Principal policies
This documentation is for an as-yet unreleased version of Cerbos. Choose 0.40.0 from the version picker at the top right or navigate to https://docs.cerbos.dev for the latest version. |
Principal policies define overrides for a specific user.
---
apiVersion: "api.cerbos.dev/v1"
principalPolicy:
principal: daffy_duck (1)
version: "dev" (2)
scope: "acme.corp" (3)
constants:
import: (4)
- apatr_common_constants
local: (5)
test_department_id: 12345
variables:
import: (6)
- apatr_common_variables
local: (7)
is_dev_record: |-
request.resource.attr.dev_record == true || request.resource.attr.department_id == constants.test_department_id
rules:
- resource: leave_request (8)
actions:
- name: dev_record_wildcard (9)
action: "*" (10)
condition: (11)
match:
expr: variables.is_dev_record
effect: EFFECT_ALLOW
output: (12)
when:
ruleActivated: |-
"wildcard_override:%s".format([request.principal.id])
conditionNotMet: |-
"wildcard_condition_not_met:%s".format([request.principal.id])
- resource: employee_profile
actions:
- name: view_employee_profile
action: "*"
condition:
match:
all:
of:
- expr: variables.is_dev_record
- expr: request.resource.attr.public == true
effect: EFFECT_ALLOW
- resource: salary_record
actions:
- action: "*"
effect: EFFECT_DENY
1 | Principal to whom this policy applies. |
2 | Version of this policy. Policies are uniquely identified by the principal name and version pair. You can have multiple policy versions for the same principal (e.g. production vs. staging). The version value default is special as it is the default fallback when no version is specified in the request. |
3 | Optional scope for this policy. |
4 | Constant definitions to import (optional). |
5 | Local constant definitions (optional). |
6 | Variable definitions to import (optional). |
7 | Local variable definitions (optional). |
8 | Resource to which this override applies. Wildcards are supported here. |
9 | Optional name for the rule. |
10 | Actions that can be performed on the resource. Wildcards are supported here. |
11 | Optional conditions required to match this rule. |
12 | Optional output for the action rule. You can define optional expressions to be evaluated as output depending on whether the rule is activated or not activated because of a condition failure. |