Principal policies
Principal policies define overrides for a specific user.
---
apiVersion: "api.cerbos.dev/v1"
variables: (1)
is_dev_record: request.resource.attr.dev_record == true
principalPolicy:
principal: daffy_duck (2)
version: "dev" (3)
scope: "acme.corp" (4)
rules:
- resource: leave_request (5)
actions:
- name: dev_record_wildcard (6)
action: "*" (7)
condition: (8)
match:
expr: variables.is_dev_record
effect: EFFECT_ALLOW
- resource: employee_profile
actions:
- name: view_employee_profile
action: "*"
condition:
match:
all:
of:
- expr: V.is_dev_record
- expr: request.resource.attr.public == true
effect: EFFECT_ALLOW
- resource: salary_record
actions:
- action: "*"
effect: EFFECT_DENY| 1 | Optional variables section. Each variable is evaluated before any rule condition. A variable expression can contain anything that condition expression can have. |
| 2 | Principal to whom this policy applies. |
| 3 | Version of this policy. Policies are uniquely identified by the principal name and version pair. You can have multiple policy versions for the same principal (e.g. production vs. staging). The version value default is special as it is the default fallback when no version is specified in the request. |
| 4 | Optional scope for this policy. See Scoped Policies. |
| 5 | Resource to which this override applies. Wildcards are supported here. |
| 6 | Optional name for the rule. |
| 7 | Actions that can be performed on the resource. Wildcards are supported here. |
| 8 | Optional conditions required to match this rule. |