diff --git a/cedar-language-server/src/schema/fold.rs b/cedar-language-server/src/schema/fold.rs
index 29bdde9f59..671ab8fb5d 100644
--- a/cedar-language-server/src/schema/fold.rs
+++ b/cedar-language-server/src/schema/fold.rs
@@ -80,7 +80,7 @@ pub(crate) fn fold_schema(schema_info: &SchemaInfo) -> Option<Vec<FoldingRange>>
         .filter_map(|et| et.loc.as_loc_ref());
     let action_locs = validator.action_ids().filter_map(|a| a.loc());
     let common_types = validator
-        .common_types()
+        .common_types_extended()
         .filter_map(|ct| ct.type_loc.as_loc_ref());
 
     // Combine all locations and create folding ranges
diff --git a/cedar-language-server/src/schema/symbols.rs b/cedar-language-server/src/schema/symbols.rs
index b0be0e6cc2..602f533746 100644
--- a/cedar-language-server/src/schema/symbols.rs
+++ b/cedar-language-server/src/schema/symbols.rs
@@ -125,7 +125,7 @@ pub(crate) fn schema_symbols(schema_info: &SchemaInfo) -> Option<Vec<DocumentSym
 
     // Create common type symbols
     let common_type_symbols: Vec<DocumentSymbol> = validator
-        .common_types()
+        .common_types_extended()
         .filter_map(|ct| {
             ct.name_loc
                 .as_ref()
diff --git a/cedar-policy-core/src/ast.rs b/cedar-policy-core/src/ast.rs
index e8367a647d..7b45cd8bc0 100644
--- a/cedar-policy-core/src/ast.rs
+++ b/cedar-policy-core/src/ast.rs
@@ -54,5 +54,7 @@ mod expr_iterator;
 pub use expr_iterator::*;
 mod annotation;
 pub use annotation::*;
+mod generalized_slots_declaration;
+pub use generalized_slots_declaration::*;
 mod expr_visitor;
 pub use expr_visitor::*;
diff --git a/cedar-policy-core/src/ast/expr.rs b/cedar-policy-core/src/ast/expr.rs
index ee3c567ed8..e81c763c2b 100644
--- a/cedar-policy-core/src/ast/expr.rs
+++ b/cedar-policy-core/src/ast/expr.rs
@@ -293,7 +293,7 @@ impl<T> Expr<T> {
         self.subexpressions()
             .filter_map(|exp| match &exp.expr_kind {
                 ExprKind::Slot(slotid) => Some(Slot {
-                    id: *slotid,
+                    id: slotid.clone(),
                     loc: exp.source_loc().into_maybe_loc(),
                 }),
                 _ => None,
@@ -1842,7 +1842,7 @@ mod test {
         let e = Expr::slot(SlotId::principal());
         let p = SlotId::principal();
         let r = SlotId::resource();
-        let set: HashSet<SlotId> = HashSet::from_iter([p]);
+        let set: HashSet<SlotId> = HashSet::from_iter([p.clone()]);
         assert_eq!(set, e.slots().map(|slot| slot.id).collect::<HashSet<_>>());
         let e = Expr::or(
             Expr::slot(SlotId::principal()),
diff --git a/cedar-policy-core/src/ast/expr_visitor.rs b/cedar-policy-core/src/ast/expr_visitor.rs
index ee6acd3f26..c5adb9b353 100644
--- a/cedar-policy-core/src/ast/expr_visitor.rs
+++ b/cedar-policy-core/src/ast/expr_visitor.rs
@@ -55,7 +55,7 @@ pub trait ExprVisitor {
         match expr.expr_kind() {
             ExprKind::Lit(lit) => self.visit_literal(lit, loc),
             ExprKind::Var(var) => self.visit_var(*var, loc),
-            ExprKind::Slot(slot) => self.visit_slot(*slot, loc),
+            ExprKind::Slot(slot) => self.visit_slot(slot.clone(), loc),
             ExprKind::Unknown(unknown) => self.visit_unknown(unknown, loc),
             ExprKind::If {
                 test_expr,
diff --git a/cedar-policy-core/src/ast/generalized_slots_declaration.rs b/cedar-policy-core/src/ast/generalized_slots_declaration.rs
new file mode 100644
index 0000000000..c1b02bd706
--- /dev/null
+++ b/cedar-policy-core/src/ast/generalized_slots_declaration.rs
@@ -0,0 +1,122 @@
+/*
+ * Copyright Cedar Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+use std::collections::BTreeMap;
+
+use crate::ast::SlotId;
+use crate::extensions::Extensions;
+use crate::validator::{
+    json_schema::Type as JSONSchemaType, types::Type as ValidatorType, RawName, SchemaError,
+    ValidatorSchema,
+};
+use serde::{Deserialize, Serialize};
+
+/// Struct storing the pairs of SlotId's and their corresponding type
+#[derive(Clone, Eq, PartialEq, PartialOrd, Ord, Debug, Hash, Serialize, Deserialize)]
+pub struct GeneralizedSlotsDeclaration(BTreeMap<SlotId, JSONSchemaType<RawName>>);
+
+impl GeneralizedSlotsDeclaration {
+    /// Create a new empty `GeneralizedSlotsDeclaration` (with no slots)
+    pub fn new() -> Self {
+        Self(BTreeMap::new())
+    }
+
+    /// Get the type of the slot by key
+    pub fn get(&self, key: &SlotId) -> Option<&JSONSchemaType<RawName>> {
+        self.0.get(key)
+    }
+
+    /// Iterate over all pairs of slots and their types
+    pub fn iter(&self) -> impl Iterator<Item = (&SlotId, &JSONSchemaType<RawName>)> {
+        self.0.iter()
+    }
+
+    /// Tell if it's empty
+    pub fn is_empty(&self) -> bool {
+        self.0.is_empty()
+    }
+
+    /// Converts the types of generalized_slots_declaration to
+    /// use validator types so that they can be used by the typechecker
+    pub fn into_validator_generalized_slots_declaration(
+        self,
+        schema: &ValidatorSchema,
+    ) -> Result<ValidatorGeneralizedSlotsDeclaration, SchemaError> {
+        let validator_generalized_slots_declaration: Result<BTreeMap<_, _>, SchemaError> = self
+            .0
+            .into_iter()
+            .map(|(k, ty)| -> Result<_, SchemaError> {
+                Ok((
+                    k,
+                    schema.json_schema_type_to_validator_type(ty, Extensions::all_available())?,
+                ))
+            })
+            .collect();
+        Ok(validator_generalized_slots_declaration?.into())
+    }
+}
+
+impl Default for GeneralizedSlotsDeclaration {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+impl FromIterator<(SlotId, JSONSchemaType<RawName>)> for GeneralizedSlotsDeclaration {
+    fn from_iter<T: IntoIterator<Item = (SlotId, JSONSchemaType<RawName>)>>(iter: T) -> Self {
+        Self(BTreeMap::from_iter(iter))
+    }
+}
+
+impl From<BTreeMap<SlotId, JSONSchemaType<RawName>>> for GeneralizedSlotsDeclaration {
+    fn from(value: BTreeMap<SlotId, JSONSchemaType<RawName>>) -> Self {
+        Self(value)
+    }
+}
+
+/// Struct storing the pairs of SlotId's and their corresponding validator types
+#[derive(Clone, Eq, PartialEq, PartialOrd, Ord, Debug, Hash)]
+pub struct ValidatorGeneralizedSlotsDeclaration(BTreeMap<SlotId, ValidatorType>);
+
+impl FromIterator<(SlotId, ValidatorType)> for ValidatorGeneralizedSlotsDeclaration {
+    fn from_iter<T: IntoIterator<Item = (SlotId, ValidatorType)>>(iter: T) -> Self {
+        Self(BTreeMap::from_iter(iter))
+    }
+}
+
+impl From<BTreeMap<SlotId, ValidatorType>> for ValidatorGeneralizedSlotsDeclaration {
+    fn from(value: BTreeMap<SlotId, ValidatorType>) -> Self {
+        Self(value)
+    }
+}
+
+impl Default for ValidatorGeneralizedSlotsDeclaration {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+impl ValidatorGeneralizedSlotsDeclaration {
+    /// Create a new empty `ValidatorGeneralizedSlotsDeclaration` (with no slots)
+    pub fn new() -> Self {
+        Self(BTreeMap::new())
+    }
+
+    /// Get the validator type of the slot by key
+    pub fn get(&self, slot: &SlotId) -> Option<&ValidatorType> {
+        self.0.get(slot)
+    }
+}
diff --git a/cedar-policy-core/src/ast/name.rs b/cedar-policy-core/src/ast/name.rs
index 8482cf6e39..eb713995f9 100644
--- a/cedar-policy-core/src/ast/name.rs
+++ b/cedar-policy-core/src/ast/name.rs
@@ -283,7 +283,7 @@ impl<'de> Deserialize<'de> for InternalName {
 /// Clone is O(1).
 // This simply wraps a separate enum -- currently [`ValidSlotId`] -- in case we
 // want to generalize later
-#[derive(Debug, Clone, Copy, Eq, PartialEq, PartialOrd, Ord, Hash, Serialize, Deserialize)]
+#[derive(Debug, Clone, Eq, PartialEq, PartialOrd, Ord, Hash, Serialize, Deserialize)]
 #[serde(transparent)]
 pub struct SlotId(pub(crate) ValidSlotId);
 
@@ -298,6 +298,11 @@ impl SlotId {
         Self(ValidSlotId::Resource)
     }
 
+    /// Create a `generalized slot`
+    pub fn generalized_slot(id: Id) -> Self {
+        Self(ValidSlotId::GeneralizedSlot(id))
+    }
+
     /// Check if a slot represents a principal
     pub fn is_principal(&self) -> bool {
         matches!(self, Self(ValidSlotId::Principal))
@@ -307,6 +312,11 @@ impl SlotId {
     pub fn is_resource(&self) -> bool {
         matches!(self, Self(ValidSlotId::Resource))
     }
+
+    /// Check if a slot represents a generalized slot
+    pub fn is_generalized_slot(&self) -> bool {
+        matches!(self, Self(ValidSlotId::GeneralizedSlot(_)))
+    }
 }
 
 impl From<PrincipalOrResource> for SlotId {
@@ -324,13 +334,14 @@ impl std::fmt::Display for SlotId {
     }
 }
 
-/// Two possible variants for Slots
-#[derive(Debug, Clone, Copy, Eq, PartialEq, PartialOrd, Ord, Hash, Serialize, Deserialize)]
+/// Three possible variants for Slots
+#[derive(Debug, Clone, Eq, PartialEq, PartialOrd, Ord, Hash, Serialize, Deserialize)]
 pub(crate) enum ValidSlotId {
     #[serde(rename = "?principal")]
     Principal,
     #[serde(rename = "?resource")]
     Resource,
+    GeneralizedSlot(Id), // Slots for generalized templates, for more info see [RFC 98](https://github.com/cedar-policy/rfcs/pull/98).
 }
 
 impl std::fmt::Display for ValidSlotId {
@@ -338,6 +349,7 @@ impl std::fmt::Display for ValidSlotId {
         let s = match self {
             ValidSlotId::Principal => "principal",
             ValidSlotId::Resource => "resource",
+            ValidSlotId::GeneralizedSlot(id) => id.as_ref(),
         };
         write!(f, "?{s}")
     }
diff --git a/cedar-policy-core/src/ast/policy.rs b/cedar-policy-core/src/ast/policy.rs
index 191d66079e..dedb7ff73a 100644
--- a/cedar-policy-core/src/ast/policy.rs
+++ b/cedar-policy-core/src/ast/policy.rs
@@ -15,9 +15,16 @@
  */
 
 use crate::ast::*;
+use crate::entities::{conformance::typecheck_restricted_expr_against_schematype, SchemaType};
+use crate::extensions::Extensions;
 use crate::parser::{AsLocRef, IntoMaybeLoc, Loc, MaybeLoc};
+use crate::validator::{
+    err::SchemaError, json_schema::Type as JSONSchemaType, types::Type as ValidatorType, RawName,
+    ValidatorSchema,
+};
 use annotation::{Annotation, Annotations};
 use educe::Educe;
+use generalized_slots_declaration::GeneralizedSlotsDeclaration;
 use itertools::Itertools;
 use miette::Diagnostic;
 use nonempty::{nonempty, NonEmpty};
@@ -53,6 +60,9 @@ cfg_tolerant_ast! {
     static DEFAULT_ANNOTATIONS: std::sync::LazyLock<Arc<Annotations>> =
         std::sync::LazyLock::new(|| Arc::new(Annotations::default()));
 
+    static DEFAULT_GENERALIZED_SLOTS_DECLARATION: std::sync::LazyLock<Arc<GeneralizedSlotsDeclaration>> =
+        std::sync::LazyLock::new(|| Arc::new(GeneralizedSlotsDeclaration::default()));
+
     static DEFAULT_PRINCIPAL_CONSTRAINT: std::sync::LazyLock<PrincipalConstraint> =
         std::sync::LazyLock::new(PrincipalConstraint::any);
 
@@ -120,6 +130,7 @@ impl Template {
         id: PolicyID,
         loc: MaybeLoc,
         annotations: Annotations,
+        generalized_slots_declaration: GeneralizedSlotsDeclaration,
         effect: Effect,
         principal_constraint: PrincipalConstraint,
         action_constraint: ActionConstraint,
@@ -130,6 +141,7 @@ impl Template {
             id,
             loc,
             annotations,
+            generalized_slots_declaration,
             effect,
             principal_constraint,
             action_constraint,
@@ -154,6 +166,7 @@ impl Template {
         id: PolicyID,
         loc: MaybeLoc,
         annotations: Arc<Annotations>,
+        generalized_slots_declaration: Arc<GeneralizedSlotsDeclaration>,
         effect: Effect,
         principal_constraint: PrincipalConstraint,
         action_constraint: ActionConstraint,
@@ -164,6 +177,7 @@ impl Template {
             id,
             loc,
             annotations,
+            generalized_slots_declaration,
             effect,
             principal_constraint,
             action_constraint,
@@ -238,6 +252,18 @@ impl Template {
         self.body.annotations_arc()
     }
 
+    /// Get all generalized_slots_declaration data.
+    pub fn generalized_slots_declaration(
+        &self,
+    ) -> impl Iterator<Item = (&SlotId, &JSONSchemaType<RawName>)> {
+        self.body.generalized_slots_declaration()
+    }
+
+    /// Get [`Arc`] owning the generalized_slots_declaration data.
+    pub fn generalized_slots_declaration_arc(&self) -> &Arc<GeneralizedSlotsDeclaration> {
+        self.body.generalized_slots_declaration_arc()
+    }
+
     /// Get the condition expression of this template.
     ///
     /// This will be a conjunction of the template's scope constraints (on
@@ -247,11 +273,18 @@ impl Template {
         self.body.condition()
     }
 
-    /// List of open slots in this template
+    /// List of open slots in this template including principal, resource, and generalized slots
     pub fn slots(&self) -> impl Iterator<Item = &Slot> {
         self.slots.iter()
     }
 
+    /// List of principal and resource slots in this template
+    pub fn principal_resource_slots(&self) -> impl Iterator<Item = &Slot> {
+        self.slots
+            .iter()
+            .filter(|slot| slot.id.is_principal() || slot.id.is_resource())
+    }
+
     /// Check if this template is a static policy
     ///
     /// Static policies can be linked without any slots,
@@ -263,18 +296,40 @@ impl Template {
     /// Ensure that every slot in the template is bound by values,
     /// and that no extra values are bound in values
     /// This upholds invariant (values total map)
+    ///
+    /// All callers of this function
+    /// must enforce INVARIANT that `?principal` and `?resource` slots
+    /// are in values and generalized slots are in generalized_values
     pub fn check_binding(
         template: &Template,
         values: &HashMap<SlotId, EntityUID>,
+        generalized_values: &HashMap<SlotId, RestrictedExpr>,
     ) -> Result<(), LinkingError> {
         // Verify all slots bound
-        let unbound = template
+        let unbound_values_and_generalized_values = template
             .slots
             .iter()
-            .filter(|slot| !values.contains_key(&slot.id))
+            .filter(|slot| {
+                !values.contains_key(&slot.id) && !generalized_values.contains_key(&slot.id)
+            })
+            .collect::<Vec<_>>();
+
+        let extra_values = values
+            .iter()
+            .filter_map(|(slot, _)| {
+                if !template
+                    .slots
+                    .iter()
+                    .any(|template_slot| template_slot.id == *slot)
+                {
+                    Some(slot)
+                } else {
+                    None
+                }
+            })
             .collect::<Vec<_>>();
 
-        let extra = values
+        let extra_generalized_values = generalized_values
             .iter()
             .filter_map(|(slot, _)| {
                 if !template
@@ -289,16 +344,94 @@ impl Template {
             })
             .collect::<Vec<_>>();
 
-        if unbound.is_empty() && extra.is_empty() {
+        if unbound_values_and_generalized_values.is_empty()
+            && extra_values.is_empty()
+            && extra_generalized_values.is_empty()
+        {
             Ok(())
         } else {
             Err(LinkingError::from_unbound_and_extras(
-                unbound.into_iter().map(|slot| slot.id),
-                extra.into_iter().copied(),
+                unbound_values_and_generalized_values
+                    .into_iter()
+                    .map(|slot| slot.id.clone()),
+                extra_values
+                    .into_iter()
+                    .cloned()
+                    .chain(extra_generalized_values.into_iter().cloned()),
             ))
         }
     }
 
+    /// Validates that the values provided for the generalized slots are of the types declared
+    pub fn link_time_type_checking_with_schema(
+        template: &Template,
+        schema: &ValidatorSchema,
+        values: &HashMap<SlotId, EntityUID>,
+        generalized_values: &HashMap<SlotId, RestrictedExpr>,
+    ) -> Result<(), LinkingError> {
+        let validator_generalized_slots_declaration = GeneralizedSlotsDeclaration::from_iter(
+            template
+                .generalized_slots_declaration()
+                .map(|(k, v)| (k.clone(), v.clone())),
+        )
+        .into_validator_generalized_slots_declaration(schema)?;
+
+        let values_restricted_expr: HashMap<SlotId, RestrictedExpr> = values
+            .iter()
+            .map(|(slot, entity_uid)| (slot.clone(), RestrictedExpr::val(entity_uid.clone())))
+            .collect();
+
+        // we treat values differently because their type annotations are optional
+        for (slot, restricted_expr) in values_restricted_expr {
+            let maybe_validator_type = validator_generalized_slots_declaration.get(&slot);
+            if let Some(validator_type) = maybe_validator_type {
+                let borrowed_restricted_expr = restricted_expr.as_borrowed();
+                #[allow(clippy::expect_used)]
+                let schema_ty = &SchemaType::try_from(validator_type.clone()).expect(
+                    "This should never happen as expected_ty is a statically annotated type",
+                );
+                let extensions = Extensions::all_available();
+                typecheck_restricted_expr_against_schematype(
+                    borrowed_restricted_expr,
+                    schema_ty,
+                    extensions,
+                )
+                .map_err(|_| {
+                    LinkingError::ValueProvidedForSlotIsNotOfTypeSpecified {
+                        slot: slot.clone(),
+                        value: restricted_expr.clone(),
+                        ty: validator_type.clone(),
+                    }
+                })?
+            }
+        }
+
+        for (slot, restricted_expr) in generalized_values {
+            let validator_type = validator_generalized_slots_declaration.get(slot).ok_or(
+                LinkingError::ArityError {
+                    unbound_values: vec![slot.clone()],
+                    extra_values: vec![],
+                },
+            )?;
+            let borrowed_restricted_expr = restricted_expr.as_borrowed();
+            #[allow(clippy::expect_used)]
+            let schema_ty = &SchemaType::try_from(validator_type.clone())
+                .expect("This should never happen as expected_ty is a statically annotated type");
+            let extensions = Extensions::all_available();
+            typecheck_restricted_expr_against_schematype(
+                borrowed_restricted_expr,
+                schema_ty,
+                extensions,
+            )
+            .map_err(|_| LinkingError::ValueProvidedForSlotIsNotOfTypeSpecified {
+                slot: slot.clone(),
+                value: restricted_expr.clone(),
+                ty: validator_type.clone(),
+            })?
+        }
+        Ok(())
+    }
+
     /// Attempt to create a template-linked policy from this template.
     /// This will fail if values for all open slots are not given.
     /// `new_instance_id` is the `PolicyId` for the created template-linked policy.
@@ -306,10 +439,24 @@ impl Template {
         template: Arc<Template>,
         new_id: PolicyID,
         values: HashMap<SlotId, EntityUID>,
+        generalized_values: HashMap<SlotId, RestrictedExpr>,
+        schema: Option<&ValidatorSchema>,
     ) -> Result<Policy, LinkingError> {
         // INVARIANT (policy total map) Relies on check_binding to uphold the invariant
-        Template::check_binding(&template, &values)
-            .map(|_| Policy::new(template, Some(new_id), values))
+        Template::check_binding(&template, &values, &generalized_values)
+            .and_then(|_| {
+                if let Some(schema) = schema {
+                    Template::link_time_type_checking_with_schema(
+                        &template,
+                        schema,
+                        &values,
+                        &generalized_values,
+                    )
+                } else {
+                    Ok(())
+                }
+            })
+            .map(|_| Policy::new(template, Some(new_id), values, generalized_values))
     }
 
     /// Take a static policy and create a template and a template-linked policy for it.
@@ -324,7 +471,7 @@ impl Template {
             slots: vec![],
         });
         t.check_invariant();
-        let p = Policy::new(Arc::clone(&t), None, HashMap::new());
+        let p = Policy::new(Arc::clone(&t), None, HashMap::new(), HashMap::new());
         (t, p)
     }
 }
@@ -345,7 +492,7 @@ impl std::fmt::Display for Template {
 }
 
 /// Errors linking templates
-#[derive(Debug, Clone, PartialEq, Eq, Diagnostic, Error)]
+#[derive(Debug, Diagnostic, Error)]
 pub enum LinkingError {
     /// An error with the slot arguments provided
     // INVARIANT: `unbound_values` and `extra_values` can't both be empty
@@ -370,6 +517,31 @@ pub enum LinkingError {
         /// [`PolicyID`] where the conflict exists
         id: PolicyID,
     },
+
+    /// Value provided for slot in scope is not an EntityUID
+    #[error("value provided `{value}` for `{slot}` is not an EntityUID")]
+    ValueProvidedForSlotInScopeNotEntityUID {
+        /// Slot
+        slot: SlotId,
+        /// Value provided
+        value: RestrictedExpr,
+    },
+
+    /// Value provided for a slot is not of the type declared
+    #[error("value provided `{value}` for `{slot}` is not of declared type `{ty}`")]
+    ValueProvidedForSlotIsNotOfTypeSpecified {
+        /// Slot
+        slot: SlotId,
+        /// Value provided
+        value: RestrictedExpr,
+        /// Expected Type
+        ty: ValidatorType,
+    },
+
+    /// Types provided are not found in the Schema
+    #[error(transparent)]
+    #[diagnostic(transparent)]
+    DeclaredTypeNotFoundInSchema(#[from] SchemaError),
 }
 
 impl LinkingError {
@@ -414,30 +586,47 @@ pub struct Policy {
     ///
     /// None in the case that this is an instance of a Static Policy
     link: Option<PolicyID>,
-    // INVARIANT (values total map)
-    // All of the slots in `template` MUST be bound by `values`
+    // INVARIANT (the union of `values` and `generalized_values` must be a total map)
+    // All of the slots in `template` MUST be bound by the 
+    // union of `values` and `generalized_values`
     //
-    /// values the slots are bound to.
     /// The constructor `new` is only visible in this module,
     /// so it is the responsibility of callers to maintain
+    /// 
+    /// Values should only contain bindings for `?principal`
+    /// and `?resource`.
     values: HashMap<SlotId, EntityUID>,
+    /// All of the generalized slots in `template` MUST
+    /// be bound by `generalized values`.
+    /// In other words, all SlotId's other 
+    /// than `?principal` and `?resource` need to be binded
+    /// in generalized_values. 
+    /// For more context, view https://github.com/cedar-policy/cedar/pull/1732. 
+    generalized_values: HashMap<SlotId, RestrictedExpr>,
 }
 
 impl Policy {
     /// Link a policy to its template
-    /// INVARIANT (values total map):
-    /// `values` must bind every open slot in `template`
-    fn new(template: Arc<Template>, link_id: Option<PolicyID>, values: SlotEnv) -> Self {
+    /// INVARIANT (the union of `values` and `generalized_values` must be a total map):
+    /// the union of `values` and `generalized_values` must bind every open slot in `template`
+    fn new(
+        template: Arc<Template>,
+        link_id: Option<PolicyID>,
+        values: SlotEnv,
+        generalized_values: GeneralizedSlotEnv,
+    ) -> Self {
         #[cfg(debug_assertions)]
         {
             // PANIC SAFETY: asserts (value total map invariant) which is justified at call sites
             #[allow(clippy::expect_used)]
-            Template::check_binding(&template, &values).expect("(values total map) does not hold!");
+            Template::check_binding(&template, &values, &generalized_values)
+                .expect("(values total map) does not hold!");
         }
         Self {
             template,
             link: link_id,
             values,
+            generalized_values,
         }
     }
 
@@ -464,13 +653,14 @@ impl Policy {
             id,
             loc,
             annotations,
+            Arc::new(GeneralizedSlotsDeclaration::default()),
             effect,
             PrincipalConstraint::any(),
             ActionConstraint::any(),
             ResourceConstraint::any(),
             when,
         );
-        Self::new(Arc::new(t), None, SlotEnv::new())
+        Self::new(Arc::new(t), None, SlotEnv::new(), GeneralizedSlotEnv::new())
     }
 
     /// Get pointer to the template for this policy
@@ -503,6 +693,13 @@ impl Policy {
         self.template.annotations_arc()
     }
 
+    /// Get all generalized_slots_declaration data.
+    pub fn generalized_slots_declaration(
+        &self,
+    ) -> impl Iterator<Item = (&SlotId, &JSONSchemaType<RawName>)> {
+        self.template.generalized_slots_declaration()
+    }
+
     /// Get the principal constraint for this policy.
     ///
     /// By the invariant, this principal constraint will not contain
@@ -555,6 +752,12 @@ impl Policy {
         &self.values
     }
 
+    /// Get the mapping from generalized SlotIds to RestrictedExprs for this policy. (This will
+    /// be empty for inline policies.)
+    pub fn generalized_env(&self) -> &GeneralizedSlotEnv {
+        &self.generalized_values
+    }
+
     /// Get the ID of this policy.
     pub fn id(&self) -> &PolicyID {
         self.link.as_ref().unwrap_or_else(|| self.template.id())
@@ -567,11 +770,13 @@ impl Policy {
                 template: Arc::new(self.template.new_id(id)),
                 link: None,
                 values: self.values.clone(),
+                generalized_values: self.generalized_values.clone(),
             },
             Some(_) => Policy {
                 template: self.template.clone(),
                 link: Some(id),
                 values: self.values.clone(),
+                generalized_values: self.generalized_values.clone(),
             },
         }
     }
@@ -615,7 +820,7 @@ impl std::fmt::Display for Policy {
                 f,
                 "Template Instance of {}, slots: [{}]",
                 self.template().id(),
-                display_slot_env(self.env())
+                display_slot_env(self.env(), self.generalized_env())
             )
         }
     }
@@ -624,6 +829,9 @@ impl std::fmt::Display for Policy {
 /// Map from Slot Ids to Entity UIDs which fill the slots
 pub type SlotEnv = HashMap<SlotId, EntityUID>;
 
+/// Map from Slot Ids to RestrictedExpr which fill the generalized slots
+pub type GeneralizedSlotEnv = HashMap<SlotId, RestrictedExpr>;
+
 /// Represents either a static policy or a template linked policy.
 ///
 /// Contains less rich information than `Policy`. In particular, this form is
@@ -639,7 +847,16 @@ pub struct LiteralPolicy {
     /// as the `template_id`
     link_id: Option<PolicyID>,
     /// Values of the slots
+    /// Should only contain bindings for `?resource`
+    /// and `?principal`
     values: SlotEnv,
+    /// Generalized values of the slots
+    /// All of the generalized slots in `template` MUST
+    /// be bound by `generalized values`.
+    /// In other words, all SlotId's other 
+    /// than `?principal` and `?resource` need to be binded
+    /// in generalized_values. 
+    generalized_values: GeneralizedSlotEnv,
 }
 
 impl LiteralPolicy {
@@ -651,6 +868,7 @@ impl LiteralPolicy {
             template_id,
             link_id: None,
             values: SlotEnv::new(),
+            generalized_values: GeneralizedSlotEnv::new(),
         }
     }
 
@@ -661,11 +879,13 @@ impl LiteralPolicy {
         template_id: PolicyID,
         link_id: PolicyID,
         values: SlotEnv,
+        generalized_values: GeneralizedSlotEnv,
     ) -> Self {
         Self {
             template_id,
             link_id: Some(link_id),
             values,
+            generalized_values,
         }
     }
 
@@ -673,6 +893,11 @@ impl LiteralPolicy {
     pub fn value(&self, slot: &SlotId) -> Option<&EntityUID> {
         self.values.get(slot)
     }
+
+    /// Returns the hashmap of generalized values
+    pub fn generalized_values(&self) -> GeneralizedSlotEnv {
+        self.generalized_values.clone()
+    }
 }
 
 // Can we verify the hash property?
@@ -713,6 +938,7 @@ mod hashing_tests {
             template_id: PolicyID::from_string("template"),
             link_id: Some(PolicyID::from_string("id")),
             values: map,
+            generalized_values: HashMap::new(),
         }
     }
 
@@ -750,8 +976,14 @@ impl LiteralPolicy {
             .get(&self.template_id)
             .ok_or_else(|| ReificationError::NoSuchTemplate(self.template_id().clone()))?;
         // INVARIANT (values total map)
-        Template::check_binding(template, &self.values).map_err(ReificationError::Linking)?;
-        Ok(Policy::new(template.clone(), self.link_id, self.values))
+        Template::check_binding(template, &self.values, &self.generalized_values)
+            .map_err(ReificationError::Linking)?;
+        Ok(Policy::new(
+            template.clone(),
+            self.link_id,
+            self.values,
+            self.generalized_values,
+        ))
     }
 
     /// Lookup the euid bound by a SlotId
@@ -777,9 +1009,14 @@ impl LiteralPolicy {
     }
 }
 
-fn display_slot_env(env: &SlotEnv) -> String {
+fn display_slot_env(env: &SlotEnv, generalized_env: &GeneralizedSlotEnv) -> String {
     env.iter()
         .map(|(slot, value)| format!("{slot} -> {value}"))
+        .chain(
+            generalized_env
+                .iter()
+                .map(|(slot, value)| format!("{slot} -> {value}")),
+        )
         .join(",")
 }
 
@@ -792,7 +1029,7 @@ impl std::fmt::Display for LiteralPolicy {
                 f,
                 "Template linked policy of {}, slots: [{}]",
                 self.template_id(),
-                display_slot_env(&self.values),
+                display_slot_env(&self.values, &self.generalized_values),
             )
         }
     }
@@ -804,6 +1041,7 @@ impl From<Policy> for LiteralPolicy {
             template_id: p.template.id().clone(),
             link_id: p.link,
             values: p.values,
+            generalized_values: p.generalized_values,
         }
     }
 }
@@ -904,6 +1142,7 @@ impl StaticPolicy {
         id: PolicyID,
         loc: MaybeLoc,
         annotations: Annotations,
+        generalized_slots_declaration: GeneralizedSlotsDeclaration,
         effect: Effect,
         principal_constraint: PrincipalConstraint,
         action_constraint: ActionConstraint,
@@ -914,6 +1153,7 @@ impl StaticPolicy {
             id,
             loc,
             annotations,
+            generalized_slots_declaration,
             effect,
             principal_constraint,
             action_constraint,
@@ -971,6 +1211,8 @@ pub struct TemplateBodyImpl {
     /// Note that the keys are `AnyId`, so Cedar reserved words like `if` and `has`
     /// are explicitly allowed as annotations.
     annotations: Arc<Annotations>,
+    /// Stores the type and position information for generalized slots
+    generalized_slots_declaration: Arc<GeneralizedSlotsDeclaration>,
     /// `Effect` of this policy
     effect: Effect,
     /// Scope constraint for principal. This will be a boolean-valued expression:
@@ -1081,6 +1323,32 @@ impl TemplateBody {
         }
     }
 
+    /// Get shared ref to generalized_slots_declaration
+    pub fn generalized_slots_declaration_arc(&self) -> &Arc<GeneralizedSlotsDeclaration> {
+        match self {
+            TemplateBody::TemplateBody(TemplateBodyImpl {
+                generalized_slots_declaration,
+                ..
+            }) => generalized_slots_declaration,
+            #[cfg(feature = "tolerant-ast")]
+            TemplateBody::TemplateBodyError(_, _) => &DEFAULT_GENERALIZED_SLOTS_DECLARATION,
+        }
+    }
+
+    /// Get all generalized_slots_declaration data.
+    pub fn generalized_slots_declaration(
+        &self,
+    ) -> impl Iterator<Item = (&SlotId, &JSONSchemaType<RawName>)> {
+        match self {
+            TemplateBody::TemplateBody(TemplateBodyImpl {
+                generalized_slots_declaration,
+                ..
+            }) => generalized_slots_declaration.iter(),
+            #[cfg(feature = "tolerant-ast")]
+            TemplateBody::TemplateBodyError(_, _) => DEFAULT_GENERALIZED_SLOTS_DECLARATION.iter(),
+        }
+    }
+
     /// Get the `principal` scope constraint of this policy.
     pub fn principal_constraint(&self) -> &PrincipalConstraint {
         match self {
@@ -1217,6 +1485,7 @@ impl TemplateBody {
         id: PolicyID,
         loc: MaybeLoc,
         annotations: Arc<Annotations>,
+        generalized_slots_declaration: Arc<GeneralizedSlotsDeclaration>,
         effect: Effect,
         principal_constraint: PrincipalConstraint,
         action_constraint: ActionConstraint,
@@ -1227,6 +1496,7 @@ impl TemplateBody {
             id,
             loc,
             annotations,
+            generalized_slots_declaration,
             effect,
             principal_constraint,
             action_constraint,
@@ -1241,6 +1511,7 @@ impl TemplateBody {
         id: PolicyID,
         loc: MaybeLoc,
         annotations: Annotations,
+        generalized_slots_declaration: GeneralizedSlotsDeclaration,
         effect: Effect,
         principal_constraint: PrincipalConstraint,
         action_constraint: ActionConstraint,
@@ -1251,6 +1522,7 @@ impl TemplateBody {
             id,
             loc,
             annotations: Arc::new(annotations),
+            generalized_slots_declaration: Arc::new(generalized_slots_declaration),
             effect,
             principal_constraint,
             action_constraint,
@@ -1384,6 +1656,19 @@ impl PrincipalConstraint {
             _ => self,
         }
     }
+
+    /// If the principal constraint has a slot, return it
+    pub fn get_slot(self) -> Option<Slot> {
+        match self.constraint {
+            PrincipalOrResourceConstraint::Eq(EntityReference::Slot(l))
+            | PrincipalOrResourceConstraint::In(EntityReference::Slot(l))
+            | PrincipalOrResourceConstraint::IsIn(_, EntityReference::Slot(l)) => Some(Slot {
+                id: SlotId::principal(),
+                loc: l,
+            }),
+            _ => None,
+        }
+    }
 }
 
 impl std::fmt::Display for PrincipalConstraint {
@@ -1491,6 +1776,19 @@ impl ResourceConstraint {
             _ => self,
         }
     }
+
+    /// If the resource constraint has a slot, return it
+    pub fn get_slot(self) -> Option<Slot> {
+        match self.constraint {
+            PrincipalOrResourceConstraint::Eq(EntityReference::Slot(l))
+            | PrincipalOrResourceConstraint::In(EntityReference::Slot(l))
+            | PrincipalOrResourceConstraint::IsIn(_, EntityReference::Slot(l)) => Some(Slot {
+                id: SlotId::resource(),
+                loc: l,
+            }),
+            _ => None,
+        }
+    }
 }
 
 impl std::fmt::Display for ResourceConstraint {
@@ -2007,6 +2305,7 @@ pub(crate) mod test_generators {
                         permit.clone(),
                         None,
                         Annotations::new(),
+                        GeneralizedSlotsDeclaration::new(),
                         Effect::Permit,
                         principal.clone(),
                         action.clone(),
@@ -2017,6 +2316,7 @@ pub(crate) mod test_generators {
                         forbid.clone(),
                         None,
                         Annotations::new(),
+                        GeneralizedSlotsDeclaration::new(),
                         Effect::Forbid,
                         principal.clone(),
                         action.clone(),
@@ -2056,10 +2356,12 @@ mod test {
             template.check_invariant();
             let t = Arc::new(template);
             let env = t
-                .slots()
-                .map(|slot| (slot.id, EntityUID::with_eid("eid")))
+                .principal_resource_slots()
+                .map(|slot| (slot.id.clone(), EntityUID::with_eid("eid")))
                 .collect();
-            let _ = Template::link(t, PolicyID::from_string("id"), env).expect("Linking failed");
+            let generalized_env = HashMap::new();
+            let _ = Template::link(t, PolicyID::from_string("id"), env, generalized_env, None)
+                .expect("Linking failed");
         }
     }
 
@@ -2072,7 +2374,17 @@ mod test {
             let a = template.action_constraint().clone();
             let r = template.resource_constraint().clone();
             let non_scope = template.non_scope_constraints().clone();
-            let t2 = Template::new(id, None, Annotations::new(), effect, p, a, r, non_scope);
+            let t2 = Template::new(
+                id,
+                None,
+                Annotations::new(),
+                GeneralizedSlotsDeclaration::new(),
+                effect,
+                p,
+                a,
+                r,
+                non_scope,
+            );
             assert_eq!(template, t2);
         }
     }
@@ -2091,8 +2403,18 @@ mod test {
                 let a = ip.action_constraint().clone();
                 let r = ip.resource_constraint().clone();
                 let non_scope = ip.non_scope_constraints().clone();
-                let ip2 = StaticPolicy::new(id, None, anno, e, p, a, r, non_scope)
-                    .expect("Policy Creation Failed");
+                let ip2 = StaticPolicy::new(
+                    id,
+                    None,
+                    anno,
+                    GeneralizedSlotsDeclaration::new(),
+                    e,
+                    p,
+                    a,
+                    r,
+                    non_scope,
+                )
+                .expect("Policy Creation Failed");
                 assert_eq!(ip, ip2);
                 let (t2, inst) = Template::link_static_policy(ip2);
                 assert!(inst.is_static());
@@ -2109,6 +2431,7 @@ mod test {
             tid,
             None,
             Annotations::new(),
+            GeneralizedSlotsDeclaration::new(),
             Effect::Forbid,
             PrincipalConstraint::is_eq_slot(),
             ActionConstraint::Any,
@@ -2116,8 +2439,9 @@ mod test {
             Expr::val(true),
         ));
         let mut m = HashMap::new();
+        let generalized_env = HashMap::new();
         m.insert(SlotId::resource(), EntityUID::with_eid("eid"));
-        assert_matches!(Template::link(t, iid, m), Err(LinkingError::ArityError { unbound_values, extra_values }) => {
+        assert_matches!(Template::link(t, iid, m, generalized_env, None), Err(LinkingError::ArityError { unbound_values, extra_values }) => {
             assert_eq!(unbound_values, vec![SlotId::principal()]);
             assert_eq!(extra_values, vec![SlotId::resource()]);
         });
@@ -2131,19 +2455,22 @@ mod test {
             tid,
             None,
             Annotations::new(),
+            GeneralizedSlotsDeclaration::new(),
             Effect::Forbid,
             PrincipalConstraint::is_eq_slot(),
             ActionConstraint::Any,
             ResourceConstraint::is_in_slot(),
             Expr::val(true),
         ));
-        assert_matches!(Template::link(t.clone(), iid.clone(), HashMap::new()), Err(LinkingError::ArityError { unbound_values, extra_values }) => {
+        let generalized_env = HashMap::new();
+        assert_matches!(Template::link(t.clone(), iid.clone(), HashMap::new(), generalized_env, None), Err(LinkingError::ArityError { unbound_values, extra_values }) => {
             assert_eq!(unbound_values, vec![SlotId::resource(), SlotId::principal()]);
             assert_eq!(extra_values, vec![]);
         });
         let mut m = HashMap::new();
         m.insert(SlotId::principal(), EntityUID::with_eid("eid"));
-        assert_matches!(Template::link(t, iid, m), Err(LinkingError::ArityError { unbound_values, extra_values }) => {
+        let generalized_env = HashMap::new();
+        assert_matches!(Template::link(t, iid, m, generalized_env, None), Err(LinkingError::ArityError { unbound_values, extra_values }) => {
             assert_eq!(unbound_values, vec![SlotId::resource()]);
             assert_eq!(extra_values, vec![]);
         });
@@ -2157,6 +2484,7 @@ mod test {
             tid,
             None,
             Annotations::new(),
+            GeneralizedSlotsDeclaration::new(),
             Effect::Permit,
             PrincipalConstraint::is_in_slot(),
             ActionConstraint::any(),
@@ -2168,7 +2496,9 @@ mod test {
         m.insert(SlotId::principal(), EntityUID::with_eid("theprincipal"));
         m.insert(SlotId::resource(), EntityUID::with_eid("theresource"));
 
-        let r = Template::link(t, iid.clone(), m).expect("Should Succeed");
+        let generalized_env = HashMap::new();
+
+        let r = Template::link(t, iid.clone(), m, generalized_env, None).expect("Should Succeed");
         assert_eq!(r.id(), &iid);
         assert_eq!(
             r.env().get(&SlotId::principal()),
@@ -2365,7 +2695,7 @@ mod test {
                 .exactly_one_underline("?principal")
                 .build()
             );
-            assert_eq!(e.len(), 2);
+            assert_eq!(e.len(), 1);
         });
     }
 
diff --git a/cedar-policy-core/src/ast/policy_set.rs b/cedar-policy-core/src/ast/policy_set.rs
index 135531b3a3..ce65df8018 100644
--- a/cedar-policy-core/src/ast/policy_set.rs
+++ b/cedar-policy-core/src/ast/policy_set.rs
@@ -18,6 +18,8 @@ use super::{
     EntityUID, LinkingError, LiteralPolicy, Policy, PolicyID, ReificationError, SlotId,
     StaticPolicy, Template,
 };
+use crate::ast::RestrictedExpr;
+use crate::validator::ValidatorSchema;
 use itertools::Itertools;
 use miette::Diagnostic;
 use smol_str::format_smolstr;
@@ -498,21 +500,24 @@ impl PolicySet {
     /// set. Returns a references to the new template linked policy if
     /// successful.
     ///
-    /// Errors for two reasons
-    ///   1) The the passed SlotEnv either does not match the slots in the templates
+    /// Errors for three reasons
+    ///   1) The the passed SlotEnv or GeneralizedSlotEnv either does not match the slots in the templates
     ///   2) The passed link Id conflicts with an Id already in the set
+    ///   3) SlotEnv and GeneralizedSlotEnv do not conform to their type annotations
     pub fn link(
         &mut self,
         template_id: PolicyID,
         new_id: PolicyID,
-        values: HashMap<SlotId, EntityUID>,
+        values: HashMap<SlotId, EntityUID>, // If `?principal` or `?resource` are slots of template_id then the values that bind to it must be placed in values
+        generalized_values: HashMap<SlotId, RestrictedExpr>, // The values for all slots other that `?principal` and `?resource` belong in generalized_values
+        schema: Option<&ValidatorSchema>,
     ) -> Result<&Policy, LinkingError> {
         let t =
             self.get_template_arc(&template_id)
                 .ok_or_else(|| LinkingError::NoSuchTemplate {
                     id: template_id.clone(),
                 })?;
-        let r = Template::link(t, new_id.clone(), values)?;
+        let r = Template::link(t, new_id.clone(), values, generalized_values, schema)?;
 
         // Both maps must not contain the `new_id`
         match (
@@ -640,8 +645,8 @@ mod test {
     use super::*;
     use crate::{
         ast::{
-            annotation::Annotations, ActionConstraint, Effect, Expr, PrincipalConstraint,
-            ResourceConstraint,
+            annotation::Annotations, ActionConstraint, Effect, Expr, GeneralizedSlotsDeclaration,
+            PrincipalConstraint, ResourceConstraint,
         },
         parser,
     };
@@ -669,7 +674,14 @@ mod test {
             r#"Test::"test""#.parse().expect("Failed to parse"),
         )]);
 
-        let r = pset.link(PolicyID::from_string("t"), PolicyID::from_string("id"), env);
+        let generalized_env = HashMap::new();
+        let r = pset.link(
+            PolicyID::from_string("t"),
+            PolicyID::from_string("id"),
+            env,
+            generalized_env,
+            None,
+        );
 
         match r {
             Ok(_) => panic!("Should have failed due to conflict"),
@@ -706,8 +718,15 @@ mod test {
             r#"Test::"test1""#.parse().expect("Failed to parse"),
         )]);
 
-        let p1 = Template::link(Arc::clone(&template), PolicyID::from_string("link"), env1)
-            .expect("Failed to link");
+        let generalized_env = HashMap::new();
+        let p1 = Template::link(
+            Arc::clone(&template),
+            PolicyID::from_string("link"),
+            env1,
+            generalized_env,
+            None,
+        )
+        .expect("Failed to link");
         pset.add(p1).expect(
             "Adding link should succeed, even though the template wasn't previously in the pset",
         );
@@ -721,10 +740,13 @@ mod test {
             r#"Test::"test2""#.parse().expect("Failed to parse"),
         )]);
 
+        let generalized_env = HashMap::new();
         let p2 = Template::link(
             Arc::clone(&template),
             PolicyID::from_string("link"),
             env2.clone(),
+            generalized_env,
+            None,
         )
         .expect("Failed to link");
         match pset.add(p2) {
@@ -732,8 +754,15 @@ mod test {
             Err(PolicySetError::Occupied { id }) => assert_eq!(id, PolicyID::from_string("link")),
         }
 
-        let p3 = Template::link(Arc::clone(&template), PolicyID::from_string("link2"), env2)
-            .expect("Failed to link");
+        let generalized_env = HashMap::new();
+        let p3 = Template::link(
+            Arc::clone(&template),
+            PolicyID::from_string("link2"),
+            env2,
+            generalized_env,
+            None,
+        )
+        .expect("Failed to link");
         pset.add(p3).expect(
             "Adding link should succeed, even though the template already existed in the pset",
         );
@@ -750,10 +779,13 @@ mod test {
             r#"Test::"test3""#.parse().expect("Failed to parse"),
         )]);
 
+        let generalized_env = HashMap::new();
         let p4 = Template::link(
             Arc::clone(&template2),
             PolicyID::from_string("unique3"),
             env3,
+            generalized_env,
+            None,
         )
         .expect("Failed to link");
         match pset.add(p4) {
@@ -906,6 +938,8 @@ mod test {
             PolicyID::from_string("template"),
             PolicyID::from_string("id"),
             HashMap::from([(SlotId::principal(), EntityUID::with_eid("eid"))]),
+            HashMap::new(),
+            None,
         )
         .expect("Linking failed!");
         assert_eq!(set.static_policies().count(), 1);
@@ -920,6 +954,7 @@ mod test {
             tid.clone(),
             None,
             Annotations::new(),
+            GeneralizedSlotsDeclaration::new(),
             Effect::Permit,
             PrincipalConstraint::any(),
             ActionConstraint::any(),
@@ -929,7 +964,13 @@ mod test {
 
         let mut s = PolicySet::new();
         let e = s
-            .link(tid.clone(), lid.clone(), HashMap::new())
+            .link(
+                tid.clone(),
+                lid.clone(),
+                HashMap::new(),
+                HashMap::new(),
+                None,
+            )
             .expect_err("Should fail");
 
         match e {
@@ -938,7 +979,8 @@ mod test {
         };
 
         s.add_template(t).unwrap();
-        s.link(tid, lid, HashMap::new()).expect("Should succeed");
+        s.link(tid, lid, HashMap::new(), HashMap::new(), None)
+            .expect("Should succeed");
     }
 
     #[test]
@@ -949,6 +991,7 @@ mod test {
             tid.clone(),
             None,
             Annotations::new(),
+            GeneralizedSlotsDeclaration::new(),
             Effect::Permit,
             PrincipalConstraint::is_eq_slot(),
             ActionConstraint::any(),
@@ -963,7 +1006,9 @@ mod test {
         vals.insert(SlotId::principal(), EntityUID::with_eid("p"));
         vals.insert(SlotId::resource(), EntityUID::with_eid("a"));
 
-        s.link(tid.clone(), lid.clone(), vals).expect("Should link");
+        let generalized_env = HashMap::new();
+        s.link(tid.clone(), lid.clone(), vals, generalized_env, None)
+            .expect("Should link");
 
         let v: Vec<_> = s.policies().collect();
 
@@ -985,6 +1030,7 @@ mod test {
             id.clone(),
             None,
             Annotations::new(),
+            GeneralizedSlotsDeclaration::new(),
             Effect::Forbid,
             PrincipalConstraint::any(),
             ActionConstraint::any(),
@@ -1014,6 +1060,7 @@ mod test {
             template_id.clone(),
             None,
             Annotations::new(),
+            GeneralizedSlotsDeclaration::new(),
             Effect::Forbid,
             PrincipalConstraint::is_eq_slot(),
             ActionConstraint::any(),
@@ -1025,8 +1072,16 @@ mod test {
         let mut v = HashMap::new();
         let entity = EntityUID::with_eid("eid");
         v.insert(SlotId::principal(), entity.clone());
-        s.link(template_id.clone(), link_id.clone(), v)
-            .expect("Linking failed!");
+
+        let generalized_env = HashMap::new();
+        s.link(
+            template_id.clone(),
+            link_id.clone(),
+            v,
+            generalized_env,
+            None,
+        )
+        .expect("Linking failed!");
 
         let link = s.get(&link_id).expect("Link should exist");
         assert_eq!(&link_id, link.id());
@@ -1049,6 +1104,7 @@ mod test {
             id1.clone(),
             None,
             Annotations::new(),
+            GeneralizedSlotsDeclaration::new(),
             Effect::Permit,
             PrincipalConstraint::any(),
             ActionConstraint::any(),
@@ -1060,6 +1116,7 @@ mod test {
             tid1.clone(),
             None,
             Annotations::new(),
+            GeneralizedSlotsDeclaration::new(),
             Effect::Permit,
             PrincipalConstraint::any(),
             ActionConstraint::any(),
@@ -1080,6 +1137,7 @@ mod test {
             id2.clone(),
             None,
             Annotations::new(),
+            GeneralizedSlotsDeclaration::new(),
             Effect::Forbid,
             PrincipalConstraint::is_eq(Arc::new(EntityUID::with_eid("jane"))),
             ActionConstraint::any(),
@@ -1095,6 +1153,7 @@ mod test {
             tid2.clone(),
             None,
             Annotations::new(),
+            GeneralizedSlotsDeclaration::new(),
             Effect::Permit,
             PrincipalConstraint::is_eq_slot(),
             ActionConstraint::any(),
@@ -1109,6 +1168,8 @@ mod test {
             tid2.clone(),
             id3.clone(),
             HashMap::from([(SlotId::principal(), EntityUID::with_eid("example"))]),
+            HashMap::new(),
+            None,
         );
         r.expect("Linking failed");
 
diff --git a/cedar-policy-core/src/authorizer.rs b/cedar-policy-core/src/authorizer.rs
index c332a6787f..ed181ad7e7 100644
--- a/cedar-policy-core/src/authorizer.rs
+++ b/cedar-policy-core/src/authorizer.rs
@@ -192,7 +192,7 @@ impl std::fmt::Debug for Authorizer {
 #[cfg(test)]
 mod test {
     use super::*;
-    use crate::ast::Annotations;
+    use crate::ast::{Annotations, GeneralizedSlotsDeclaration};
     use crate::parser;
 
     /// Sanity unit test case for is_authorized.
@@ -277,6 +277,7 @@ mod test {
             pid,
             None,
             Annotations::new(),
+            GeneralizedSlotsDeclaration::new(),
             e,
             PrincipalConstraint::any(),
             ActionConstraint::any(),
@@ -293,6 +294,7 @@ mod test {
             pid,
             None,
             Annotations::new(),
+            GeneralizedSlotsDeclaration::new(),
             effect,
             PrincipalConstraint::any(),
             ActionConstraint::any(),
diff --git a/cedar-policy-core/src/est.rs b/cedar-policy-core/src/est.rs
index fbfd55f52f..bdcec10392 100644
--- a/cedar-policy-core/src/est.rs
+++ b/cedar-policy-core/src/est.rs
@@ -138,9 +138,11 @@ impl Clause {
     /// Fill in any slots in the clause using the values in `vals`. Throws an
     /// error if `vals` doesn't contain a necessary mapping, but does not throw
     /// an error if `vals` contains unused mappings.
-    pub fn link(self, _vals: &HashMap<ast::SlotId, EntityUidJson>) -> Result<Self, LinkingError> {
-        // currently, slots are not allowed in clauses
-        Ok(self)
+    pub fn link(self, vals: &HashMap<ast::SlotId, EntityUidJson>) -> Result<Self, LinkingError> {
+        match self {
+            Clause::When(e) => Ok(Clause::When(e.link(vals)?)),
+            Clause::Unless(e) => Ok(Clause::Unless(e.link(vals)?)),
+        }
     }
 
     /// Substitute entity literals
@@ -157,8 +159,10 @@ impl Clause {
 
     /// Returns true if this clause has a slot.
     pub fn has_slot(&self) -> bool {
-        // currently, slots are not allowed in clauses
-        false
+        match self {
+            Clause::When(e) => e.has_slot(),
+            Clause::Unless(e) => e.has_slot(),
+        }
     }
 }
 
@@ -280,10 +284,13 @@ impl Policy {
         id: Option<ast::PolicyID>,
     ) -> Result<ast::Template, FromJsonError> {
         let id = id.unwrap_or_else(|| ast::PolicyID::from_string("JSON policy"));
+        let has_principal_slot = self.principal.has_slot();
+        let has_resource_slot = self.resource.has_slot();
+
         let mut conditions_iter = self
             .conditions
             .into_iter()
-            .map(|cond| cond.try_into_ast(&id));
+            .map(|cond| cond.try_into_ast(has_principal_slot, has_resource_slot, &id));
         let conditions = match conditions_iter.next() {
             None => ast::Expr::val(true),
             Some(first) => ast::ExprBuilder::with_data(())
@@ -302,6 +309,7 @@ impl Policy {
                     )
                 })
                 .collect(),
+            ast::GeneralizedSlotsDeclaration::new(), // Chore: We will include this when we include the EST functionality
             self.effect,
             self.principal.try_into()?,
             self.action.try_into()?,
@@ -312,25 +320,50 @@ impl Policy {
 }
 
 impl Clause {
-    fn filter_slots(e: ast::Expr, is_when: bool) -> Result<ast::Expr, FromJsonError> {
-        let first_slot = e.slots().next();
-        if let Some(slot) = first_slot {
-            Err(parse_errors::SlotsInConditionClause {
-                slot,
-                clause_type: if is_when { "when" } else { "unless" },
+    fn filter_slots(
+        e: ast::Expr,
+        has_principal_slot: bool,
+        has_resource_slot: bool,
+        is_when: bool,
+    ) -> Result<ast::Expr, FromJsonError> {
+        for slot in e.slots() {
+            if (slot.id.is_principal() && !has_principal_slot)
+                || (slot.id.is_resource() && !has_resource_slot)
+            {
+                return Err(FromJsonError::SlotsNotInScopeInConditionClause(
+                    parse_errors::SlotsNotInScopeInConditionClause {
+                        slot,
+                        clause_type: if is_when { "when" } else { "unless" },
+                    },
+                ));
             }
-            .into())
-        } else {
-            Ok(e)
         }
+        Ok(e)
     }
+
     /// `id` is the ID of the policy the clause belongs to, used only for reporting errors
-    fn try_into_ast(self, id: &ast::PolicyID) -> Result<ast::Expr, FromJsonError> {
+    /// has_principal_slot/has_resource_slot tells us whether there is a principal/resource slot in the scope
+    /// so we know when a slot is allowed to appear in the condition
+    /// an error is thrown otherwise if there is a slot not in the scope but in the condition
+    fn try_into_ast(
+        self,
+        has_principal_slot: bool,
+        has_resource_slot: bool,
+        id: &ast::PolicyID,
+    ) -> Result<ast::Expr, FromJsonError> {
         match self {
-            Clause::When(expr) => Self::filter_slots(expr.try_into_ast(id)?, true),
-            Clause::Unless(expr) => {
-                Self::filter_slots(ast::Expr::not(expr.try_into_ast(id)?), false)
-            }
+            Clause::When(expr) => Self::filter_slots(
+                expr.try_into_ast(id)?,
+                has_principal_slot,
+                has_resource_slot,
+                true,
+            ),
+            Clause::Unless(expr) => Self::filter_slots(
+                ast::Expr::not(expr.try_into_ast(id)?),
+                has_principal_slot,
+                has_resource_slot,
+                false,
+            ),
         }
     }
 }
@@ -3320,6 +3353,88 @@ mod test {
         );
     }
 
+    #[test]
+    fn link_with_slots_in_condition() {
+        let template = r#"
+            permit(
+                principal == ?principal,
+                action == Action::"view",
+                resource in ?resource
+            ) when {
+                ?principal in resource.owners
+            };
+        "#;
+        let cst = parser::text_to_cst::parse_policy(template)
+            .unwrap()
+            .node
+            .unwrap();
+        let est: Policy = cst.try_into().unwrap();
+
+        let linked_est = est
+            .link(&HashMap::from_iter([
+                (
+                    ast::SlotId::principal(),
+                    EntityUidJson::new("XYZCorp::User", "12UA45"),
+                ),
+                (ast::SlotId::resource(), EntityUidJson::new("Folder", "abc")),
+            ]))
+            .expect("did fill all the slots");
+
+        let old_est = linked_est.clone();
+        let roundtripped = est_roundtrip(linked_est.clone());
+        assert_eq!(&old_est, &roundtripped);
+        let est = text_roundtrip(&old_est);
+        assert_eq!(&old_est, &est);
+
+        let expected_json = json!(
+            {
+                "effect": "permit",
+                "principal": {
+                    "op": "==",
+                    "entity": { "type": "XYZCorp::User", "id": "12UA45" },
+                },
+                "action": {
+                    "op": "==",
+                    "entity": { "type": "Action", "id": "view" },
+                },
+                "resource": {
+                    "op": "in",
+                    "entity": { "type": "Folder", "id": "abc" },
+                },
+                "conditions": [
+                    {
+                        "kind": "when",
+                        "body": {
+                            "in": {
+                                "left": {
+                                    "Value": {
+                                        "__entity": { "type": "XYZCorp::User", "id": "12UA45" }
+                                    }
+                                },
+                                "right": {
+                                    ".": {
+                                        "left": {
+                                            "Var": "resource"
+                                        },
+                                        "attr": "owners"
+                                    }
+                                }
+                            }
+                        }
+                    }
+                ],
+            }
+        );
+        let linked_json = serde_json::to_value(linked_est).unwrap();
+        assert_eq!(
+            linked_json,
+            expected_json,
+            "\nExpected:\n{}\n\nActual:\n{}\n\n",
+            serde_json::to_string_pretty(&expected_json).unwrap(),
+            serde_json::to_string_pretty(&linked_json).unwrap(),
+        );
+    }
+
     #[test]
     fn eid_with_nulls() {
         let policy = r#"
@@ -3575,6 +3690,39 @@ mod test {
                 );
             }
         );
+
+        let template = json!({
+            "effect": "permit",
+            "principal": { "op": "All" },
+            "action": { "op": "All" },
+            "resource": { "op": "All" },
+            "conditions": [
+                {
+                    "kind": "when",
+                    "body": {
+                        "==": {
+                            "left": { "Var": "principal" },
+                            "right": { "Slot": "?principal" }
+                        }
+                    }
+                }
+            ]
+        });
+
+        let est: Policy = serde_json::from_value(template).unwrap();
+        let ast: Result<ast::Policy, _> = est.try_into_ast_policy(None);
+        assert_matches!(
+            ast,
+            Err(e) => {
+                expect_err(
+                    "",
+                    &miette::Report::new(e),
+                    &ExpectedErrorMessageBuilder::error("found template slot ?principal in a `when` clause")
+                    .help("?principal needs to appear in the scope to appear in the condition of the template")
+                    .build(),
+                );
+            }
+        )
     }
 
     #[test]
@@ -4689,6 +4837,46 @@ mod test {
         let est: Policy = cst.try_into().unwrap();
         assert!(!est.is_template(), "Static policy marked as template");
     }
+
+    #[test]
+    fn template_condition_has_slot() {
+        let template: &'static str = r#"
+            permit(
+                principal == ?principal,
+                action == Action::"view",
+                resource
+            ) when {
+                ?principal in resource.owners && ?principal has owners
+            };
+        "#;
+        let cst = parser::text_to_cst::parse_policy(template)
+            .unwrap()
+            .node
+            .unwrap();
+        let est: Policy = cst.try_into().unwrap();
+        let has_slot = est.conditions.iter().any(|c| c.has_slot());
+        assert!(has_slot, "Policy condition not marked as having a slot");
+
+        let template: &'static str = r#"
+            permit(
+                principal == ?principal,
+                action == Action::"view",
+                resource
+            ) when {
+                principal == resource.owners
+            };
+        "#;
+        let cst = parser::text_to_cst::parse_policy(template)
+            .unwrap()
+            .node
+            .unwrap();
+        let est: Policy = cst.try_into().unwrap();
+        let has_slot = est.conditions.iter().any(|c| c.has_slot());
+        assert!(
+            !has_slot,
+            "Policy condition marked as having a slot when it does not have a slot"
+        )
+    }
 }
 
 #[cfg(test)]
diff --git a/cedar-policy-core/src/est/err.rs b/cedar-policy-core/src/est/err.rs
index 2a6af4ff87..7562c1551f 100644
--- a/cedar-policy-core/src/est/err.rs
+++ b/cedar-policy-core/src/est/err.rs
@@ -15,7 +15,7 @@
  */
 
 use crate::ast;
-use crate::entities::json::err::JsonDeserializationError;
+use crate::entities::json::err::{JsonDeserializationError, JsonSerializationError};
 use crate::parser::err::{parse_errors, ParseErrors};
 use crate::parser::unescape;
 use miette::Diagnostic;
@@ -53,7 +53,7 @@ pub enum FromJsonError {
     /// EST contained a template slot in policy condition
     #[error(transparent)]
     #[diagnostic(transparent)]
-    SlotsInConditionClause(#[from] parse_errors::SlotsInConditionClause),
+    SlotsNotInScopeInConditionClause(#[from] parse_errors::SlotsNotInScopeInConditionClause),
     /// EST contained the empty JSON object `{}` where a key (operator) was expected
     #[error("missing operator, found empty object")]
     MissingOperator,
@@ -104,7 +104,7 @@ pub enum PolicySetFromJsonError {
 }
 
 /// Errors while linking a policy
-#[derive(Debug, PartialEq, Eq, Diagnostic, Error)]
+#[derive(Debug, Diagnostic, Error)]
 pub enum LinkingError {
     /// Template contains this slot, but a value wasn't provided for it
     #[error("failed to link template: no value provided for `{slot}`")]
@@ -112,6 +112,16 @@ pub enum LinkingError {
         /// Slot which didn't have a value provided for it
         slot: ast::SlotId,
     },
+
+    /// Encounter JSON Serialization error when linking
+    #[error(transparent)]
+    #[diagnostic(transparent)]
+    UnableToSerializeJSONValueProvided(#[from] JsonSerializationError),
+
+    /// Encountered JSON deserialization error when linking
+    #[error(transparent)]
+    #[diagnostic(transparent)]
+    InvalidJSON(#[from] JsonDeserializationError),
 }
 
 impl From<ast::UnexpectedSlotError> for FromJsonError {
diff --git a/cedar-policy-core/src/est/expr.rs b/cedar-policy-core/src/est/expr.rs
index 9dc89c3c30..848f9e42a9 100644
--- a/cedar-policy-core/src/est/expr.rs
+++ b/cedar-policy-core/src/est/expr.rs
@@ -22,8 +22,9 @@ use crate::ast::Infallible;
 use crate::ast::{self, BoundedDisplay, EntityUID};
 use crate::entities::json::{
     err::EscapeKind, err::JsonDeserializationError, err::JsonDeserializationErrorContext,
-    CedarValueJson, FnAndArgs,
+    CedarValueJson, EntityUidJson, FnAndArgs,
 };
+use crate::est::LinkingError;
 use crate::expr_builder::ExprBuilder;
 use crate::extensions::Extensions;
 use crate::jsonvalue::JsonValueWithNoDuplicateKeys;
@@ -877,6 +878,174 @@ impl Expr {
             }
         }
     }
+
+    /// Instantiate all the slots in an expression with their values
+    pub fn link(self, vals: &HashMap<ast::SlotId, EntityUidJson>) -> Result<Self, LinkingError> {
+        match self {
+            Expr::ExprNoExt(e) => match e {
+                v @ ExprNoExt::Value(_) => Ok(Expr::ExprNoExt(v)),
+                v @ ExprNoExt::Var(_) => Ok(Expr::ExprNoExt(v)),
+                ExprNoExt::Slot(slot) => match vals.get(&slot) {
+                    Some(e) => {
+                        let literal = CedarValueJson::from_lit(
+                            e.clone()
+                                .into_euid(|| JsonDeserializationErrorContext::Unknown)?
+                                .into(),
+                        );
+                        Ok(Expr::ExprNoExt(ExprNoExt::Value(literal)))
+                    }
+                    None => Err(LinkingError::MissedSlot { slot }),
+                },
+                ExprNoExt::Not { arg } => Ok(Expr::ExprNoExt(ExprNoExt::Not {
+                    arg: Arc::new(Arc::unwrap_or_clone(arg).link(vals)?),
+                })),
+                ExprNoExt::Neg { arg } => Ok(Expr::ExprNoExt(ExprNoExt::Neg {
+                    arg: Arc::new(Arc::unwrap_or_clone(arg).link(vals)?),
+                })),
+                ExprNoExt::Eq { left, right } => Ok(Expr::ExprNoExt(ExprNoExt::Eq {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                })),
+                ExprNoExt::NotEq { left, right } => Ok(Expr::ExprNoExt(ExprNoExt::NotEq {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                })),
+                ExprNoExt::In { left, right } => Ok(Expr::ExprNoExt(ExprNoExt::In {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                })),
+                ExprNoExt::Less { left, right } => Ok(Expr::ExprNoExt(ExprNoExt::Less {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                })),
+                ExprNoExt::LessEq { left, right } => Ok(Expr::ExprNoExt(ExprNoExt::LessEq {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                })),
+                ExprNoExt::Greater { left, right } => Ok(Expr::ExprNoExt(ExprNoExt::Greater {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                })),
+                ExprNoExt::GreaterEq { left, right } => Ok(Expr::ExprNoExt(ExprNoExt::GreaterEq {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                })),
+                ExprNoExt::And { left, right } => Ok(Expr::ExprNoExt(ExprNoExt::And {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                })),
+                ExprNoExt::Or { left, right } => Ok(Expr::ExprNoExt(ExprNoExt::Or {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                })),
+                ExprNoExt::Add { left, right } => Ok(Expr::ExprNoExt(ExprNoExt::Add {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                })),
+                ExprNoExt::Sub { left, right } => Ok(Expr::ExprNoExt(ExprNoExt::Sub {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                })),
+                ExprNoExt::Mul { left, right } => Ok(Expr::ExprNoExt(ExprNoExt::Mul {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                })),
+                ExprNoExt::Contains { left, right } => Ok(Expr::ExprNoExt(ExprNoExt::Contains {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                })),
+                ExprNoExt::ContainsAll { left, right } => {
+                    Ok(Expr::ExprNoExt(ExprNoExt::ContainsAll {
+                        left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                        right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                    }))
+                }
+                ExprNoExt::ContainsAny { left, right } => {
+                    Ok(Expr::ExprNoExt(ExprNoExt::ContainsAny {
+                        left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                        right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                    }))
+                }
+                ExprNoExt::IsEmpty { arg } => Ok(Expr::ExprNoExt(ExprNoExt::IsEmpty {
+                    arg: Arc::new(Arc::unwrap_or_clone(arg).link(vals)?),
+                })),
+                ExprNoExt::GetTag { left, right } => Ok(Expr::ExprNoExt(ExprNoExt::GetTag {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                })),
+                ExprNoExt::HasTag { left, right } => Ok(Expr::ExprNoExt(ExprNoExt::HasTag {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    right: Arc::new(Arc::unwrap_or_clone(right).link(vals)?),
+                })),
+                ExprNoExt::GetAttr { left, attr } => Ok(Expr::ExprNoExt(ExprNoExt::GetAttr {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    attr,
+                })),
+                ExprNoExt::HasAttr { left, attr } => Ok(Expr::ExprNoExt(ExprNoExt::HasAttr {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    attr,
+                })),
+                ExprNoExt::Like { left, pattern } => Ok(Expr::ExprNoExt(ExprNoExt::Like {
+                    left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                    pattern,
+                })),
+                ExprNoExt::Is {
+                    left,
+                    entity_type,
+                    in_expr,
+                } => match in_expr {
+                    Some(in_expr) => Ok(Expr::ExprNoExt(ExprNoExt::Is {
+                        left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                        entity_type,
+                        in_expr: Some(Arc::new(Arc::unwrap_or_clone(in_expr).link(vals)?)),
+                    })),
+                    None => Ok(Expr::ExprNoExt(ExprNoExt::Is {
+                        left: Arc::new(Arc::unwrap_or_clone(left).link(vals)?),
+                        entity_type,
+                        in_expr: None,
+                    })),
+                },
+                ExprNoExt::If {
+                    cond_expr,
+                    then_expr,
+                    else_expr,
+                } => Ok(Expr::ExprNoExt(ExprNoExt::If {
+                    cond_expr: Arc::new(Arc::unwrap_or_clone(cond_expr).link(vals)?),
+                    then_expr: Arc::new(Arc::unwrap_or_clone(then_expr).link(vals)?),
+                    else_expr: Arc::new(Arc::unwrap_or_clone(else_expr).link(vals)?),
+                })),
+                ExprNoExt::Set(v) => {
+                    let mut new_v = vec![];
+                    for e in v {
+                        new_v.push(e.link(vals)?);
+                    }
+                    Ok(Expr::ExprNoExt(ExprNoExt::Set(new_v)))
+                }
+                ExprNoExt::Record(m) => {
+                    let mut new_m = BTreeMap::new();
+                    for (k, v) in m {
+                        new_m.insert(k, v.link(vals)?);
+                    }
+                    Ok(Expr::ExprNoExt(ExprNoExt::Record(new_m)))
+                }
+                #[cfg(feature = "tolerant-ast")]
+                ExprNoExt::Error(_) => Err(LinkingError::InvalidJSON(
+                    JsonDeserializationError::ASTErrorNode,
+                )),
+            },
+            Expr::ExtFuncCall(e_fn_call) => {
+                let mut new_m = HashMap::new();
+                for (k, v) in e_fn_call.call {
+                    let mut new_v = vec![];
+                    for e in v {
+                        new_v.push(e.link(vals)?);
+                    }
+                    new_m.insert(k, new_v);
+                }
+                Ok(Expr::ExtFuncCall(ExtFuncCall { call: new_m }))
+            }
+        }
+    }
 }
 
 impl Expr {
@@ -1060,6 +1229,76 @@ impl Expr {
             Expr::ExprNoExt(ExprNoExt::Error(_)) => Err(FromJsonError::ASTErrorNode),
         }
     }
+
+    /// Returns true if expr has a slot
+    pub fn has_slot(&self) -> bool {
+        match self {
+            Expr::ExprNoExt(ExprNoExt::Value(..)) => false,
+            Expr::ExprNoExt(ExprNoExt::Var(..)) => false,
+            Expr::ExprNoExt(ExprNoExt::Slot(..)) => true,
+            Expr::ExprNoExt(ExprNoExt::Not { arg }) => arg.has_slot(),
+            Expr::ExprNoExt(ExprNoExt::Neg { arg }) => arg.has_slot(),
+            Expr::ExprNoExt(ExprNoExt::Eq { left, right }) => left.has_slot() || right.has_slot(),
+            Expr::ExprNoExt(ExprNoExt::NotEq { left, right }) => {
+                left.has_slot() || right.has_slot()
+            }
+            Expr::ExprNoExt(ExprNoExt::In { left, right }) => left.has_slot() || right.has_slot(),
+            Expr::ExprNoExt(ExprNoExt::Less { left, right }) => left.has_slot() || right.has_slot(),
+            Expr::ExprNoExt(ExprNoExt::LessEq { left, right }) => {
+                left.has_slot() || right.has_slot()
+            }
+            Expr::ExprNoExt(ExprNoExt::Greater { left, right }) => {
+                left.has_slot() || right.has_slot()
+            }
+            Expr::ExprNoExt(ExprNoExt::GreaterEq { left, right }) => {
+                left.has_slot() || right.has_slot()
+            }
+            Expr::ExprNoExt(ExprNoExt::And { left, right }) => left.has_slot() || right.has_slot(),
+            Expr::ExprNoExt(ExprNoExt::Or { left, right }) => left.has_slot() || right.has_slot(),
+            Expr::ExprNoExt(ExprNoExt::Add { left, right }) => left.has_slot() || right.has_slot(),
+            Expr::ExprNoExt(ExprNoExt::Sub { left, right }) => left.has_slot() || right.has_slot(),
+            Expr::ExprNoExt(ExprNoExt::Mul { left, right }) => left.has_slot() || right.has_slot(),
+            Expr::ExprNoExt(ExprNoExt::Contains { left, right }) => {
+                left.has_slot() || right.has_slot()
+            }
+            Expr::ExprNoExt(ExprNoExt::ContainsAll { left, right }) => {
+                left.has_slot() || right.has_slot()
+            }
+            Expr::ExprNoExt(ExprNoExt::ContainsAny { left, right }) => {
+                left.has_slot() || right.has_slot()
+            }
+            Expr::ExprNoExt(ExprNoExt::IsEmpty { arg }) => arg.has_slot(),
+            Expr::ExprNoExt(ExprNoExt::GetTag { left, right }) => {
+                left.has_slot() || right.has_slot()
+            }
+            Expr::ExprNoExt(ExprNoExt::HasTag { left, right }) => {
+                left.has_slot() || right.has_slot()
+            }
+            Expr::ExprNoExt(ExprNoExt::GetAttr { left, .. }) => left.has_slot(),
+            Expr::ExprNoExt(ExprNoExt::HasAttr { left, .. }) => left.has_slot(),
+            Expr::ExprNoExt(ExprNoExt::Like { left, .. }) => left.has_slot(),
+            Expr::ExprNoExt(ExprNoExt::Is { left, in_expr, .. }) => match in_expr {
+                Some(right) => left.has_slot() || right.has_slot(),
+                None => left.has_slot(),
+            },
+            Expr::ExprNoExt(ExprNoExt::If {
+                cond_expr,
+                then_expr,
+                else_expr,
+            }) => cond_expr.has_slot() || then_expr.has_slot() || else_expr.has_slot(),
+            Expr::ExprNoExt(ExprNoExt::Set(elements)) => {
+                elements.iter().any(|expr| expr.has_slot())
+            }
+            Expr::ExprNoExt(ExprNoExt::Record(map)) => map
+                .iter()
+                .fold(false, |init, (_, expr)| init || expr.has_slot()),
+            Expr::ExtFuncCall(ExtFuncCall { call }) => call.iter().fold(false, |init, (_, v)| {
+                init || (v.iter().any(|expr| expr.has_slot()))
+            }),
+            #[cfg(feature = "tolerant-ast")]
+            Expr::ExprNoExt(ExprNoExt::Error(_)) => false,
+        }
+    }
 }
 
 impl From<ast::Literal> for Expr {
diff --git a/cedar-policy-core/src/est/policy_set.rs b/cedar-policy-core/src/est/policy_set.rs
index 899cd1a719..b84aaa510a 100644
--- a/cedar-policy-core/src/est/policy_set.rs
+++ b/cedar-policy-core/src/est/policy_set.rs
@@ -56,8 +56,11 @@ impl PolicySet {
             .filter_map(|link| {
                 if &link.new_id == id {
                     self.get_template(&link.template_id).and_then(|template| {
-                        let unwrapped_est_vals: HashMap<SlotId, EntityUidJson> =
-                            link.values.iter().map(|(k, v)| (*k, v.into())).collect();
+                        let unwrapped_est_vals: HashMap<SlotId, EntityUidJson> = link
+                            .values
+                            .iter()
+                            .map(|(k, v)| (k.clone(), v.into()))
+                            .collect();
                         template.link(&unwrapped_est_vals).ok()
                     })
                 } else {
@@ -124,7 +127,7 @@ impl TryFrom<PolicySet> for ast::PolicySet {
             values,
         } in value.template_links
         {
-            ast_pset.link(template_id, new_id, values)?;
+            ast_pset.link(template_id, new_id, values, HashMap::new(), None)?; // Chore: We will include this when we include the EST functionality
         }
 
         Ok(ast_pset)
diff --git a/cedar-policy-core/src/evaluator.rs b/cedar-policy-core/src/evaluator.rs
index 4f479be1c3..a3ac977f09 100644
--- a/cedar-policy-core/src/evaluator.rs
+++ b/cedar-policy-core/src/evaluator.rs
@@ -453,7 +453,9 @@ impl<'e> Evaluator<'e> {
             ExprKind::Lit(lit) => Ok(lit.clone().into()),
             ExprKind::Slot(id) => slots
                 .get(id)
-                .ok_or_else(|| err::EvaluationError::unlinked_slot(*id, loc.into_maybe_loc()))
+                .ok_or_else(|| {
+                    err::EvaluationError::unlinked_slot(id.clone(), loc.into_maybe_loc())
+                })
                 .map(|euid| PartialValue::from(euid.clone())),
             ExprKind::Var(v) => match v {
                 Var::Principal => Ok(self.principal.evaluate(*v)),
@@ -4903,10 +4905,13 @@ pub(crate) mod test {
             .expect("Template already present in PolicySet");
         let mut values = HashMap::new();
         values.insert(SlotId::principal(), EntityUID::with_eid("p"));
+        let generalized_env = HashMap::new();
         pset.link(
             PolicyID::from_string("template"),
             PolicyID::from_string("instance"),
             values,
+            generalized_env,
+            None,
         )
         .expect("Linking failed!");
         let q = Request::new(
diff --git a/cedar-policy-core/src/parser.rs b/cedar-policy-core/src/parser.rs
index 9a660057b6..e22d59382d 100644
--- a/cedar-policy-core/src/parser.rs
+++ b/cedar-policy-core/src/parser.rs
@@ -813,11 +813,12 @@ mod tests {
                 resource == ?resource
             };
             "#;
-        let slot_in_when_clause =
-            ExpectedErrorMessageBuilder::error("found template slot ?resource in a `when` clause")
-                .help("slots are currently unsupported in `when` clauses")
-                .exactly_one_underline("?resource")
-                .build();
+        let slot_in_when_clause = ExpectedErrorMessageBuilder::error(
+            "found template slot ?resource in a `when` clause",
+        )
+        .help("?resource needs to appear in the scope to appear in the condition of the template")
+        .exactly_one_underline("?resource")
+        .build();
         let unexpected_template = ExpectedErrorMessageBuilder::error(
             "expected a static policy, got a template containing the slot ?resource",
         )
@@ -852,11 +853,12 @@ mod tests {
                 resource == ?principal
             };
             "#;
-        let slot_in_when_clause =
-            ExpectedErrorMessageBuilder::error("found template slot ?principal in a `when` clause")
-                .help("slots are currently unsupported in `when` clauses")
-                .exactly_one_underline("?principal")
-                .build();
+        let slot_in_when_clause = ExpectedErrorMessageBuilder::error(
+            "found template slot ?principal in a `when` clause",
+        )
+        .help("?principal needs to appear in the scope to appear in the condition of the template")
+        .exactly_one_underline("?principal")
+        .build();
         let unexpected_template = ExpectedErrorMessageBuilder::error(
             "expected a static policy, got a template containing the slot ?principal",
         )
@@ -922,7 +924,7 @@ mod tests {
         let slot_in_unless_clause = ExpectedErrorMessageBuilder::error(
             "found template slot ?resource in a `unless` clause",
         )
-        .help("slots are currently unsupported in `unless` clauses")
+        .help("?resource needs to appear in the scope to appear in the condition of the template")
         .exactly_one_underline("?resource")
         .build();
         let unexpected_template = ExpectedErrorMessageBuilder::error(
@@ -962,7 +964,7 @@ mod tests {
         let slot_in_unless_clause = ExpectedErrorMessageBuilder::error(
             "found template slot ?principal in a `unless` clause",
         )
-        .help("slots are currently unsupported in `unless` clauses")
+        .help("?principal needs to appear in the scope to appear in the condition of the template")
         .exactly_one_underline("?principal")
         .build();
         let unexpected_template = ExpectedErrorMessageBuilder::error(
@@ -1029,15 +1031,16 @@ mod tests {
                 resource == ?resource
             };
             "#;
-        let slot_in_when_clause =
-            ExpectedErrorMessageBuilder::error("found template slot ?resource in a `when` clause")
-                .help("slots are currently unsupported in `when` clauses")
-                .exactly_one_underline("?resource")
-                .build();
+        let slot_in_when_clause = ExpectedErrorMessageBuilder::error(
+            "found template slot ?resource in a `when` clause",
+        )
+        .help("?resource needs to appear in the scope to appear in the condition of the template")
+        .exactly_one_underline("?resource")
+        .build();
         let slot_in_unless_clause = ExpectedErrorMessageBuilder::error(
             "found template slot ?resource in a `unless` clause",
         )
-        .help("slots are currently unsupported in `unless` clauses")
+        .help("?resource needs to appear in the scope to appear in the condition of the template")
         .exactly_one_underline("?resource")
         .build();
         let unexpected_template = ExpectedErrorMessageBuilder::error(
diff --git a/cedar-policy-core/src/parser/cst_to_ast.rs b/cedar-policy-core/src/parser/cst_to_ast.rs
index dfb27b6edb..ed0ddfc245 100644
--- a/cedar-policy-core/src/parser/cst_to_ast.rs
+++ b/cedar-policy-core/src/parser/cst_to_ast.rs
@@ -41,8 +41,9 @@ use super::{cst, AsLocRef, IntoMaybeLoc, Loc, MaybeLoc};
 #[cfg(feature = "tolerant-ast")]
 use crate::ast::expr_allows_errors::ExprWithErrsBuilder;
 use crate::ast::{
-    self, ActionConstraint, CallStyle, Integer, PatternElem, PolicySetError, PrincipalConstraint,
-    PrincipalOrResourceConstraint, ResourceConstraint, UnreservedId,
+    self, ActionConstraint, CallStyle, GeneralizedSlotsDeclaration, Integer, PatternElem,
+    PolicySetError, PrincipalConstraint, PrincipalOrResourceConstraint, ResourceConstraint,
+    UnreservedId,
 };
 use crate::expr_builder::ExprBuilder;
 use crate::fuzzy_match::fuzzy_search_limited;
@@ -270,16 +271,18 @@ impl Node<Option<cst::Policy>> {
             )
             .into()),
             // The source failed to parse completely. If the parse errors include
-            // `SlotsInConditionClause` also add an `ExpectedStaticPolicy` error.
+            // `SlotsNotInScopeInConditionClause` also add an `ExpectedStaticPolicy` error.
             Err(mut errs) => {
                 let new_errs = errs
                     .iter()
                     .filter_map(|err| match err {
                         ParseError::ToAST(err) => match err.kind() {
-                            ToASTErrorKind::SlotsInConditionClause(inner) => Some(ToASTError::new(
-                                ToASTErrorKind::expected_static_policy(inner.slot.clone()),
-                                err.source_loc().into_maybe_loc(),
-                            )),
+                            ToASTErrorKind::SlotsNotInScopeInConditionClause(inner) => {
+                                Some(ToASTError::new(
+                                    ToASTErrorKind::expected_static_policy(inner.slot.clone()),
+                                    err.source_loc().into_maybe_loc(),
+                                ))
+                            }
                             _ => None,
                         },
                         _ => None,
@@ -320,24 +323,38 @@ impl Node<Option<cst::Policy>> {
         let maybe_scope = policy.extract_scope();
 
         // convert conditions
-        let maybe_conds = ParseErrors::transpose(policy.conds.iter().map(|c| {
-            let (e, is_when) = c.to_expr::<ast::ExprBuilder<()>>()?;
+        let maybe_conds = match policy.extract_scope() {
+            Ok((p, _, r)) => {
+                let slots_in_scope: HashSet<ast::Slot> =
+                    HashSet::from_iter(vec![p.get_slot(), r.get_slot()].into_iter().flatten());
+
+                ParseErrors::transpose(policy.conds.iter().map(|c| {
+                    let (e, is_when) = c.to_expr::<ast::ExprBuilder<()>>()?;
+                    let slot_errs =
+                        e.slots()
+                            .filter(|slot| !slots_in_scope.contains(slot))
+                            .map(|slot| {
+                                ToASTError::new(
+                                    ToASTErrorKind::slots_not_in_scope_in_condition_clause(
+                                        slot.clone(),
+                                        if is_when { "when" } else { "unless" },
+                                    ),
+                                    slot.loc,
+                                )
+                                .into()
+                            });
 
-            let slot_errs = e.slots().map(|slot| {
-                ToASTError::new(
-                    ToASTErrorKind::slots_in_condition_clause(
-                        slot.clone(),
-                        if is_when { "when" } else { "unless" },
-                    ),
-                    slot.loc.or_else(|| c.loc.clone()),
-                )
-                .into()
-            });
-            match ParseErrors::from_iter(slot_errs) {
-                Some(errs) => Err(errs),
-                None => Ok(e),
+                    match ParseErrors::from_iter(slot_errs) {
+                        Some(errs) => Err(errs),
+                        None => Ok(e),
+                    }
+                }))
             }
-        }));
+            Err(_) => ParseErrors::transpose(policy.conds.iter().map(|c| {
+                let (e, _) = c.to_expr::<ast::ExprBuilder<()>>()?;
+                Ok(e)
+            })),
+        };
 
         let (effect, annotations, (principal, action, resource), conds) =
             flatten_tuple_4(maybe_effect, maybe_annotations, maybe_scope, maybe_conds)?;
@@ -371,16 +388,18 @@ impl Node<Option<cst::Policy>> {
             )
             .into()),
             // The source failed to parse completely. If the parse errors include
-            // `SlotsInConditionClause` also add an `ExpectedStaticPolicy` error.
+            // `SlotsNotInScopeInConditionClause` also add an `ExpectedStaticPolicy` error.
             Err(mut errs) => {
                 let new_errs = errs
                     .iter()
                     .filter_map(|err| match err {
                         ParseError::ToAST(err) => match err.kind() {
-                            ToASTErrorKind::SlotsInConditionClause(inner) => Some(ToASTError::new(
-                                ToASTErrorKind::expected_static_policy(inner.slot.clone()),
-                                err.source_loc().into_maybe_loc(),
-                            )),
+                            ToASTErrorKind::SlotsNotInScopeInConditionClause(inner) => {
+                                Some(ToASTError::new(
+                                    ToASTErrorKind::expected_static_policy(inner.slot.clone()),
+                                    err.source_loc().into_maybe_loc(),
+                                ))
+                            }
                             _ => None,
                         },
                         _ => None,
@@ -418,23 +437,37 @@ impl Node<Option<cst::Policy>> {
         let maybe_scope = policy.extract_scope_tolerant_ast();
 
         // convert conditions
-        let maybe_conds = ParseErrors::transpose(policy.conds.iter().map(|c| {
-            let (e, is_when) = c.to_expr::<ExprWithErrsBuilder<()>>()?;
-            let slot_errs = e.slots().map(|slot| {
-                ToASTError::new(
-                    ToASTErrorKind::slots_in_condition_clause(
-                        slot.clone(),
-                        if is_when { "when" } else { "unless" },
-                    ),
-                    slot.loc.or_else(|| c.loc.clone()),
-                )
-                .into()
-            });
-            match ParseErrors::from_iter(slot_errs) {
-                Some(errs) => Err(errs),
-                None => Ok(e),
+        let maybe_conds = match policy.extract_scope_tolerant_ast() {
+            Ok((p, _, r)) => {
+                let slots_in_scope: HashSet<ast::Slot> =
+                    HashSet::from_iter(p.as_expr().slots().chain(r.as_expr().slots()));
+                ParseErrors::transpose(policy.conds.iter().map(|c| {
+                    let (e, is_when) = c.to_expr::<ExprWithErrsBuilder<()>>()?;
+                    let slot_errs =
+                        e.slots()
+                            .filter(|slot| !slots_in_scope.contains(slot))
+                            .map(|slot| {
+                                ToASTError::new(
+                                    ToASTErrorKind::slots_not_in_scope_in_condition_clause(
+                                        slot.clone(),
+                                        if is_when { "when" } else { "unless" },
+                                    ),
+                                    slot.loc,
+                                )
+                                .into()
+                            });
+
+                    match ParseErrors::from_iter(slot_errs) {
+                        Some(errs) => Err(errs),
+                        None => Ok(e),
+                    }
+                }))
             }
-        }));
+            Err(_) => ParseErrors::transpose(policy.conds.iter().map(|c| {
+                let (e, _) = c.to_expr::<ExprWithErrsBuilder<()>>()?;
+                Ok(e)
+            })),
+        };
 
         let (effect, annotations, (principal, action, resource), conds) =
             flatten_tuple_4(maybe_effect, maybe_annotations, maybe_scope, maybe_conds)?;
@@ -2128,6 +2161,7 @@ impl From<ast::SlotId> for cst::Slot {
         match slot {
             ast::SlotId(ast::ValidSlotId::Principal) => cst::Slot::Principal,
             ast::SlotId(ast::ValidSlotId::Resource) => cst::Slot::Resource,
+            ast::SlotId(ast::ValidSlotId::GeneralizedSlot(id)) => cst::Slot::Other(id.to_smolstr()),
         }
     }
 }
@@ -2347,6 +2381,7 @@ fn construct_template_policy(
             id,
             loc.into_maybe_loc(),
             annotations,
+            GeneralizedSlotsDeclaration::new(), // Chore: This will be changed when we edit the parser
             effect,
             principal,
             action,
@@ -4805,6 +4840,94 @@ mod tests {
         }
     }
 
+    #[test]
+    fn template_slot_in_condition() {
+        let src = r#"permit(principal == ?principal, action == Action::"action", resource in ?resource) when {?principal.name == true && ?resource.valid == 5};"#;
+        text_to_cst::parse_policy(src)
+            .expect("parse_error")
+            .to_template(ast::PolicyID::from_string("i0"))
+            .unwrap_or_else(|errs| {
+                panic!(
+                    "Failed to create a policy template: {:?}",
+                    miette::Report::new(errs)
+                );
+            });
+    }
+
+    #[test]
+    fn template_slot_not_in_scope_in_condition_1() {
+        let src =
+            r#"permit(principal, action == Action::"action", resource) when {?principal.valid};"#;
+        let errs = text_to_cst::parse_policy(src)
+            .expect("parse_error")
+            .to_template(ast::PolicyID::from_string("i0"))
+            .unwrap_err();
+
+        expect_n_errors(src, &errs, 1);
+        expect_some_error_matches(
+            src,
+            &errs,
+            &ExpectedErrorMessageBuilder::error("found template slot ?principal in a `when` clause")
+                .help("?principal needs to appear in the scope to appear in the condition of the template")
+                .exactly_one_underline("?principal")
+                .build(),
+        );
+    }
+
+    #[test]
+    fn template_slot_not_in_scope_in_condition_2() {
+        let src = r#"forbid(principal, action == Action::"action", resource) unless {?resource.storage == 5};"#;
+        let errs = text_to_cst::parse_policy(src)
+            .expect("parse_error")
+            .to_template(ast::PolicyID::from_string("i0"))
+            .unwrap_err();
+
+        expect_n_errors(src, &errs, 1);
+        expect_some_error_matches(
+            src,
+            &errs,
+            &ExpectedErrorMessageBuilder::error(
+                "found template slot ?resource in a `unless` clause",
+            )
+            .help(
+                "?resource needs to appear in the scope to appear in the condition of the template",
+            )
+            .exactly_one_underline("?resource")
+            .build(),
+        );
+    }
+
+    #[test]
+    fn template_slot_not_in_scope_in_condition_3() {
+        let src = r#"permit(principal, action == Action::"action", resource) unless {?principal.valid && ?resource.storage == 5};"#;
+        let errs = text_to_cst::parse_policy(src)
+            .expect("parse_error")
+            .to_template(ast::PolicyID::from_string("i0"))
+            .unwrap_err();
+
+        expect_n_errors(src, &errs, 2);
+        expect_some_error_matches(
+            src,
+            &errs,
+            &ExpectedErrorMessageBuilder::error("found template slot ?principal in a `unless` clause")
+                .help("?principal needs to appear in the scope to appear in the condition of the template")
+                .exactly_one_underline("?principal")
+                .build(),
+        );
+        expect_some_error_matches(
+            src,
+            &errs,
+            &ExpectedErrorMessageBuilder::error(
+                "found template slot ?resource in a `unless` clause",
+            )
+            .help(
+                "?resource needs to appear in the scope to appear in the condition of the template",
+            )
+            .exactly_one_underline("?resource")
+            .build(),
+        );
+    }
+
     #[test]
     fn missing_scope_constraint() {
         let p_src = "permit();";
diff --git a/cedar-policy-core/src/parser/err.rs b/cedar-policy-core/src/parser/err.rs
index 00dd3a9a69..619e6f829e 100644
--- a/cedar-policy-core/src/parser/err.rs
+++ b/cedar-policy-core/src/parser/err.rs
@@ -152,7 +152,7 @@ pub enum ToASTErrorKind {
     /// This is not currently supported; see [RFC 3](https://github.com/cedar-policy/rfcs/pull/3).
     #[error(transparent)]
     #[diagnostic(transparent)]
-    SlotsInConditionClause(#[from] parse_errors::SlotsInConditionClause),
+    SlotsNotInScopeInConditionClause(#[from] parse_errors::SlotsNotInScopeInConditionClause),
     /// Returned when a policy is missing one of the three required scope elements
     /// (`principal`, `action`, and `resource`)
     #[error("this policy is missing the `{0}` variable in the scope")]
@@ -455,9 +455,12 @@ impl ToASTErrorKind {
         }
     }
 
-    /// Constructor for the [`ToASTErrorKind::SlotsInConditionClause`] error
-    pub fn slots_in_condition_clause(slot: ast::Slot, clause_type: &'static str) -> Self {
-        parse_errors::SlotsInConditionClause { slot, clause_type }.into()
+    /// Constructor for the [`ToASTErrorKind::SlotsNotInScopeInConditionClause`] error
+    pub fn slots_not_in_scope_in_condition_clause(
+        slot: ast::Slot,
+        clause_type: &'static str,
+    ) -> Self {
+        parse_errors::SlotsNotInScopeInConditionClause { slot, clause_type }.into()
     }
 
     /// Constructor for the [`ToASTErrorKind::ExpectedStaticPolicy`] error
@@ -546,11 +549,11 @@ pub mod parse_errors {
         }
     }
 
-    /// Details about a `SlotsInConditionClause` error.
+    /// Details about a `SlotsNotInScopeInConditionClause` error.
     #[derive(Debug, Clone, Diagnostic, Error, PartialEq, Eq)]
     #[error("found template slot {} in a `{clause_type}` clause", slot.id)]
-    #[diagnostic(help("slots are currently unsupported in `{clause_type}` clauses"))]
-    pub struct SlotsInConditionClause {
+    #[diagnostic(help("{} needs to appear in the scope to appear in the condition of the template", slot.id))]
+    pub struct SlotsNotInScopeInConditionClause {
         /// Slot that was found in a when/unless clause
         pub(crate) slot: ast::Slot,
         /// Clause type, e.g. "when" or "unless"
diff --git a/cedar-policy-core/src/validator.rs b/cedar-policy-core/src/validator.rs
index c9cf9e1aa8..8ff6d5c078 100644
--- a/cedar-policy-core/src/validator.rs
+++ b/cedar-policy-core/src/validator.rs
@@ -212,7 +212,7 @@ impl Validator {
         // `Policy::resource_constraint()` return a copy of the constraint with
         // the slot filled by the appropriate value.
         Some(
-            self.validate_entity_types_in_slots(p.id(), p.env())
+            self.validate_entity_types_in_slots(p.id(), p.env(), p.generalized_env())
                 .chain(self.validate_linked_action_application(p)),
         )
     }
@@ -425,10 +425,14 @@ mod test {
                 None,
             ),
         );
+
+        let generalized_env = HashMap::new();
         set.link(
             ast::PolicyID::from_string("template"),
             ast::PolicyID::from_string("link1"),
             values,
+            generalized_env,
+            None,
         )
         .expect("Linking failed!");
         let result = validator.validate(&set, ValidationMode::default());
@@ -444,10 +448,14 @@ mod test {
                 None,
             ),
         );
+
+        let generalized_env = HashMap::new();
         set.link(
             ast::PolicyID::from_string("template"),
             ast::PolicyID::from_string("link2"),
             values,
+            generalized_env,
+            None,
         )
         .expect("Linking failed!");
         let result = validator.validate(&set, ValidationMode::default());
@@ -478,10 +486,14 @@ mod test {
                 None,
             ),
         );
+
+        let generalized_env = HashMap::new();
         set.link(
             ast::PolicyID::from_string("template"),
             ast::PolicyID::from_string("link3"),
             values,
+            generalized_env,
+            None,
         )
         .expect("Linking failed!");
         let result = validator.validate(&set, ValidationMode::default());
diff --git a/cedar-policy-core/src/validator/json_schema.rs b/cedar-policy-core/src/validator/json_schema.rs
index 5a2c34ab21..2a25e329dc 100644
--- a/cedar-policy-core/src/validator/json_schema.rs
+++ b/cedar-policy-core/src/validator/json_schema.rs
@@ -1207,7 +1207,7 @@ impl From<EntityUID> for ActionEntityUID<Name> {
 /// this [`Type`], including recursively.
 /// See notes on [`Fragment`].
 #[derive(Educe, Debug, Clone, Serialize)]
-#[educe(PartialEq(bound(N: PartialEq)), Eq, PartialOrd, Ord(bound(N: Ord)))]
+#[educe(PartialEq(bound(N: PartialEq)), Eq, PartialOrd, Ord(bound(N: Ord)), Hash(bound(N: Hash)))]
 // This enum is `untagged` with these variants as a workaround to a serde
 // limitation. It is not possible to have the known variants on one enum, and
 // then, have catch-all variant for any unrecognized tag in the same enum that
@@ -1773,7 +1773,7 @@ impl<N> From<TypeVariant<N>> for Type<N> {
 /// this [`RecordType`], including recursively.
 /// See notes on [`Fragment`].
 #[derive(Educe, Debug, Clone, Serialize, Deserialize)]
-#[educe(PartialEq, Eq, PartialOrd, Ord)]
+#[educe(PartialEq, Eq, PartialOrd, Ord, Hash(bound(N: Hash)))]
 #[serde(bound(deserialize = "N: Deserialize<'de> + From<RawName>"))]
 #[serde(rename_all = "camelCase")]
 #[cfg_attr(feature = "wasm", derive(tsify::Tsify))]
@@ -1850,7 +1850,7 @@ impl RecordType<ConditionalName> {
 /// this [`TypeVariant`], including recursively.
 /// See notes on [`Fragment`].
 #[derive(Educe, Debug, Clone, Serialize, Deserialize)]
-#[educe(PartialEq(bound(N: PartialEq)), Eq, PartialOrd, Ord(bound(N: Ord)))]
+#[educe(PartialEq(bound(N: PartialEq)), Eq, PartialOrd, Ord(bound(N: Ord)), Hash(bound(N: Hash)))]
 #[serde(tag = "type")]
 #[serde(bound(deserialize = "N: Deserialize<'de> + From<RawName>"))]
 #[cfg_attr(feature = "wasm", derive(tsify::Tsify))]
@@ -2130,7 +2130,7 @@ impl<'a> arbitrary::Arbitrary<'a> for Type<RawName> {
 /// unknown fields for [`TypeOfAttribute`] should be passed to [`Type`] where
 /// they will be denied (`<https://github.com/serde-rs/serde/issues/1600>`).
 #[derive(Educe, Debug, Clone, Serialize, Deserialize)]
-#[educe(PartialEq, Eq, PartialOrd, Ord)]
+#[educe(PartialEq, Eq, PartialOrd, Ord, Hash(bound(N: Hash)))]
 #[serde(bound(deserialize = "N: Deserialize<'de> + From<RawName>"))]
 pub struct TypeOfAttribute<N> {
     /// Underlying type of the attribute
diff --git a/cedar-policy-core/src/validator/rbac.rs b/cedar-policy-core/src/validator/rbac.rs
index 15e3405aed..0b41b3e686 100644
--- a/cedar-policy-core/src/validator/rbac.rs
+++ b/cedar-policy-core/src/validator/rbac.rs
@@ -18,8 +18,9 @@
 
 use crate::{
     ast::{
-        self, ActionConstraint, Eid, EntityReference, EntityUID, Policy, PolicyID,
-        PrincipalConstraint, PrincipalOrResourceConstraint, ResourceConstraint, SlotEnv, Template,
+        self, ActionConstraint, Eid, EntityReference, EntityUID, GeneralizedSlotEnv, Policy,
+        PolicyID, PrincipalConstraint, PrincipalOrResourceConstraint, ResourceConstraint, SlotEnv,
+        Template,
     },
     entities::conformance::is_valid_enumerated_entity,
     fuzzy_match::fuzzy_search,
@@ -128,6 +129,7 @@ impl Validator {
         &'a self,
         policy_id: &'a PolicyID,
         slots: &'a SlotEnv,
+        generalized_slots: &'a GeneralizedSlotEnv,
     ) -> impl Iterator<Item = ValidationError> + 'a {
         // All valid entity types in the schema. These will be used to generate
         // suggestion when an entity type is not found.
@@ -137,7 +139,13 @@ impl Validator {
             .map(ToString::to_string)
             .collect::<Vec<_>>();
 
-        slots.values().filter_map(move |euid| {
+        let entities = slots.values().chain(
+            generalized_slots
+                .iter()
+                .filter_map(|(_, restricted_expr)| restricted_expr.as_euid()),
+        );
+
+        entities.filter_map(move |euid| {
             let entity_type = euid.entity_type();
             if !self.schema.is_known_entity_type(entity_type) {
                 let actual_entity_type = entity_type.to_string();
@@ -532,6 +540,7 @@ mod test {
             PolicyID::from_string("policy0"),
             None,
             ast::Annotations::new(),
+            ast::GeneralizedSlotsDeclaration::new(),
             Effect::Permit,
             PrincipalConstraint::any(),
             ActionConstraint::any(),
@@ -625,6 +634,7 @@ mod test {
             PolicyID::from_string("policy0"),
             None,
             ast::Annotations::new(),
+            ast::GeneralizedSlotsDeclaration::new(),
             Effect::Permit,
             PrincipalConstraint::any(),
             ActionConstraint::is_eq(entity),
@@ -715,7 +725,7 @@ mod test {
 
         let validator = Validator::new(schema);
         let notes: Vec<ValidationError> = validator
-            .validate_entity_types_in_slots(&PolicyID::from_string("0"), &env)
+            .validate_entity_types_in_slots(&PolicyID::from_string("0"), &env, &HashMap::new())
             .collect();
 
         assert_eq!(1, notes.len());
@@ -862,6 +872,7 @@ mod test {
             PolicyID::from_string("policy0"),
             None,
             ast::Annotations::new(),
+            ast::GeneralizedSlotsDeclaration::new(),
             Effect::Permit,
             PrincipalConstraint::any(),
             ActionConstraint::is_eq(entity),
@@ -923,6 +934,7 @@ mod test {
             PolicyID::from_string("policy0"),
             None,
             ast::Annotations::new(),
+            ast::GeneralizedSlotsDeclaration::new(),
             Effect::Permit,
             PrincipalConstraint::is_eq(Arc::new(EntityUID::from_components(
                 entity_type,
@@ -1207,6 +1219,7 @@ mod test {
             PolicyID::from_string("policy0"),
             None,
             ast::Annotations::new(),
+            ast::GeneralizedSlotsDeclaration::new(),
             Effect::Permit,
             PrincipalConstraint::is_eq(Arc::new(principal)),
             ActionConstraint::is_eq(action),
@@ -1596,6 +1609,7 @@ mod test {
             PolicyID::from_string("policy0"),
             None,
             ast::Annotations::new(),
+            ast::GeneralizedSlotsDeclaration::new(),
             Effect::Permit,
             PrincipalConstraint::any(),
             ActionConstraint::is_in([action_grandparent_euid]),
diff --git a/cedar-policy-core/src/validator/schema.rs b/cedar-policy-core/src/validator/schema.rs
index a36f706f6f..981b7739d2 100644
--- a/cedar-policy-core/src/validator/schema.rs
+++ b/cedar-policy-core/src/validator/schema.rs
@@ -157,7 +157,8 @@ impl ValidatorSchemaFragment<ConditionalName, ConditionalName> {
 #[derive(Clone, Debug, Educe)]
 #[educe(Eq, PartialEq)]
 pub struct ValidatorType {
-    ty: Type,
+    /// Type field
+    pub ty: Type,
     #[cfg(feature = "extended-schema")]
     loc: MaybeLoc,
 }
@@ -235,6 +236,9 @@ pub struct ValidatorSchema {
     /// Map from action id names to the [`ValidatorActionId`] object.
     action_ids: HashMap<EntityUID, ValidatorActionId>,
 
+    /// Map from common types to the [`ValidatorType`] they represent.
+    common_types: HashMap<InternalName, ValidatorType>,
+
     /// For easy lookup, this is a map from action name to `Entity` object
     /// for each action in the schema. This information is contained elsewhere
     /// in the `ValidatorSchema`, but not efficient to extract -- getting the
@@ -243,7 +247,7 @@ pub struct ValidatorSchema {
     pub(crate) actions: HashMap<EntityUID, Arc<Entity>>,
 
     #[cfg(feature = "extended-schema")]
-    common_types: HashSet<ValidatorCommonType>,
+    common_types_extended: HashSet<ValidatorCommonType>,
     #[cfg(feature = "extended-schema")]
     namespaces: HashSet<ValidatorNamespace>,
 }
@@ -282,6 +286,7 @@ impl ValidatorSchema {
     pub fn new(
         entity_types: impl IntoIterator<Item = ValidatorEntityType>,
         action_ids: impl IntoIterator<Item = ValidatorActionId>,
+        common_types: impl IntoIterator<Item = (InternalName, ValidatorType)>,
     ) -> Self {
         let entity_types = entity_types
             .into_iter()
@@ -291,9 +296,11 @@ impl ValidatorSchema {
             .into_iter()
             .map(|id| (id.name().clone(), id))
             .collect();
+        let common_types = common_types.into_iter().collect();
         Self::new_from_maps(
             entity_types,
             action_ids,
+            common_types,
             #[cfg(feature = "extended-schema")]
             HashSet::new(),
             #[cfg(feature = "extended-schema")]
@@ -307,7 +314,8 @@ impl ValidatorSchema {
     fn new_from_maps(
         entity_types: HashMap<EntityType, ValidatorEntityType>,
         action_ids: HashMap<EntityUID, ValidatorActionId>,
-        #[cfg(feature = "extended-schema")] common_types: HashSet<ValidatorCommonType>,
+        common_types: HashMap<InternalName, ValidatorType>,
+        #[cfg(feature = "extended-schema")] common_types_extended: HashSet<ValidatorCommonType>,
         #[cfg(feature = "extended-schema")] namespaces: HashSet<ValidatorNamespace>,
     ) -> Self {
         let actions = Self::action_entities_iter(&action_ids)
@@ -316,9 +324,10 @@ impl ValidatorSchema {
         Self {
             entity_types,
             action_ids,
+            common_types,
             actions,
             #[cfg(feature = "extended-schema")]
-            common_types,
+            common_types_extended,
             #[cfg(feature = "extended-schema")]
             namespaces,
         }
@@ -326,8 +335,8 @@ impl ValidatorSchema {
 
     /// Returns an iter of common types in the schema
     #[cfg(feature = "extended-schema")]
-    pub fn common_types(&self) -> impl Iterator<Item = &ValidatorCommonType> {
-        self.common_types.iter()
+    pub fn common_types_extended(&self) -> impl Iterator<Item = &ValidatorCommonType> {
+        self.common_types_extended.iter()
     }
 
     /// Returns an iter of validator namespaces in the schema
@@ -456,8 +465,9 @@ impl ValidatorSchema {
             entity_types: HashMap::new(),
             action_ids: HashMap::new(),
             actions: HashMap::new(),
+            common_types: HashMap::new(),
             #[cfg(feature = "extended-schema")]
-            common_types: HashSet::new(),
+            common_types_extended: HashSet::new(),
             #[cfg(feature = "extended-schema")]
             namespaces: HashSet::new(),
         }
@@ -537,6 +547,39 @@ impl ValidatorSchema {
         )
     }
 
+    /// Construct a [`Type`] from [`json_schema::Type<RawName>`]
+    pub fn json_schema_type_to_validator_type(
+        &self,
+        ty: json_schema::Type<RawName>,
+        extensions: &Extensions<'_>,
+    ) -> Result<Type> {
+        let ext_fragments = std::iter::once(cedar_fragment(extensions)).collect::<Vec<_>>();
+
+        let mut all_defs = AllDefs::new(|| ext_fragments.iter());
+
+        for entity_type in self.entity_type_names() {
+            all_defs.mark_as_defined_as_entity_type(entity_type.name().qualify_with(None));
+        }
+
+        for common_type in self.common_type_internal_names() {
+            all_defs.mark_as_defined_as_common_type(common_type.clone());
+        }
+
+        let common_types = self
+            .common_types
+            .iter()
+            .map(|(name, ty)| (name, ty.clone()))
+            .collect();
+
+        let conditional_ty = ty.conditionally_qualify_type_references(None);
+        let internal_ty = conditional_ty.fully_qualify_type_references(&all_defs)?;
+        let unresolved = try_jsonschema_type_into_validator_type(internal_ty, extensions, None)?;
+
+        unresolved
+            .resolve_common_type_refs(&common_types)
+            .map(|t| t.ty)
+    }
+
     /// Construct a [`ValidatorSchema`] from some number of [`ValidatorSchemaFragment`]s.
     pub fn from_schema_fragments(
         fragments: impl IntoIterator<Item = ValidatorSchemaFragment<ConditionalName, ConditionalName>>,
@@ -820,6 +863,11 @@ impl ValidatorSchema {
             .map(|ct| ValidatorCommonType::new(ct.0, ct.1))
             .collect();
 
+        let common_types: HashMap<InternalName, ValidatorType> = common_types
+            .into_iter()
+            .map(|ct| (ct.0.clone(), ct.1))
+            .collect();
+
         // Return with an error if there is an undeclared entity or action
         // referenced in any fragment. `{entity,action}_children` are provided
         // for the `undeclared_parent_{entities,actions}` arguments because we
@@ -832,11 +880,12 @@ impl ValidatorSchema {
             entity_children.into_keys(),
             &action_ids,
             action_children.into_keys(),
-            common_types.into_values(),
+            common_types.clone().into_values(),
         )?;
         Ok(ValidatorSchema::new_from_maps(
             entity_types,
             action_ids,
+            common_types,
             #[cfg(feature = "extended-schema")]
             common_type_validators,
             #[cfg(feature = "extended-schema")]
@@ -985,6 +1034,16 @@ impl ValidatorSchema {
         self.action_ids.values()
     }
 
+    /// An iterator over the common type internal names in the schema.
+    pub fn common_type_internal_names(&self) -> impl Iterator<Item = &InternalName> {
+        self.common_types.keys()
+    }
+
+    /// An iterator over the common types in the schema.
+    pub fn common_types(&self) -> impl Iterator<Item = (&InternalName, &ValidatorType)> {
+        self.common_types.iter()
+    }
+
     /// An iterator over the entity type names in the schema.
     pub fn entity_type_names(&self) -> impl Iterator<Item = &EntityType> {
         self.entity_types.keys()
diff --git a/cedar-policy-core/src/validator/typecheck.rs b/cedar-policy-core/src/validator/typecheck.rs
index b7bf989fe5..2e851c0db8 100644
--- a/cedar-policy-core/src/validator/typecheck.rs
+++ b/cedar-policy-core/src/validator/typecheck.rs
@@ -398,7 +398,7 @@ impl<'a> SingleEnvTypechecker<'a> {
                     Type::any_entity_reference()
                 }))
                 .with_same_source_loc(e)
-                .slot(*slotid),
+                .slot(slotid.clone()),
             ),
 
             // Literal booleans get singleton type according to their value.
diff --git a/cedar-policy-core/src/validator/typecheck/test/policy.rs b/cedar-policy-core/src/validator/typecheck/test/policy.rs
index 8e95ea2a63..9dd7e5fe11 100644
--- a/cedar-policy-core/src/validator/typecheck/test/policy.rs
+++ b/cedar-policy-core/src/validator/typecheck/test/policy.rs
@@ -107,6 +107,118 @@ fn simple_schema_file() -> json_schema::NamespaceDefinition<RawName> {
     .expect("Expected valid schema")
 }
 
+fn simple_schema_file_1() -> json_schema::NamespaceDefinition<RawName> {
+    serde_json::from_value(serde_json::json!(
+            {
+            "entityTypes": {
+                "Disk": {
+                    "shape": {
+                        "type": "Record",
+                        "attributes": {
+                            "name": {
+                                "type": "EntityOrCommon",
+                                "name": "String"
+                            },
+                            "storage": {
+                                "type": "EntityOrCommon",
+                                "name": "Long"
+                            }
+                        }
+                    }
+                },
+                "Document": {
+                    "memberOfTypes": [
+                        "Folder"
+                    ],
+                    "shape": {
+                        "type": "Record",
+                        "attributes": {
+                            "lastEdited": {
+                                "type": "EntityOrCommon",
+                                "name": "datetime"
+                            }
+                        }
+                    }
+                },
+                "File": {
+                    "memberOfTypes": [
+                        "Document"
+                    ]
+                },
+                "Folder": {
+                    "memberOfTypes": [
+                        "Disk"
+                    ],
+                    "shape": {
+                        "type": "Record",
+                        "attributes": {
+                            "lastEdited": {
+                                "type": "EntityOrCommon",
+                                "name": "datetime"
+                            }
+                        }
+                    }
+                },
+                "Person": {
+                    "shape": {
+                        "type": "Record",
+                        "attributes": {
+                            "age": {
+                                "type": "EntityOrCommon",
+                                "name": "Long"
+                            }
+                        }
+                    }
+                }
+            },
+            "actions": {
+                "Access": {
+                    "appliesTo": {
+                        "principalTypes": [
+                            "Person"
+                        ],
+                        "resourceTypes": [
+                            "Disk"
+                        ]
+                    }
+                },
+                "Navigate": {
+                    "appliesTo": {
+                        "principalTypes": [
+                            "Person"
+                        ],
+                        "resourceTypes": [
+                            "Disk",
+                            "Folder",
+                            "Document"
+                        ]
+                    }
+                },
+                "Write": {
+                    "appliesTo": {
+                        "principalTypes": [
+                            "Person"
+                        ],
+                        "resourceTypes": [
+                            "Folder",
+                            "Document"
+                        ],
+                        "context": {
+                            "type": "Record",
+                            "attributes": {
+                                "date": {
+                                    "type": "EntityOrCommon",
+                                    "name": "datetime"
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+    }))
+    .expect("Expected valid schema")
+}
+
 #[track_caller] // report the caller's location as the location of the panic, not the location in this function
 fn assert_policy_typechecks_permissive_simple_schema(p: impl Into<Arc<Template>>) {
     assert_policy_typechecks_for_mode(simple_schema_file(), p, ValidationMode::Permissive)
@@ -1326,4 +1438,36 @@ mod templates {
             )
         );
     }
+
+    #[test]
+    fn slot_in_condition_should_typecheck() {
+        let s = simple_schema_file_1();
+
+        let templates = [
+            r#"permit(principal == ?principal, action == Action::"Navigate", resource in ?resource) when { ?resource has storage && ?resource.storage == 5 };"#,
+            r#"permit(principal == ?principal, action == Action::"Navigate", resource in ?resource) when { ?principal.age == 25 };"#,
+            r#"permit(principal == ?principal, action == Action::"Write", resource == ?resource) when { ?resource.lastEdited > context.date };"#,
+            r#"permit(principal == ?principal, action == Action::"Access", resource in ?resource) when { ?resource.name == "SSD" };"#,
+        ];
+
+        for template in templates {
+            let t = parse_policy_or_template(None, template).unwrap();
+            assert_policy_typechecks(s.clone(), t);
+        }
+    }
+
+    #[test]
+    fn slot_in_condition_should_not_typecheck() {
+        let s = simple_schema_file_1();
+
+        let templates = [
+            r#"permit(principal == ?principal, action == Action::"Navigate", resource in ?resource) when { ?resource.storage == 5 };"#,
+            r#"permit(principal == ?principal, action == Action::"Write", resource in ?resource) when { ?resource.random == true };"#,
+        ];
+
+        for template in templates {
+            let t = parse_policy_or_template(None, template).unwrap();
+            assert_policy_typecheck_fails(s.clone(), t);
+        }
+    }
 }
diff --git a/cedar-policy/src/api.rs b/cedar-policy/src/api.rs
index bdc561686e..62aabc4ae6 100644
--- a/cedar-policy/src/api.rs
+++ b/cedar-policy/src/api.rs
@@ -2809,6 +2809,8 @@ impl PolicySet {
             template_id.into(),
             new_id.clone().into(),
             unwrapped_vals.clone(),
+            HashMap::new(),
+            None,
         )?;
 
         // PANIC SAFETY: `lossless.link()` will not fail after `ast.link()` succeeds
@@ -2816,7 +2818,7 @@ impl PolicySet {
         let linked_lossless = template
             .lossless
             .clone()
-            .link(unwrapped_vals.iter().map(|(k, v)| (*k, v)))
+            .link(unwrapped_vals.iter().map(|(k, v)| (k.clone(), v)))
             // The only error case for `lossless.link()` is a template with
             // slots which are not filled by the provided values. `ast.link()`
             // will have already errored if there are any unfilled slots in the
@@ -2941,7 +2943,7 @@ fn is_static_or_link(
                 .ast
                 .env()
                 .iter()
-                .map(|(id, euid)| (*id, euid.clone()))
+                .map(|(id, euid)| (id.clone(), euid.clone()))
                 .collect();
             Ok(Either::Right(TemplateLink {
                 new_id: id.into(),
@@ -3173,7 +3175,7 @@ impl Template {
             .map(|(k, v)| (k.as_ref(), v.as_ref()))
     }
 
-    /// Iterate over the open slots in this `Template`
+    /// Iterate over the open slots (principal, resource, and generalized) in this `Template`
     pub fn slots(&self) -> impl Iterator<Item = &SlotId> {
         self.ast.slots().map(|slot| SlotId::ref_cast(&slot.id))
     }
@@ -3498,7 +3500,7 @@ impl Policy {
                 .ast
                 .env()
                 .iter()
-                .map(|(key, value)| ((*key).into(), value.clone().into()))
+                .map(|(key, value)| ((key.clone()).into(), value.clone().into()))
                 .collect();
             Some(wrapped_vals)
         }
@@ -3958,7 +3960,7 @@ impl LosslessPolicy {
                 if slots.is_empty() {
                     Ok(est)
                 } else {
-                    let unwrapped_vals = slots.iter().map(|(k, v)| (*k, v.into())).collect();
+                    let unwrapped_vals = slots.iter().map(|(k, v)| (k.clone(), v.into())).collect();
                     Ok(est.link(&unwrapped_vals)?)
                 }
             }
diff --git a/cedar-policy/src/test/test.rs b/cedar-policy/src/test/test.rs
index 7f88c55f20..f50b29eda5 100644
--- a/cedar-policy/src/test/test.rs
+++ b/cedar-policy/src/test/test.rs
@@ -5422,7 +5422,7 @@ mod issue_606 {
                 &miette::Report::new(e),
                 &ExpectedErrorMessageBuilder::error("error deserializing a policy/template from JSON")
                     .source("found template slot ?principal in a `when` clause")
-                    .help("slots are currently unsupported in `when` clauses")
+                    .help("?principal needs to appear in the scope to appear in the condition of the template")
                     .build(),
             );
         });