Policy Examples with Arbitrary Strings

As documented in the policy syntax section, you can create policy claim types and values using arbitrary strings.

A consequent claim can set any arbitrary string as a claim type and value, and that string can then be referenced by other rules. An antecedent claim can test a string that was set by the consequent claim of another rule. This lets you introduce claim hierarchies of your own.

For example, consider the following valid policy:

job::/sandbox/ {
  { brooklyn bridge }
}

Here, brooklyn is the consequent claim type and bridge is the consequent claim value. The antecedent claim is omitted, so nothing has to hold before the claim is set.

You can then reference these strings in later policies, for example:

job::/sandbox/user {
  if (brooklyn == "bridge") {
    permit ssh
  }
}

The examples above show that policy accepts arbitrary strings, but they are not practical.

In the following example, arbitrary strings define a team claim type and value:

job::/ {
  { team DevXX }
}

Then:

job::/ {
  if (team == DevXX) {
    permit create, read, update, delete
    permit start, stop, map, link, bind
  }
}

This is similar to creating a role, but here we use the extensible nature of the policy language to define team-based permissions from arbitrary strings of your own choosing.
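The following Python is an added example, not code from this page or from the policy engine itself. It models the claim flow described above (the brooklyn/bridge policies and the team policies) as data and evaluates it for a job path, so you can see a consequent claim set by one rule satisfy the antecedent of another. Two things are assumptions of the model rather than documented engine behaviour: a rule applies to any job whose path starts with the rule's prefix, and all consequent claims of the applicable rules are collected before any `if` antecedent is checked. The `unresolved_antecedents` helper is also an addition: because claim strings are arbitrary, a misspelled value is not a syntax error but a rule that never matches, and the helper finds such pairs.

```python
# Added example, not the policy engine's own code: a toy model of how a
# consequent claim set by one rule becomes visible to the antecedent of
# another. The rule set mirrors the policies on this page. Two points are
# assumptions of the model, not documented behaviour of the real engine:
#   (1) a rule applies to a job whose path starts with the rule's prefix;
#   (2) all consequent claims of applicable rules are collected before any
#       antecedent (`if`) is checked.
from dataclasses import dataclass, field


@dataclass
class Rule:
    prefix: str                                   # e.g. "job::/sandbox/"
    sets: dict = field(default_factory=dict)      # consequent claims { type value }
    when: dict = field(default_factory=dict)      # antecedent claims (type == value)
    permits: set = field(default_factory=set)     # actions granted when `when` holds


# Constructed policy set: the four rules from this page, expressed as data.
POLICY = [
    Rule("job::/sandbox/", sets={"brooklyn": "bridge"}),
    Rule("job::/sandbox/user", when={"brooklyn": "bridge"}, permits={"ssh"}),
    Rule("job::/", sets={"team": "DevXX"}),
    Rule("job::/", when={"team": "DevXX"},
         permits={"create", "read", "update", "delete",
                  "start", "stop", "map", "link", "bind"}),
]


def applicable(rules, job):
    """Rules whose path prefix covers the job path (assumption 1)."""
    return [r for r in rules if job.startswith(r.prefix)]


def evaluate(rules, job):
    """Return (claims, permitted actions) for one job path (assumption 2)."""
    active = applicable(rules, job)
    claims = {}
    for r in active:                 # phase 1: every consequent claim is set
        claims.update(r.sets)
    permitted = set()
    for r in active:                 # phase 2: antecedents see all of phase 1
        if all(claims.get(t) == v for t, v in r.when.items()):
            permitted |= r.permits
    return claims, permitted


def unresolved_antecedents(rules):
    """Antecedent (type, value) pairs that no consequent in the set produces.
    Claim strings are arbitrary, so a misspelling is not a syntax error; it
    is a rule that silently never matches. This check surfaces such pairs."""
    produced = {(t, v) for r in rules for t, v in r.sets.items()}
    wanted = {(t, v) for r in rules for t, v in r.when.items()}
    return sorted(wanted - produced)


if __name__ == "__main__":
    for job in ("job::/sandbox/user", "job::/prod/api"):
        claims, permitted = evaluate(POLICY, job)
        print(job, claims, sorted(permitted))
    # A typo in an antecedent value is accepted by the language as just
    # another arbitrary string; only a check like this one reveals it.
    typo = POLICY + [Rule("job::/", when={"team": "DevXY"}, permits={"delete"})]
    print("unresolved:", unresolved_antecedents(typo))
```

Running the block shows job::/sandbox/user receiving both claims and therefore ssh plus the team permissions, while job::/prod/api receives only the team claim and never ssh. Treat the two-phase evaluation as a reading aid for this page, not as a specification: confirm the real engine's evaluation order in the policy syntax section before relying on claims set in one rule being visible in another.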

As always with policy, test your policies in a development environment before deploying them to production to ensure they work as expected. This matters more with arbitrary strings than with built-in claims: a misspelled claim type or value is still a valid string, so a rule whose antecedent names a value that no consequent ever sets is not rejected, it simply never matches.