Category
Cedar language features
Describe the feature you'd like to request
We would like to be able to use placeholders like ?principal and ?resource in the when/unless conditions.
Describe the solution you'd like
Placeholders are evaluated in the conditions.
Describe alternatives you've considered
The alternative seems to be creating multiple different policies, rather than using the template linking feature to re-use the same policy. This is unappealing because of the maintenance burden of applying changes to the underlying logic to a large number of existing policies.
Additional context
An example of a policy that would use this:
@id("Admin")
permit(
    principal == ?principal,
    action,
    resource)
when {
    // take any action in the scope that you're admin on
    resource in ?resource
    // allow access up the tree for navigation
    || (action == Action::"Navigate" && ?resource in resource)
};
This policy is intended to allow someone to administer a particular resource subtree in the resource hierarchy, and also to navigate down to their subtree.
This could be broken up into:
@id("AdminAdmin")
permit(
    principal == ?principal,
    action,
    resource in ?resource); // take any action in the scope that you're admin on
@id("AdminNavigate")
permit(
    principal == ?principal,
    action == Action::"Navigate",
    ?resource in resource); // allow access up the tree for navigation
to avoid supporting placeholders in the conditions, but then it would be possible to get into strange states where someone had AdminAdmin applied, but not AdminNavigate, which is undesirable.
Notes:
- The Admin policy above currently appears to work, though the docs say it shouldn't.
- The docs also say that ?resource in resource is not allowed ("Placeholders can appear in only the policy head on the right-hand side of the == or in operators.") but it also appears to work.
Is this something that you'd be interested in working on?
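To make the "strange state" concrete, here is a small Python model (an added example, not Cedar itself and not code from the issue author) of the two split templates above: a constructed resource hierarchy, an `in` check, the two linked templates as functions, and a check that flags slot bindings for which AdminAdmin was linked but AdminNavigate was not. Entity names, the hierarchy and the `unpaired_links` helper are all assumptions made for this illustration.

```python
# Toy model of linked Cedar templates (added example, not the Cedar evaluator).

# Constructed resource hierarchy: child -> parent (None at the root).
PARENTS = {
    'Folder::"root"': None,
    'Folder::"team"': 'Folder::"root"',
    'Doc::"plan"': 'Folder::"team"',
}

NAVIGATE = 'Action::"Navigate"'


def is_in(entity, ancestor):
    """Cedar-style `entity in ancestor`: true for the entity itself or any ancestor."""
    while entity is not None:
        if entity == ancestor:
            return True
        entity = PARENTS.get(entity)
    return False


def admin_admin(slots, principal, action, resource):
    """Linked @id("AdminAdmin"): principal == ?principal, any action, resource in ?resource."""
    return principal == slots["?principal"] and is_in(resource, slots["?resource"])


def admin_navigate(slots, principal, action, resource):
    """Linked @id("AdminNavigate"): principal == ?principal, action == Navigate, ?resource in resource."""
    return (principal == slots["?principal"] and action == NAVIGATE
            and is_in(slots["?resource"], resource))


TEMPLATES = {"AdminAdmin": admin_admin, "AdminNavigate": admin_navigate}


def is_authorized(links, principal, action, resource):
    """`links` is a list of (template_id, slots); permit-only, so any match allows."""
    return any(TEMPLATES[tid](slots, principal, action, resource) for tid, slots in links)


def unpaired_links(links):
    """Slot bindings with AdminAdmin linked but no matching AdminNavigate (the hypothetical consistency check)."""
    by_template = {tid: {tuple(sorted(s.items())) for t, s in links if t == tid} for tid in TEMPLATES}
    return sorted(by_template["AdminAdmin"] - by_template["AdminNavigate"])
```

Running `unpaired_links` over the link set is the kind of check a deployment would need to keep the two half-policies consistent, which is exactly the maintenance burden the single-template form avoids.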