Principal policies

---
apiVersion: "api.cerbos.dev/v1"
principalPolicy:
  principal: daffy_duck (1)
  version: "dev" (2)
  rules:
    - resource: leave_request (3)
      actions:
        - action: "*" (4)
          condition: (5)
            match:
              expr: "request.resource.attr.dev_record == true"
          effect: EFFECT_ALLOW

    - resource: salary_record
      actions:
        - action: "*"
          effect: EFFECT_DENY

1	Principal to whom this policy applies.
2	Version of this policy. Policies are uniquely identified by the principal name and version pair. You can have multiple policy versions for the same principal (e.g. production vs. staging). The version value `default` is special as it is the default fallback when no version is specified in the request.
3	Resource to which this override applies. Wildcards are supported here.
4	Actions that can be performed on the resource. Wildcards are supported here.
5	Optional conditions required to match this rule.