Principal policies
Principal policies define overrides for a specific user.
---
apiVersion: "api.cerbos.dev/v1"
principalPolicy:
  principal: daffy_duck (1)
  version: "dev" (2)
  scope: "acme.corp" (3)
  variables:
    import: (4)
      - apatr_common_variables
    local: (5)
      is_dev_record: request.resource.attr.dev_record == true
  rules:
    - resource: leave_request (6)
      actions:
        - name: dev_record_wildcard (7)
          action: "*" (8)
          condition: (9)
            match:
              expr: variables.is_dev_record
          effect: EFFECT_ALLOW
          output: (10)
            when:
              ruleActivated: |-
                "wildcard_override:%s".format([request.principal.id])
              conditionNotMet: |-
                "wildcard_condition_not_met:%s".format([request.principal.id])
    - resource: employee_profile
      actions:
        - name: view_employee_profile
          action: "*"
          condition:
            match:
              all:
                of:
                  - expr: V.is_dev_record
                  - expr: request.resource.attr.public == true
          effect: EFFECT_ALLOW
    - resource: salary_record
      actions:
        - action: "*"
          effect: EFFECT_DENY
(1) Principal to whom this policy applies.
(2) Version of this policy. Policies are uniquely identified by the principal name and version pair. You can have multiple policy versions for the same principal (e.g. production vs. staging). The version `default` is special: it is the fallback used when no version is specified in the request.
(3) Optional scope for this policy.
(4) Variable definitions to import (optional).
(5) Local variable definitions (optional).
(6) Resource to which this override applies. Wildcards are supported here.
(7) Optional name for the rule.
(8) Actions that can be performed on the resource. Wildcards are supported here.
(9) Optional conditions required to match this rule.
(10) Optional output for the action rule. You can define optional expressions to be evaluated as output depending on whether the rule is activated or not activated because of a condition failure.
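Because a principal policy overrides resource policies for one user, a reviewer wants to see every wildcard override and every variable reference before it ships. The following added script (not part of Cerbos or of this page) transcribes the policy above into a Python dict, walks each rule's condition tree, and reports unconditional wildcard overrides and any `variables.x` / `V.x` reference that is not defined locally and must therefore be satisfied by an import; it assumes `V` is an alias for `variables` and does not evaluate CEL.

```python
import re
from typing import Any

# Constructed transcription of the page's principal policy (no YAML parser needed).
POLICY = {
    "apiVersion": "api.cerbos.dev/v1",
    "principalPolicy": {
        "principal": "daffy_duck", "version": "dev", "scope": "acme.corp",
        "variables": {"import": ["apatr_common_variables"],
                      "local": {"is_dev_record": "request.resource.attr.dev_record == true"}},
        "rules": [
            {"resource": "leave_request", "actions": [
                {"name": "dev_record_wildcard", "action": "*", "effect": "EFFECT_ALLOW",
                 "condition": {"match": {"expr": "variables.is_dev_record"}}}]},
            {"resource": "employee_profile", "actions": [
                {"name": "view_employee_profile", "action": "*", "effect": "EFFECT_ALLOW",
                 "condition": {"match": {"all": {"of": [
                     {"expr": "V.is_dev_record"},
                     {"expr": "request.resource.attr.public == true"}]}}}}]},
            {"resource": "salary_record", "actions": [{"action": "*", "effect": "EFFECT_DENY"}]},
        ],
    },
}

# Matches `variables.name` and the `V.name` alias inside a CEL expression.
VAR_REF = re.compile(r"\b(?:variables|V)\.([A-Za-z_]\w*)")

def _exprs(node: Any):
    """Yield every expression string nested under a condition's match/all/any/none tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "expr":
                yield value
            else:
                yield from _exprs(value)
    elif isinstance(node, list):
        for item in node:
            yield from _exprs(item)

def audit_principal_policy(doc: dict) -> list[str]:
    """Return review findings: unconditional wildcard overrides and non-local variable refs."""
    pp = doc["principalPolicy"]
    local_vars = set(pp.get("variables", {}).get("local", {}))
    imports = pp.get("variables", {}).get("import", [])
    findings = []
    for rule in pp["rules"]:
        for act in rule["actions"]:
            where = f"{rule['resource']}/{act['action']}"
            cond = act.get("condition")
            if cond is None and act["action"] == "*":
                findings.append(f"{where}: unconditional wildcard {act['effect']}")
            for name in VAR_REF.findall(" ".join(_exprs(cond))):
                if name not in local_vars:
                    src = f"must come from imports {imports}" if imports else "undefined"
                    findings.append(f"{where}: variable '{name}' not local, {src}")
    return findings
```

Run against the page's policy it reports only the unconditional `salary_record` deny; a rule that referenced an undeclared `V.is_admin` would be flagged as needing to come from `apatr_common_variables`.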