Principal policies

Principal policies define overrides for a specific user.

---
apiVersion: "api.cerbos.dev/v1"
principalPolicy:
  principal: daffy_duck (1)
  version: "dev" (2)
  scope: "acme.corp" (3)
  variables:
    import: (4)
      - apatr_common_variables
    local: (5)
      is_dev_record: request.resource.attr.dev_record == true
  rules:
    - resource: leave_request (6)
      actions:
        - name: dev_record_wildcard (7)
          action: "*" (8)
          condition: (9)
            match:
              expr: variables.is_dev_record
          effect: EFFECT_ALLOW
          output: (10)
            when:
              ruleActivated: |-
                "wildcard_override:%s".format([request.principal.id])
              conditionNotMet: |-
                "wildcard_condition_not_met:%s".format([request.principal.id])

    - resource: employee_profile
      actions:
        - name: view_employee_profile
          action: "*"
          condition:
            match:
              all:
                of:
                  - expr: V.is_dev_record
                  - expr: request.resource.attr.public == true
          effect: EFFECT_ALLOW
    - resource: salary_record
      actions:
        - action: "*"
          effect: EFFECT_DENY
1 Principal to whom this policy applies.
2 Version of this policy. Policies are uniquely identified by the principal name and version pair. You can have multiple policy versions for the same principal (e.g. production vs. staging). The version value default is special as it is the default fallback when no version is specified in the request.
3 Optional scope for this policy.
4 Variable definitions to import (optional).
5 Local variable definitions (optional).
6 Resource to which this override applies. Wildcards are supported here.
7 Optional name for the rule.
8 Actions that can be performed on the resource. Wildcards are supported here.
9 Optional conditions required to match this rule.
10 Optional output for the action rule. You can define optional expressions to be evaluated as output depending on whether the rule is activated or not activated because of a condition failure.