourceNotFound
 	}
 	for i, c := range chains {
-		if c.ID == chainID {
-			s.nameToResourceChains[name][resource] = append(chains[:i], chains[i+1:]...)
+		if bytes.Equal(c.ID, chainID) {
+			s.nameToResourceChains[name][target] = append(chains[:i], chains[i+1:]...)
 			return nil
 		}
 	}
 	return engine.ErrChainNotFound
 }

-func (s *inmemoryLocalStorage) ListOverrides(name chain.Name, resource string) ([]*chain.Chain, error) {
+func (s *inmemoryLocalStorage) ListOverrides(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
+	s.guard.RLock()
+	defer s.guard.RUnlock()
+
 	rcs, ok := s.nameToResourceChains[name]
 	if !ok {
 		return []*chain.Chain{}, nil
 	}
-	for container, chains := range rcs {
-		if !util.GlobMatch(resource, container) {
+	if target.Name == "" {
+		target.Name = "root"
+	}
+	for t, chains := range rcs {
+		if t.Type != target.Type {
+			continue
+		}
+		if !util.GlobMatch(target.Name, t.Name) {
 			continue
 		}
 		return chains, nil
@ -104,6 +139,20 @@ func (s *inmemoryLocalStorage) ListOverrides(name chain.Name, resource string) (
 }

 func (s *inmemoryLocalStorage) DropAllOverrides(name chain.Name) error {
+	s.guard.Lock()
+	defer s.guard.Unlock()
+
 	s.nameToResourceChains[name] = make(targetToChain)
 	return nil
 }
+
+func (s *inmemoryLocalStorage) ListOverrideDefinedTargets(name chain.Name) ([]engine.Target, error) {
+	s.guard.RLock()
+	defer s.guard.RUnlock()
+	ttc := s.nameToResourceChains[name]
+	var keys []engine.Target
+	for k := range ttc {
+		keys = append(keys, k)
+	}
+	return keys, nil
+}
--- a/pkg/engine/inmemory/local_storage_test.go
+++ b/pkg/engine/inmemory/local_storage_test.go
@ -9,11 +9,13 @@ import (
 )

 const (
-	resrc           = "native:::object/ExYw/*"
+	container       = "native:::object/ExYw/*"
 	chainID         = "ingress:ExYw"
 	nonExistChainId = "ingress:LxGyWyL"
 )

+var resrc = engine.ContainerTarget(container)
+
 func testInmemLocalStorage() *inmemoryLocalStorage {
 	return NewInmemoryLocalStorage().(*inmemoryLocalStorage)
 }
@ -182,6 +184,9 @@ func TestListOverrides(t *testing.T) {
 		inmem.AddOverride(chain.Ingress, resrc, addChain)
 		l, _ := inmem.ListOverrides(chain.Ingress, resrc)
 		require.Len(t, l, 1)
+		targets, err := inmem.ListOverrideDefinedTargets(chain.Ingress)
+		require.NoError(t, err)
+		require.Equal(t, []engine.Target{resrc}, targets)
 	})

 	t.Run("list after drop", func(t *testing.T) {
@ -206,12 +211,12 @@ func TestGenerateID(t *testing.T) {
 }

 func hasDuplicates(ids []chain.ID) bool {
-	seen := make(map[chain.ID]bool)
+	seen := make(map[string]bool)
 	for _, id := range ids {
-		if seen[id] {
+		if seen[string(id)] {
 			return true
 		}
-		seen[id] = true
+		seen[string(id)] = true
 	}
 	return false
 }
--- a/pkg/engine/inmemory/morph_storage.go
+++ b/pkg/engine/inmemory/morph_storage.go
@ -3,6 +3,7 @@ package inmemory
 import (
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	"github.com/nspcc-dev/neo-go/pkg/util"
 )

 type inmemoryMorphRuleChainStorage struct {
@ -17,36 +18,45 @@ func NewInmemoryMorphRuleChainStorage() engine.MorphRuleChainStorage {
 	}
 }

-func (s *inmemoryMorphRuleChainStorage) AddMorphRuleChain(name chain.Name, target engine.Target, c *chain.Chain) (err error) {
+func (s *inmemoryMorphRuleChainStorage) AddMorphRuleChain(name chain.Name, target engine.Target, c *chain.Chain) (_ util.Uint256, _ uint32, err error) {
 	switch target.Type {
 	case engine.Namespace:
-		_, err = s.nameToNamespaceChains.AddOverride(name, target.Name, c)
+		_, err = s.nameToNamespaceChains.AddOverride(name, target, c)
 	case engine.Container:
-		_, err = s.nameToContainerChains.AddOverride(name, target.Name, c)
+		_, err = s.nameToContainerChains.AddOverride(name, target, c)
 	default:
 		err = engine.ErrUnknownTarget
 	}
 	return
 }

-func (s *inmemoryMorphRuleChainStorage) RemoveMorphRuleChain(name chain.Name, target engine.Target, chainID chain.ID) error {
+func (s *inmemoryMorphRuleChainStorage) RemoveMorphRuleChain(name chain.Name, target engine.Target, chainID chain.ID) (_ util.Uint256, _ uint32, err error) {
 	switch target.Type {
 	case engine.Namespace:
-		return s.nameToNamespaceChains.RemoveOverride(name, target.Name, chainID)
+		err = s.nameToNamespaceChains.RemoveOverride(name, target, chainID)
 	case engine.Container:
-		return s.nameToContainerChains.RemoveOverride(name, target.Name, chainID)
+		err = s.nameToContainerChains.RemoveOverride(name, target, chainID)
 	default:
-		return engine.ErrUnknownTarget
+		err = engine.ErrUnknownTarget
 	}
+	return
 }

 func (s *inmemoryMorphRuleChainStorage) ListMorphRuleChains(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
 	switch target.Type {
 	case engine.Namespace:
-		return s.nameToNamespaceChains.ListOverrides(name, target.Name)
+		return s.nameToNamespaceChains.ListOverrides(name, target)
 	case engine.Container:
-		return s.nameToContainerChains.ListOverrides(name, target.Name)
+		return s.nameToContainerChains.ListOverrides(name, target)
 	default:
 	}
 	return nil, engine.ErrUnknownTarget
 }
+
+func (s *inmemoryMorphRuleChainStorage) GetAdmin() (util.Uint160, error) {
+	panic("not implemented")
+}
+
+func (s *inmemoryMorphRuleChainStorage) SetAdmin(_ util.Uint160) (util.Uint256, uint32, error) {
+	panic("not implemented")
+}
--- a/pkg/engine/interface.go
+++ b/pkg/engine/interface.go
@ -3,26 +3,29 @@ package engine
 import (
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
+	"github.com/nspcc-dev/neo-go/pkg/util"
 )

 type ChainRouter interface {
 	// IsAllowed returns status for the operation after all checks.
 	// The second return value signifies whether a matching rule was found.
-	IsAllowed(name chain.Name, target string, r resource.Request) (status chain.Status, found bool, err error)
+	IsAllowed(name chain.Name, reqTarget RequestTarget, r resource.Request) (status chain.Status, found bool, err error)
 }

 // LocalOverrideStorage is the interface to manage local overrides defined
 // for a node. Local overrides have a higher priority than chains got from morph storage.
 type LocalOverrideStorage interface {
-	AddOverride(name chain.Name, resource string, c *chain.Chain) (chain.ID, error)
+	AddOverride(name chain.Name, target Target, c *chain.Chain) (chain.ID, error)

-	GetOverride(name chain.Name, resource string, chainID chain.ID) (*chain.Chain, error)
+	GetOverride(name chain.Name, target Target, chainID chain.ID) (*chain.Chain, error)

-	RemoveOverride(name chain.Name, resource string, chainID chain.ID) error
+	RemoveOverride(name chain.Name, target Target, chainID chain.ID) error

-	ListOverrides(name chain.Name, resource string) ([]*chain.Chain, error)
+	ListOverrides(name chain.Name, target Target) ([]*chain.Chain, error)

 	DropAllOverrides(name chain.Name) error
+
+	ListOverrideDefinedTargets(name chain.Name) ([]Target, error)
 }

 type TargetType rune
@ -37,6 +40,45 @@ type Target struct {
 	Name string
 }

+// RequestTarget combines several targets on which the request is performed.
+type RequestTarget struct {
+	Namespace *Target
+	Container *Target
+}
+
+func NewRequestTargetWithNamespace(namespace string) RequestTarget {
+	nt := NamespaceTarget(namespace)
+	return RequestTarget{
+		Namespace: &nt,
+	}
+}
+
+func NewRequestTargetWithContainer(container string) RequestTarget {
+	ct := ContainerTarget(container)
+	return RequestTarget{
+		Container: &ct,
+	}
+}
+
+func NewRequestTarget(namespace, container string) RequestTarget {
+	nt := NamespaceTarget(namespace)
+	ct := ContainerTarget(container)
+	return RequestTarget{
+		Namespace: &nt,
+		Container: &ct,
+	}
+}
+
+func (rt *RequestTarget) Targets() (targets []Target) {
+	if rt.Namespace != nil {
+		targets = append(targets, *rt.Namespace)
+	}
+	if rt.Container != nil {
+		targets = append(targets, *rt.Container)
+	}
+	return
+}
+
 func NamespaceTarget(namespace string) Target {
 	return Target{
 		Type: Namespace,
@ -51,14 +93,27 @@ func ContainerTarget(container string) Target {
 	}
 }

-// MorphRuleChainStorage is the interface to manage chains from the chain storage.
+// MorphRuleChainStorageReader is the interface that provides read-only methods to receive
+// data like chains, target or admin from a chain storage.
+type MorphRuleChainStorageReader interface {
+	// ListMorphRuleChains just lists deserialized chains.
+	ListMorphRuleChains(name chain.Name, target Target) ([]*chain.Chain, error)
+
+	GetAdmin() (util.Uint160, error)
+}
+
+// MorphRuleChainStorage is the interface to read and manage data within a chain storage.
 // Basically, this implies that the storage manages rules stored in policy contract.
 type MorphRuleChainStorage interface {
-	AddMorphRuleChain(name chain.Name, target Target, c *chain.Chain) error
+	MorphRuleChainStorageReader

-	RemoveMorphRuleChain(name chain.Name, target Target, chainID chain.ID) error
+	// AddMorphRuleChain adds a chain rule to the policy contract and returns transaction hash, VUB and error.
+	AddMorphRuleChain(name chain.Name, target Target, c *chain.Chain) (util.Uint256, uint32, error)

-	ListMorphRuleChains(name chain.Name, target Target) ([]*chain.Chain, error)
+	// RemoveMorphRuleChain removes a chain rule to the policy contract and returns transaction hash, VUB and error.
+	RemoveMorphRuleChain(name chain.Name, target Target, chainID chain.ID) (util.Uint256, uint32, error)
+
+	SetAdmin(addr util.Uint160) (util.Uint256, uint32, error)
 }

 // Engine is the interface that provides methods to check request permissions checking
--- a/pkg/marshal/marshal.go
+++ b/pkg/marshal/marshal.go
@ -0,0 +1,267 @@
+package marshal
+
+import (
+	"encoding/binary"
+	"fmt"
+)
+
+const (
+	Version byte = 0 // increase if breaking change
+
+	ByteSize  int = 1
+	UInt8Size int = ByteSize
+	BoolSize  int = ByteSize
+
+	nilSlice     int64 = -1
+	nilSliceSize int   = 1
+
+	byteTrue  uint8 = 1
+	byteFalse uint8 = 0
+
+	// maxSliceLen taken from https://github.com/neo-project/neo/blob/38218bbee5bbe8b33cd8f9453465a19381c9a547/src/Neo/IO/Helper.cs#L77
+	maxSliceLen = 0x1000000
+)
+
+type MarshallerError struct {
+	errMsg string
+	offset int
+}
+
+func (e *MarshallerError) Error() string {
+	if e == nil {
+		return ""
+	}
+	if e.offset < 0 {
+		return e.errMsg
+	}
+	return fmt.Sprintf("%s (offset: %d)", e.errMsg, e.offset)
+}
+
+func errBufTooSmall(t string, marshal bool, offset int) error {
+	action := "unmarshal"
+	if marshal {
+		action = "marshal"
+	}
+	return &MarshallerError{
+		errMsg: fmt.Sprintf("not enough bytes left to %s value of type '%s'", action, t),
+		offset: offset,
+	}
+}
+
+func VerifyMarshal(buf []byte, lastOffset int) error {
+	if len(buf) != lastOffset {
+		return &MarshallerError{
+			errMsg: "actual data size differs from expected",
+			offset: -1,
+		}
+	}
+	return nil
+}
+
+func VerifyUnmarshal(buf []byte, lastOffset int) error {
+	if len(buf) != lastOffset {
+		return &MarshallerError{
+			errMsg: "unmarshalled bytes left",
+		}
+	}
+	return nil
+}
+
+func SliceSize[T any](slice []T, sizeOf func(T) int) int {
+	if slice == nil {
+		return nilSliceSize
+	}
+	s := Int64Size(int64(len(slice)))
+	for _, v := range slice {
+		s += sizeOf(v)
+	}
+	return s
+}
+
+func SliceMarshal[T any](buf []byte, offset int, slice []T, marshalT func([]byte, int, T) (int, error)) (int, error) {
+	if slice == nil {
+		return Int64Marshal(buf, offset, nilSlice)
+	}
+	if len(slice) > maxSliceLen {
+		return 0, &MarshallerError{
+			errMsg: fmt.Sprintf("slice size if too big: '%d'", len(slice)),
+			offset: offset,
+		}
+	}
+	offset, err := Int64Marshal(buf, offset, int64(len(slice)))
+	if err != nil {
+		return 0, err
+	}
+	for _, v := range slice {
+		offset, err = marshalT(buf, offset, v)
+		if err != nil {
+			return 0, err
+		}
+	}
+	return offset, nil
+}
+
+func SliceUnmarshal[T any](buf []byte, offset int, unmarshalT func(buf []byte, offset int) (T, int, error)) ([]T, int, error) {
+	size, offset, err := Int64Unmarshal(buf, offset)
+	if err != nil {
+		return nil, 0, err
+	}
+	if size == nilSlice {
+		return nil, offset, nil
+	}
+	if size > maxSliceLen {
+		return nil, 0, &MarshallerError{
+			errMsg: fmt.Sprintf("slice size if too big: '%d'", size),
+			offset: offset,
+		}
+	}
+	if size < 0 {
+		return nil, 0, &MarshallerError{
+			errMsg: fmt.Sprintf("invalid slice size: '%d'", size),
+			offset: offset,
+		}
+	}
+	result := make([]T, size)
+	for idx := 0; idx < len(result); idx++ {
+		result[idx], offset, err = unmarshalT(buf, offset)
+		if err != nil {
+			return nil, 0, err
+		}
+	}
+	return result, offset, nil
+}
+
+func Int64Size(v int64) int {
+	// https://cs.opensource.google/go/go/+/master:src/encoding/binary/varint.go;l=92;drc=dac9b9ddbd5160c5f4552410f5f8281bd5eed38c
+	// and
+	// https://cs.opensource.google/go/go/+/master:src/encoding/binary/varint.go;l=41;drc=dac9b9ddbd5160c5f4552410f5f8281bd5eed38c
+	ux := uint64(v) << 1
+	if v < 0 {
+		ux = ^ux
+	}
+	s := 0
+	for ux >= 0x80 {
+		s++
+		ux >>= 7
+	}
+	return s + 1
+}
+
+func Int64Marshal(buf []byte, offset int, v int64) (int, error) {
+	if len(buf)-offset < Int64Size(v) {
+		return 0, errBufTooSmall("int64", true, offset)
+	}
+	return offset + binary.PutVarint(buf[offset:], v), nil
+}
+
+func Int64Unmarshal(buf []byte, offset int) (int64, int, error) {
+	v, read := binary.Varint(buf[offset:])
+	if read == 0 {
+		return 0, 0, errBufTooSmall("int64", false, offset)
+	}
+	if read < 0 {
+		return 0, 0, &MarshallerError{
+			errMsg: "int64 unmarshal overflow",
+			offset: offset,
+		}
+	}
+	return v, offset + read, nil
+}
+
+func StringSize(s string) int {
+	return Int64Size(int64(len(s))) + len(s)
+}
+
+func StringMarshal(buf []byte, offset int, s string) (int, error) {
+	if len(s) > maxSliceLen {
+		return 0, &MarshallerError{
+			errMsg: fmt.Sprintf("string is too long: '%d'", len(s)),
+			offset: offset,
+		}
+	}
+	if len(buf)-offset < Int64Size(int64(len(s)))+len(s) {
+		return 0, errBufTooSmall("string", true, offset)
+	}
+
+	offset, err := Int64Marshal(buf, offset, int64(len(s)))
+	if err != nil {
+		return 0, err
+	}
+	if s == "" {
+		return offset, nil
+	}
+	return offset + copy(buf[offset:], s), nil
+}
+
+func StringUnmarshal(buf []byte, offset int) (string, int, error) {
+	size, offset, err := Int64Unmarshal(buf, offset)
+	if err != nil {
+		return "", 0, err
+	}
+	if size == 0 {
+		return "", offset, nil
+	}
+	if size > maxSliceLen {
+		return "", 0, &MarshallerError{
+			errMsg: fmt.Sprintf("string is too long: '%d'", size),
+			offset: offset,
+		}
+	}
+	if size < 0 {
+		return "", 0, &MarshallerError{
+			errMsg: fmt.Sprintf("invalid string size: '%d'", size),
+			offset: offset,
+		}
+	}
+	if len(buf)-offset < int(size) {
+		return "", 0, errBufTooSmall("string", false, offset)
+	}
+	return string(buf[offset : offset+int(size)]), offset + int(size), nil
+}
+
+func UInt8Marshal(buf []byte, offset int, value uint8) (int, error) {
+	if len(buf)-offset < 1 {
+		return 0, errBufTooSmall("uint8", true, offset)
+	}
+	buf[offset] = value
+	return offset + 1, nil
+}
+
+func UInt8Unmarshal(buf []byte, offset int) (uint8, int, error) {
+	if len(buf)-offset < 1 {
+		return 0, 0, errBufTooSmall("uint8", false, offset)
+	}
+	return buf[offset], offset + 1, nil
+}
+
+func ByteMarshal(buf []byte, offset int, value byte) (int, error) {
+	return UInt8Marshal(buf, offset, value)
+}
+
+func ByteUnmarshal(buf []byte, offset int) (byte, int, error) {
+	return UInt8Unmarshal(buf, offset)
+}
+
+func BoolMarshal(buf []byte, offset int, value bool) (int, error) {
+	if value {
+		return UInt8Marshal(buf, offset, byteTrue)
+	}
+	return UInt8Marshal(buf, offset, byteFalse)
+}
+
+func BoolUnmarshal(buf []byte, offset int) (bool, int, error) {
+	v, offset, err := UInt8Unmarshal(buf, offset)
+	if err != nil {
+		return false, 0, err
+	}
+	if v == byteTrue {
+		return true, offset, nil
+	}
+	if v == byteFalse {
+		return false, offset, nil
+	}
+	return false, 0, &MarshallerError{
+		errMsg: fmt.Sprintf("invalid marshalled value for bool: %d", v),
+		offset: offset - BoolSize,
+	}
+}
--- a/pkg/marshal/marshal_test.go
+++ b/pkg/marshal/marshal_test.go
@ -0,0 +1,313 @@
+package marshal
+
+import (
+	"encoding/binary"
+	"math"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestMarshalling(t *testing.T) {
+	t.Parallel()
+	t.Run("slice", func(t *testing.T) {
+		t.Parallel()
+		t.Run("nil slice", func(t *testing.T) {
+			t.Parallel()
+
+			var int64s []int64
+			expectedSize := SliceSize(int64s, Int64Size)
+			require.Equal(t, 1, expectedSize)
+			buf := make([]byte, expectedSize)
+			offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
+			require.NoError(t, err)
+			require.NoError(t, VerifyMarshal(buf, offset))
+
+			result, offset, err := SliceUnmarshal(buf, 0, Int64Unmarshal)
+			require.NoError(t, err)
+			require.NoError(t, VerifyUnmarshal(buf, offset))
+			require.Nil(t, result)
+		})
+
+		t.Run("empty slice", func(t *testing.T) {
+			t.Parallel()
+
+			int64s := make([]int64, 0)
+			expectedSize := SliceSize(int64s, Int64Size)
+			require.Equal(t, 1, expectedSize)
+			buf := make([]byte, expectedSize)
+			offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
+			require.NoError(t, err)
+			require.NoError(t, VerifyMarshal(buf, offset))
+
+			result, offset, err := SliceUnmarshal(buf, 0, Int64Unmarshal)
+			require.NoError(t, err)
+			require.NoError(t, VerifyUnmarshal(buf, offset))
+			require.NotNil(t, result)
+			require.Len(t, result, 0)
+		})
+
+		t.Run("non empty slice", func(t *testing.T) {
+			t.Parallel()
+
+			int64s := make([]int64, 100)
+			for i := range int64s {
+				int64s[i] = int64(i)
+			}
+			expectedSize := SliceSize(int64s, Int64Size)
+			buf := make([]byte, expectedSize)
+			offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
+			require.NoError(t, err)
+			require.NoError(t, VerifyMarshal(buf, offset))
+
+			result, offset, err := SliceUnmarshal(buf, 0, Int64Unmarshal)
+			require.NoError(t, err)
+			require.NoError(t, VerifyUnmarshal(buf, offset))
+			require.Equal(t, int64s, result)
+		})
+
+		t.Run("corrupted slice size", func(t *testing.T) {
+			t.Parallel()
+
+			int64s := make([]int64, 100)
+			for i := range int64s {
+				int64s[i] = int64(i)
+			}
+			expectedSize := SliceSize(int64s, Int64Size)
+			buf := make([]byte, expectedSize)
+			offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
+			require.NoError(t, err)
+			require.NoError(t, VerifyMarshal(buf, offset))
+
+			for i := 0; i < binary.MaxVarintLen64; i++ {
+				buf[i] = 129
+			}
+
+			_, _, err = SliceUnmarshal(buf, 0, Int64Unmarshal)
+			var mErr *MarshallerError
+			require.ErrorAs(t, err, &mErr)
+
+			for i := 0; i < binary.MaxVarintLen64; i++ {
+				buf[i] = 127
+			}
+			_, _, err = SliceUnmarshal(buf, 0, Int64Unmarshal)
+			require.ErrorAs(t, err, &mErr)
+		})
+
+		t.Run("corrupted slice item", func(t *testing.T) {
+			t.Parallel()
+
+			int64s := make([]int64, 100)
+			for i := range int64s {
+				int64s[i] = int64(i)
+			}
+			expectedSize := SliceSize(int64s, Int64Size)
+			buf := make([]byte, expectedSize)
+			offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
+			require.NoError(t, err)
+			require.NoError(t, VerifyMarshal(buf, offset))
+
+			for i := 2; i < binary.MaxVarintLen64+2; i++ {
+				buf[i] = 129
+			}
+
+			_, _, err = SliceUnmarshal(buf, 0, Int64Unmarshal)
+			var mErr *MarshallerError
+			require.ErrorAs(t, err, &mErr)
+		})
+
+		t.Run("small buffer", func(t *testing.T) {
+			t.Parallel()
+
+			int64s := make([]int64, 100)
+			for i := range int64s {
+				int64s[i] = int64(i)
+			}
+			buf := make([]byte, 1)
+			_, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
+			var mErr *MarshallerError
+			require.ErrorAs(t, err, &mErr)
+
+			buf = make([]byte, 10)
+			_, err = SliceMarshal(buf, 0, int64s, Int64Marshal)
+			require.ErrorAs(t, err, &mErr)
+		})
+	})
+
+	t.Run("int64", func(t *testing.T) {
+		t.Parallel()
+
+		t.Run("success", func(t *testing.T) {
+			t.Parallel()
+
+			require.Equal(t, 1, Int64Size(0))
+			require.Equal(t, binary.MaxVarintLen64, Int64Size(math.MaxInt64))
+			require.Equal(t, binary.MaxVarintLen64, Int64Size(math.MinInt64))
+
+			for _, v := range []int64{0, math.MinInt64, math.MaxInt64} {
+				size := Int64Size(v)
+				buf := make([]byte, size)
+				offset, err := Int64Marshal(buf, 0, v)
+				require.NoError(t, err)
+				require.NoError(t, VerifyMarshal(buf, offset))
+
+				uv, offset, err := Int64Unmarshal(buf, 0)
+				require.NoError(t, err)
+				require.NoError(t, VerifyUnmarshal(buf, offset))
+				require.Equal(t, v, uv)
+			}
+		})
+
+		t.Run("invalid buffer", func(t *testing.T) {
+			t.Parallel()
+
+			var mErr *MarshallerError
+
+			_, err := Int64Marshal([]byte{}, 0, 100500)
+			require.ErrorAs(t, err, &mErr)
+
+			_, _, err = Int64Unmarshal(nil, 0)
+			require.ErrorAs(t, err, &mErr)
+		})
+
+		t.Run("overflow", func(t *testing.T) {
+			t.Parallel()
+
+			var mErr *MarshallerError
+
+			var v int64 = math.MaxInt64
+			buf := make([]byte, Int64Size(v))
+			_, err := Int64Marshal(buf, 0, v)
+			require.NoError(t, err)
+
+			buf[9] = 2
+
+			_, _, err = Int64Unmarshal(buf, 0)
+			require.ErrorAs(t, err, &mErr)
+		})
+	})
+
+	t.Run("string", func(t *testing.T) {
+		t.Parallel()
+
+		t.Run("success", func(t *testing.T) {
+			t.Parallel()
+			for _, v := range []string{
+				"", "arn:aws:iam::namespace:group/some_group", "$Object:homomorphicHash",
+				"native:container/ns/9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J",
+			} {
+				size := StringSize(v)
+				buf := make([]byte, size)
+				offset, err := StringMarshal(buf, 0, v)
+				require.NoError(t, err)
+				require.NoError(t, VerifyMarshal(buf, offset))
+
+				uv, offset, err := StringUnmarshal(buf, 0)
+				require.NoError(t, err)
+				require.NoError(t, VerifyUnmarshal(buf, offset))
+				require.Equal(t, v, uv)
+			}
+		})
+
+		t.Run("invalid buffer", func(t *testing.T) {
+			t.Parallel()
+
+			str := "avada kedavra"
+
+			var mErr *MarshallerError
+			_, err := StringMarshal(nil, 0, str)
+			require.ErrorAs(t, err, &mErr)
+
+			_, _, err = StringUnmarshal(nil, 0)
+			require.ErrorAs(t, err, &mErr)
+
+			buf := make([]byte, StringSize(str))
+			offset, err := StringMarshal(buf, 0, str)
+			require.NoError(t, err)
+			require.NoError(t, VerifyMarshal(buf, offset))
+			buf = buf[:len(buf)-1]
+			_, _, err = StringUnmarshal(buf, 0)
+			require.ErrorAs(t, err, &mErr)
+		})
+	})
+
+	t.Run("uint8, byte", func(t *testing.T) {
+		t.Parallel()
+
+		for _, v := range []byte{0, 8, 16, 32, 64, 128, 255} {
+			buf := make([]byte, ByteSize)
+			offset, err := ByteMarshal(buf, 0, v)
+			require.NoError(t, err)
+			require.NoError(t, VerifyMarshal(buf, offset))
+
+			ub, offset, err := ByteUnmarshal(buf, 0)
+			require.NoError(t, err)
+			require.NoError(t, VerifyUnmarshal(buf, offset))
+			require.Equal(t, v, ub)
+
+			buf = make([]byte, UInt8Size)
+			offset, err = UInt8Marshal(buf, 0, v)
+			require.NoError(t, err)
+			require.NoError(t, VerifyMarshal(buf, offset))
+
+			uu, offset, err := UInt8Unmarshal(buf, 0)
+			require.NoError(t, err)
+			require.NoError(t, VerifyUnmarshal(buf, offset))
+			require.Equal(t, v, uu)
+		}
+	})
+
+	t.Run("bool", func(t *testing.T) {
+		t.Parallel()
+
+		t.Run("success", func(t *testing.T) {
+			t.Parallel()
+			for _, v := range []bool{false, true} {
+				buf := make([]byte, BoolSize)
+				offset, err := BoolMarshal(buf, 0, v)
+				require.NoError(t, err)
+				require.NoError(t, VerifyMarshal(buf, offset))
+
+				ub, offset, err := BoolUnmarshal(buf, 0)
+				require.NoError(t, err)
+				require.NoError(t, VerifyUnmarshal(buf, offset))
+				require.Equal(t, v, ub)
+			}
+		})
+
+		t.Run("invalid value", func(t *testing.T) {
+			t.Parallel()
+			buf := make([]byte, BoolSize)
+			offset, err := BoolMarshal(buf, 0, true)
+			require.NoError(t, err)
+			require.NoError(t, VerifyMarshal(buf, offset))
+
+			buf[0] = 2
+
+			_, _, err = BoolUnmarshal(buf, 0)
+			var mErr *MarshallerError
+			require.ErrorAs(t, err, &mErr)
+		})
+
+		t.Run("invalid buffer", func(t *testing.T) {
+			t.Parallel()
+			var mErr *MarshallerError
+
+			_, err := BoolMarshal(nil, 0, true)
+			require.ErrorAs(t, err, &mErr)
+
+			buf := append(make([]byte, BoolSize), 100)
+			offset, err := BoolMarshal(buf, 0, true)
+			require.NoError(t, err)
+			require.ErrorAs(t, VerifyMarshal(buf, offset), &mErr)
+
+			v, offset, err := BoolUnmarshal(buf, 0)
+			require.NoError(t, err)
+			require.True(t, v)
+			require.ErrorAs(t, VerifyUnmarshal(buf, offset), &mErr)
+
+			_, _, err = BoolUnmarshal(nil, 0)
+			require.ErrorAs(t, err, &mErr)
+		})
+	})
+}
--- a/pkg/morph/policy/policy_contract_storage.go
+++ b/pkg/morph/policy/policy_contract_storage.go
@ -0,0 +1,184 @@
+package policy
+
+import (
+	"errors"
+	"fmt"
+	"math/big"
+	"strings"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-contract/policy"
+	client "git.frostfs.info/TrueCloudLab/frostfs-contract/rpcclient/policy"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
+	"github.com/nspcc-dev/neo-go/pkg/wallet"
+)
+
+var (
+	ErrEmptyChainID = errors.New("chain id is not set")
+
+	ErrEngineTargetTypeUnsupported = errors.New("this target type is not supported yet")
+)
+
+// ContractStorage is the interface to manage chain rules within Policy contract.
+type ContractStorage struct {
+	contractInterface *client.Contract
+}
+
+var _ engine.MorphRuleChainStorage = (*ContractStorage)(nil)
+
+// ContractStorageReader is the interface to read data from Policy contract.
+type ContractStorageReader struct {
+	contractReaderInterface *client.ContractReader
+}
+
+var _ engine.MorphRuleChainStorageReader = (*ContractStorageReader)(nil)
+
+func NewContractStorage(actor client.Actor, contract util.Uint160) *ContractStorage {
+	return &ContractStorage{
+		contractInterface: client.New(actor, contract),
+	}
+}
+
+func NewContractStorageWithSimpleActor(rpcActor actor.RPCActor, acc *wallet.Account, contract util.Uint160) (*ContractStorage, error) {
+	act, err := actor.NewSimple(rpcActor, acc)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create simple actor: %w", err)
+	}
+	return NewContractStorage(act, contract), nil
+}
+
+func (s *ContractStorage) AddMorphRuleChain(name chain.Name, target engine.Target, c *chain.Chain) (txHash util.Uint256, vub uint32, err error) {
+	if len(c.ID) == 0 {
+		err = ErrEmptyChainID
+		return
+	}
+
+	var kind policy.Kind
+	kind, err = policyKind(target.Type)
+	if err != nil {
+		return
+	}
+	fullName := prefixedChainName(name, c.ID)
+
+	txHash, vub, err = s.contractInterface.AddChain(big.NewInt(int64(kind)), target.Name, fullName, c.Bytes())
+	return
+}
+
+func (s *ContractStorage) RemoveMorphRuleChain(name chain.Name, target engine.Target, chainID chain.ID) (txHash util.Uint256, vub uint32, err error) {
+	if len(chainID) == 0 {
+		err = ErrEmptyChainID
+		return
+	}
+
+	var kind policy.Kind
+	kind, err = policyKind(target.Type)
+	if err != nil {
+		return
+	}
+	fullName := prefixedChainName(name, chainID)
+
+	txHash, vub, err = s.contractInterface.RemoveChain(big.NewInt(int64(kind)), target.Name, fullName)
+	return
+}
+
+func (s *ContractStorage) ListMorphRuleChains(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
+	kind, err := policyKind(target.Type)
+	if err != nil {
+		return nil, err
+	}
+
+	items, err := s.contractInterface.ListChainsByPrefix(big.NewInt(int64(kind)), target.Name, []byte(name))
+	if err != nil {
+		return nil, err
+	}
+
+	var chains []*chain.Chain
+	for _, item := range items {
+		serialized, err := bytesFromStackItem(item)
+		if err != nil {
+			return nil, err
+		}
+		c := new(chain.Chain)
+		if err := c.DecodeBytes(serialized); err != nil {
+			return nil, err
+		}
+		chains = append(chains, c)
+	}
+
+	return chains, nil
+}
+
+func (s *ContractStorage) GetAdmin() (util.Uint160, error) {
+	return s.contractInterface.GetAdmin()
+}
+
+func (s *ContractStorage) SetAdmin(addr util.Uint160) (util.Uint256, uint32, error) {
+	return s.contractInterface.SetAdmin(addr)
+}
+
+func NewContractStorageReader(inv client.Invoker, contract util.Uint160) *ContractStorageReader {
+	return &ContractStorageReader{
+		contractReaderInterface: client.NewReader(inv, contract),
+	}
+}
+
+func (s *ContractStorageReader) ListMorphRuleChains(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
+	kind, err := policyKind(target.Type)
+	if err != nil {
+		return nil, err
+	}
+
+	items, err := s.contractReaderInterface.ListChainsByPrefix(big.NewInt(int64(kind)), target.Name, []byte(name))
+	if err != nil {
+		return nil, err
+	}
+
+	var chains []*chain.Chain
+	for _, item := range items {
+		serialized, err := bytesFromStackItem(item)
+		if err != nil {
+			return nil, err
+		}
+		c := new(chain.Chain)
+		if err := c.DecodeBytes(serialized); err != nil {
+			return nil, err
+		}
+		chains = append(chains, c)
+	}
+
+	return chains, nil
+}
+
+func (s *ContractStorageReader) GetAdmin() (util.Uint160, error) {
+	return s.contractReaderInterface.GetAdmin()
+}
+
+func bytesFromStackItem(param stackitem.Item) ([]byte, error) {
+	switch param.Type() {
+	case stackitem.BufferT, stackitem.ByteArrayT, stackitem.IntegerT:
+		return param.TryBytes()
+	case stackitem.AnyT:
+		if param.Value() == nil {
+			return nil, nil
+		}
+		fallthrough
+	default:
+		return nil, fmt.Errorf("chain/client: %s is not a byte array type", param.Type())
+	}
+}
+
+func prefixedChainName(name chain.Name, chainID chain.ID) []byte {
+	return []byte(strings.ToLower(fmt.Sprintf("%s:%s", name, chainID)))
+}
+
+func policyKind(typ engine.TargetType) (policy.Kind, error) {
+	if typ == engine.Namespace {
+		return policy.Namespace, nil
+	} else if typ == engine.Container {
+		return policy.Container, nil
+	}
+	return policy.Kind(0), ErrEngineTargetTypeUnsupported
+}
--- a/schema/common/consts.go
+++ b/schema/common/consts.go
@ -0,0 +1,5 @@
+package common
+
+const (
+	PropertyKeyFrostFSIDGroupID = "frostfsid:groupID"
+)
--- a/schema/native/consts.go
+++ b/schema/native/consts.go
@ -9,6 +9,16 @@ const (
 	MethodRangeObject  = "RangeObject"
 	MethodHashObject   = "HashObject"

+	MethodPutContainer     = "PutContainer"
+	MethodDeleteContainer  = "DeleteContainer"
+	MethodGetContainer     = "GetContainer"
+	MethodListContainers   = "ListContainers"
+	MethodSetContainerEACL = "SetContainerEACL"
+	MethodGetContainerEACL = "GetContainerEACL"
+
+	ObjectPrefix    = "native:object"
+	ContainerPrefix = "native:container"
+
 	ResourceFormatNamespaceObjects          = "native:object/%s/*"
 	ResourceFormatNamespaceContainerObjects = "native:object/%s/%s/*"
 	ResourceFormatNamespaceContainerObject  = "native:object/%s/%s/%s"
@ -27,8 +37,9 @@ const (

 	ResourceFormatAllContainers = "native:container/*"

-	PropertyKeyActorPublicKey        = "$Actor:publicKey"
-	PropertyKeyActorRole             = "$Actor:role"
+	PropertyKeyActorPublicKey = "$Actor:publicKey"
+	PropertyKeyActorRole      = "$Actor:role"
+
 	PropertyKeyObjectVersion         = "$Object:version"
 	PropertyKeyObjectID              = "$Object:objectID"
 	PropertyKeyObjectContainerID     = "$Object:containerID"
@ -38,4 +49,11 @@ const (
 	PropertyKeyObjectPayloadHash     = "$Object:payloadHash"
 	PropertyKeyObjectType            = "$Object:objectType"
 	PropertyKeyObjectHomomorphicHash = "$Object:homomorphicHash"
+
+	PropertyKeyContainerOwnerID = "$Container:ownerID"
+
+	PropertyValueContainerRoleOwner     = "owner"
+	PropertyValueContainerRoleIR        = "ir"
+	PropertyValueContainerRoleContainer = "container"
+	PropertyValueContainerRoleOthers    = "others"
 )
--- a/schema/native/util/validation.go
+++ b/schema/native/util/validation.go
@ -0,0 +1,45 @@
+package util
+
+import (
+	"strings"
+
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
+)
+
+var nativePatterns = []string{
+	native.ResourceFormatNamespaceObjects, native.ResourceFormatNamespaceContainerObjects,
+	native.ResourceFormatNamespaceContainerObject, native.ResourceFormatRootObjects,
+	native.ResourceFormatRootContainerObjects, native.ResourceFormatRootContainerObject,
+	native.ResourceFormatAllObjects, native.ResourceFormatNamespaceContainer,
+	native.ResourceFormatNamespaceContainers, native.ResourceFormatRootContainer,
+	native.ResourceFormatRootContainers, native.ResourceFormatAllContainers,
+}
+
+func match(resource, pattern string) bool {
+	rTokens := strings.Split(resource, "/")
+	pToken := strings.Split(pattern, "/")
+
+	if len(rTokens) != len(pToken) {
+		return false
+	}
+
+	for i := range rTokens {
+		if pToken[i] == "%s" {
+			continue
+		}
+		if pToken[i] != rTokens[i] {
+			return false
+		}
+	}
+
+	return true
+}
+
+func IsNativeResourceNameValid(resource string) bool {
+	for _, pattern := range nativePatterns {
+		if match(resource, pattern) {
+			return true
+		}
+	}
+	return false
+}
--- a/schema/native/util/validation_test.go
+++ b/schema/native/util/validation_test.go
@ -0,0 +1,97 @@
+package util
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+var tests = []struct {
+	name     string
+	expected bool
+	resource string
+}{
+	{
+		name:     "ResourceFormatNamespaceObjects",
+		expected: true,
+		resource: "native:object/RootNamespace/*",
+	},
+	{
+		name:     "ResourceFormatNamespaceContainerObjects",
+		expected: true,
+		resource: "native:object/RootNamespace/BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R/*",
+	},
+	{
+		name:     "ResourceFormatNamespaceContainerObject",
+		expected: true,
+		resource: "native:object/RootNamespace/BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R/AeZa5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB4E",
+	},
+	{
+		name:     "ResourceFormatRootObjects",
+		expected: true,
+		resource: "native:object//*",
+	},
+	{
+		name:     "ResourceFormatRootContainerObjects",
+		expected: true,
+		resource: "native:object//BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R/*",
+	},
+	{
+		name:     "ResourceFormatRootContainerObject",
+		expected: true,
+		resource: "native:object//BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R/AeZa5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB4E",
+	},
+	{
+		name:     "ResourceFormatAllObjects",
+		expected: true,
+		resource: "native:object/*",
+	},
+	{
+		name:     "ResourceFormatNamespaceContainer",
+		expected: true,
+		resource: "native:container/RootNamespace/BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R",
+	},
+	{
+		name:     "ResourceFormatNamespaceContainers",
+		expected: true,
+		resource: "native:container/RootNamespace/*",
+	},
+	{
+		name:     "ResourceFormatRootContainers",
+		expected: true,
+		resource: "native:container//*",
+	},
+	{
+		name:     "ResourceFormatAllContainers",
+		expected: true,
+		resource: "native:container/*",
+	},
+	{
+		name:     "Invalid resource 1",
+		expected: false,
+		resource: "native:::container/*",
+	},
+	{
+		name:     "Invalid resource 2",
+		expected: false,
+		resource: "native:container/RootNamespace/w5HH3feoxFDD5tCTtoRzB3R/Bz726qzgLfxEE7wgtoRzB3R/RootNamespace",
+	},
+}
+
+func TestIsNativeResourceNameValid(t *testing.T) {
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			require.Equal(t, test.expected, IsNativeResourceNameValid(test.resource))
+		})
+	}
+}
+
+func BenchmarkIsNativeResourceNameValid(b *testing.B) {
+	for _, test := range tests {
+		b.Run(test.name, func(b *testing.B) {
+			for i := 0; i < b.N; i++ {
+				_ = IsNativeResourceNameValid(test.resource)
+			}
+		})
+	}
+}
--- a/schema/s3/consts.go
+++ b/schema/s3/consts.go
@ -0,0 +1,17 @@
+package s3
+
+const (
+	PropertyKeyOwner = "Owner"
+
+	PropertyKeyDelimiter = "s3:delimiter"
+	PropertyKeyPrefix    = "s3:prefix"
+	PropertyKeyVersionID = "s3:VersionId"
+
+	ResourceFormatS3All           = "arn:aws:s3:::*"
+	ResourceFormatS3Bucket        = "arn:aws:s3:::%s"
+	ResourceFormatS3BucketObjects = "arn:aws:s3:::%s/*"
+	ResourceFormatS3BucketObject  = "arn:aws:s3:::%s/%s"
+
+	ResourceFormatIAMNamespaceUser  = "arn:aws:iam::%s:user/%s"
+	ResourceFormatIAMNamespaceGroup = "arn:aws:iam::%s:group/%s"
+)
Author	SHA1	Message	Date
aarifullin	839f22e1a3	[#55 ] router: Inmemory implementation should take empty name for "root" Signed-off-by: Airat Arifullin <aarifullin@yadro.com>	2024-03-04 18:12:11 +03:00
aarifullin	cf1f091e26	[#54 ] morph: Introduce ContractStorageReader * Implement MorphRuleChainStorageReader interface to make possible to read from Policy contract without wallets. Signed-off-by: Airat Arifullin <aarifullin@yadro.com>	2024-03-01 08:05:25 +00:00
aarifullin	9e66ce59c6	[#54 ] morph: Revise MorphRuleChainStorage interface * Split MorphRuleChainStorage interface by moving read-only methods to a separate interface MorphRuleChainStorageReader. Signed-off-by: Airat Arifullin <aarifullin@yadro.com>	2024-03-01 08:05:25 +00:00
Denis Kirillov	c960b1b088	[#53 ] iam: Extend support s3 to native actions Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2024-02-26 12:42:15 +03:00
aarifullin	8354a074c4	[#49 ] engine: Fix target considering order * Namespace target rules should be considered first Signed-off-by: Airat Arifullin <aarifullin@yadro.com>	2024-02-06 14:12:36 +03:00
Evgenii Stratonikov	4a989d6bb7	[#50 ] .fordejo: Update DCO action Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>	2024-02-06 12:58:42 +03:00
Denis Kirillov	0edc002441	[#46 ] iam: Handle s3 complex actions Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2024-02-01 17:19:00 +03:00
Denis Kirillov	1cdb3e5a4a	[#46 ] iam: Support more s3 to native actions mapping Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2024-02-01 17:18:55 +03:00
Denis Kirillov	af388779a3	[#46 ] iam: Shrink rules for wildcard cases Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2024-01-29 11:50:24 +03:00
Denis Kirillov	8cc5173d73	[#46 ] iam: Support namespaces when forming native rules Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2024-01-29 11:50:24 +03:00
Denis Kirillov	2af381ae81	[#46 ] iam: Error if policy doesn't have actions Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2024-01-29 11:50:24 +03:00
Anton Nikiforov	8d21ab2d99	[#43 ] engine: Extend with target listing method Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com>	2024-01-29 09:41:40 +03:00
Dmitrii Stepanov	0a28f0a992	[#1 ] gitattributes: Add easyjson files rules Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2024-01-24 11:04:03 +03:00
Dmitrii Stepanov	dd0f582fc3	[#1 ] chain: Fix ID type from string to bytes ID may be non UTF-8 string, so from developers POV it is just byte slice. Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2024-01-24 11:04:03 +03:00
Dmitrii Stepanov	5f13d91c0d	[#1 ] native: Fix typo in owner value Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2024-01-24 11:04:03 +03:00
Dmitrii Stepanov	88c2a476b0	[#1 ] chain: Add json marshal/unmarshal Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2024-01-24 11:04:03 +03:00
Dmitrii Stepanov	58386edf58	[#1 ] chain: Add binary marshal/unmarshal Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2024-01-24 11:04:03 +03:00
Anton Nikiforov	06cbfe8691	[#876 ] policy: Add resource\request for container Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com>	2024-01-22 13:47:24 +03:00
Denis Kirillov	c80c99b13e	[#41 ] chain: Fix ID serialization Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2024-01-12 10:56:04 +03:00
Dmitrii Stepanov	ed93bb5cc5	[#35 ] local_storage: Make thread safe Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2023-12-21 12:13:54 +00:00
Denis Kirillov	06e9c91014	[#33 ] pkg/chain: Support CondSliceContains condition Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2023-12-21 11:13:52 +00:00
Anton Nikiforov	b82544b0fe	[#876 ] policy: Fix `SetAdmin` Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com>	2023-12-21 07:54:42 +03:00
Anton Nikiforov	641a1429ef	[#876 ] policy: Add methods `Get/SetAdmin` for wrapper Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com>	2023-12-21 04:51:21 +00:00
Dmitrii Stepanov	02e50307df	[#34 ] native: Add container methods Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2023-12-20 14:22:01 +03:00
Denis Kirillov	3128352693	[#36 ] iam: Keep s3/iam prefixes in resources Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2023-12-20 07:08:31 +00:00
Denis Kirillov	ec39d8371a	[#36 ] iam: Support iam actions Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2023-12-20 07:08:31 +00:00
aarifullin	e57d213595	[#26 ] schema: Add resource name validation method Close #26 Signed-off-by: Airat Arifullin <aarifullin@yadro.com>	2023-12-19 16:40:59 +00:00
aarifullin	62ea96b82c	[#32 ] morph: Remove name transformer in morph policy client * It is not required to transform long names because container chains will be added by container ID but not by a resource name. Signed-off-by: Airat Arifullin <aarifullin@yadro.com>	2023-12-14 12:22:53 +00:00
Denis Kirillov	1d07331f5d	[#28 ] iam: Fix converters Handle resource without object as bucket name instead of bucket with any object Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2023-12-13 13:20:38 +00:00
Denis Kirillov	3b107e9413	[#28 ] chain: Add S3 chain name Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2023-12-13 13:20:38 +00:00
Dmitrii Stepanov	8c673ee4f4	[#21 ] chain: Allow to return first match result Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2023-12-11 11:03:03 +03:00
Dmitrii Stepanov	1375e8f7fd	[#21 ] router: Make Deny the highest priority Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2023-12-08 12:37:29 +03:00
aarifullin	156018bcba	[#3 ] policy: Introduce policy contract interface wrapper Signed-off-by: Airat Arifullin <aarifullin@yadro.com>	2023-12-07 14:01:27 +03:00
aarifullin	df15b38c63	[#3 ] engine: Refactor MorphRuleChainStorage * Make changing state methods like AddMorphRuleChain, RemoveMorphRuleChain return transaction hash and VUB. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>	2023-12-06 12:25:55 +03:00
aarifullin	2d4a9fc6dc	[#25 ] engine: Refactor ChainRouter interface * Pass RequestTarget instead only namespace * Refactor unit-tests and dependencies Signed-off-by: Airat Arifullin <aarifullin@yadro.com>	2023-12-05 09:20:54 +00:00
aarifullin	4d8242584a	[#25 ] engine: Refactor LocalOverrideStorage * Make LocalOverrideStorage methods to receive Target type instead resource * Refactor unit-tests and dependencies * Make default chain router check local overrides not only for container but also for namespaces Signed-off-by: Airat Arifullin <aarifullin@yadro.com>	2023-12-05 09:20:54 +00:00
Denis Kirillov	a0a35bf4bf	[#22 ] iam: Fix converters Validate that actions and resources contain wildcard only at the end Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2023-11-28 17:56:36 +03:00
Denis Kirillov	5fa9d91903	[#17 ] iam: Add converter to native/s3 policy Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2023-11-21 11:45:41 +03:00