diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerInlinePolicy.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerInlinePolicy.java
new file mode 100644
index 0000000000..8c659ba98b
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerInlinePolicy.java
@@ -0,0 +1,145 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.model;
+
+import com.fasterxml.jackson.annotation.JsonAutoDetect;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+
+import java.util.List;
+import java.util.Objects;
+
+@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY)
+@JsonInclude(JsonInclude.Include.NON_EMPTY)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class RangerInlinePolicy implements java.io.Serializable {
+ private static final long serialVersionUID = 1L;
+
+ public enum Mode {
+ ENFORCING, // default. access will be granted only when allowed by both Ranger policies and this inline policy
+ COMPLEMENTARY // access will be granted when allowed by either Ranger policies or this inline policy
+ }
+
+ private String grantor; // example: "r:role1"; when non-empty, access must be granted for this grantor as well
+ private Mode mode;
+ private List grants;
+
+ public RangerInlinePolicy() {
+ this.mode = Mode.ENFORCING;
+ }
+
+ public RangerInlinePolicy(String grantor, Mode mode, List grants) {
+ this.grantor = grantor;
+ this.mode = mode;
+ this.grants = grants;
+ }
+
+ public String getGrantor() {
+ return grantor;
+ }
+
+ public void setGrantor(String grantor) {
+ this.grantor = grantor;
+ }
+
+ public Mode getMode() {
+ return mode;
+ }
+
+ public void setMode(Mode mode) {
+ this.mode = mode;
+ }
+
+ public List getGrants() {
+ return grants;
+ }
+
+ public void setGrants(List grants) {
+ this.grants = grants;
+ }
+
+ public static class Grant {
+ private List principals; // example: [ "u:user1, "g:group1", "r:role1" ]; if empty, means public grant
+ private List resources; // example: [ "key:vol1/bucket1/db1/tbl1/*", "key:vol1/bucket1/db1/tbl2/*" ]; if empty, means all resources
+ private List permissions; // example: [ "read", "write" ]; if empty, means no permission
+
+ public Grant() {
+ }
+
+ public Grant(List principals, List resources, List permissions) {
+ this.principals = principals;
+ this.resources = resources;
+ this.permissions = permissions;
+ }
+
+ public List getPrincipals() {
+ return principals;
+ }
+
+ public void setPrincipals(List principals) {
+ this.principals = principals;
+ }
+
+ public List getResources() {
+ return resources;
+ }
+
+ public void setResources(List resources) {
+ this.resources = resources;
+ }
+
+ public List getPermissions() {
+ return permissions;
+ }
+
+ public void setPermissions(List permissions) {
+ this.permissions = permissions;
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ } else if (o == null || getClass() != o.getClass()) {
+ return false;
+ }
+
+ Grant that = (Grant) o;
+
+ return Objects.equals(principals, that.principals) &&
+ Objects.equals(resources, that.resources) &&
+ Objects.equals(permissions, that.permissions);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(principals, resources, permissions);
+ }
+
+ @Override
+ public String toString() {
+ return "Grant{" +
+ "principals=" + principals +
+ ", resources=" + resources +
+ ", permissions=" + permissions +
+ '}';
+ }
+ }
+}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
index 8b7e9b3e42..8736cb4b21 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
@@ -19,6 +19,8 @@
 package org.apache.ranger.plugin.policyengine;
+import org.apache.ranger.plugin.model.RangerInlinePolicy;
+
 import java.util.Collections;
 import java.util.Date;
 import java.util.List;
@@ -74,6 +76,10 @@ default Map getResourceElementMatchingScop
 return Collections.emptyMap();
 }
+ default RangerInlinePolicy getInlinePolicy() {
+ return null;
+ }
+
 enum ResourceMatchingScope { SELF, SELF_OR_DESCENDANTS }
 enum ResourceElementMatchingScope { SELF, SELF_OR_CHILD, SELF_OR_PREFIX }
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
index 6f453da8f8..319815b1a0 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
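Review bot: `mode` is not fail-closed: the three-argument constructor and `setMode` store a null as given, and with field-level Jackson binding a document that explicitly carries `"mode": null` will most likely leave the field null, so every evaluator has to remember that null means the restrictive default. Coalesce in both places, `this.mode = mode == null ? Mode.ENFORCING : mode;`, so an absent mode can never be read as the access-widening COMPLEMENTARY. `RangerInlinePolicy` also lacks the `equals`/`hashCode`/`toString` that `Grant` defines; `toString` matters because the `RangerAccessRequestImpl.toString` hunk later in this diff appends the object and will otherwise log only the identity hash. The raw `List` types shown are presumably a rendering artifact of the type arguments; if they are not, they should be `List<Grant>` and `List<String>`.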
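Review bot: The new `getInlinePolicy()` default has no Javadoc, and it is the one place the contract can be stated: whatever is returned here is combined with the Ranger policies, and in COMPLEMENTARY mode (see `RangerInlinePolicy.Mode`) it can grant access the Ranger policies alone would deny. Document that the value is attached by the plugin or service code, never built from content the requesting client controls, and that `null` means no inline policy applies — e.g. `/** Inline policy attached by the plugin for this request, or {@code null}; must not be derived from client-controlled input, since Mode.COMPLEMENTARY can widen access beyond the Ranger policies. */`.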
@@ -21,6 +21,7 @@
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.model.RangerInlinePolicy;
 import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -59,6 +60,7 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 private boolean isAccessTypeDelegatedAdmin;
 private ResourceMatchingScope resourceMatchingScope = ResourceMatchingScope.SELF;
 private Map resourceElementMatchingScopes = Collections.emptyMap();
+ private RangerInlinePolicy inlinePolicy;
 public RangerAccessRequestImpl() {
 this(null, null, null, null, null);
@@ -236,6 +238,11 @@ public Map getResourceElementMatchingScope
 return this.resourceElementMatchingScopes;
 }
+ @Override
+ public RangerInlinePolicy getInlinePolicy() {
+ return inlinePolicy;
+ }
+
 public void setResourceElementMatchingScopes(Map resourceElementMatchingScopes) {
 this.resourceElementMatchingScopes = resourceElementMatchingScopes == null ? Collections.emptyMap() : resourceElementMatchingScopes;
 }
@@ -313,6 +320,10 @@ public void setIgnoreDescendantDeny(Boolean isDescendantDenyIgnored) {
 this.isDescendantDenyIgnored = isDescendantDenyIgnored == null || isDescendantDenyIgnored;
 }
+ public void setInlinePolicy(RangerInlinePolicy inlinePolicy) {
+ this.inlinePolicy = inlinePolicy;
+ }
+
 public void extractAndSetClientIPAddress(boolean useForwardedIPAddress, String[] trustedProxyAddresses) {
 String ip = getRemoteIPAddress();
@@ -393,6 +404,7 @@ public StringBuilder toString(StringBuilder sb) {
 sb.append("resourceElementMatchingScopes={").append(resourceElementMatchingScopes).append("} ");
 sb.append("clusterName={").append(clusterName).append("} ");
 sb.append("clusterType={").append(clusterType).append("} ");
+ sb.append("inlinePolicy={").append(inlinePolicy).append("} ");
 sb.append("context={");
 if (context != null) {
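Review bot: `inlinePolicy` gets a field, getter and setter, but no copy path in `RangerAccessRequestImpl` is touched; the class normally also has a constructor that copies another `RangerAccessRequest` (not shown in this diff), and if it does, the new field must be carried over there too, e.g. `this.inlinePolicy = request.getInlinePolicy();`. Otherwise a request copied by the engine silently drops its inline policy, which in ENFORCING mode removes a condition the caller expected to be applied. A one-line Javadoc on `setInlinePolicy` and `getInlinePolicy` pointing at the interface contract would also help, since the field currently has no comment at all.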
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
index 2e640d24a7..0a4b8b016a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
@@ -19,6 +19,8 @@
 package org.apache.ranger.plugin.policyengine;
+import org.apache.ranger.plugin.model.RangerInlinePolicy;
+
 import java.util.Collections;
 import java.util.Date;
 import java.util.List;
@@ -153,4 +155,9 @@ public ResourceMatchingScope getResourceMatchingScope() {
 public Map getResourceElementMatchingScopes() {
 return source.getResourceElementMatchingScopes();
 }
+
+ @Override
+ public RangerInlinePolicy getInlinePolicy() {
+ return source.getInlinePolicy();
+ }
 }
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java
index a76a4bcb55..eebf3a9729 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java
@@ -20,6 +20,7 @@
 package org.apache.ranger.plugin.policyengine;
 import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.model.RangerInlinePolicy;
 import java.util.Date;
 import java.util.List;
@@ -148,4 +149,9 @@ public ResourceMatchingScope getResourceMatchingScope() {
 public Map getResourceElementMatchingScopes() {
 return request.getResourceElementMatchingScopes();
 }
+
+ @Override
+ public RangerInlinePolicy getInlinePolicy() {
+ return request.getInlinePolicy();
+ }
 }
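Review bot: `RangerAccessRequestReadOnly.getInlinePolicy()` hands out the source's live `RangerInlinePolicy`, whose setters and `List` fields are all mutable, so a holder of the read-only view can still change the mode or grants the engine will evaluate; the `Collections` import in the preceding hunk suggests the other accessors of this class return unmodifiable views for exactly that reason. Either return a copy built from the getters, e.g. `RangerInlinePolicy p = source.getInlinePolicy(); return p == null ? null : new RangerInlinePolicy(p.getGrantor(), p.getMode(), p.getGrants());` (still shallow — the grants list would need `Collections.unmodifiableList` as well), or document on the method that the inline policy is shared and must not be mutated through this view. `RangerAccessRequestWrapper.getInlinePolicy()` has the same shape, but whether that class is meant to be immutable is not visible here.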