Policy on Policy Examples
Policies belong to policy documents (also known as realmdocs). A policy document contains rules for any number of realms.
Policy on the policy::/ realm permits a user to read/update existing policy documents. Note that a user can read/update policy contained in a policy document only if that user has policy permissions to read/update each realm in the policy document. (See example below.)
Policy on the policydoc::/ realm provides CRUD permissions on policy documents.
Policy permissions
The following policy defines the permissions for resources in the policy::/ realm:
policy::/ {
  if (permit == all) {
    permit read, update
  }
}
Policydoc permissions
The following policy defines the permissions for resources in the policydoc::/ realm:
policydoc::/ {
  if (permit == all) {
    permit create, read, update, delete
  }
}
Policy read example
The following policy lets users read all policy documents in the system:
on policy::/ {
  { permit read }
}
Policy authoring example
The following policy block gives "tom" the ability to author policy for all resource types in the /prod namespace, whereas "bob" (identified as "bob@gmail.com") can only write policy for jobs and packages in the /dev namespace:
policy::/prod {
  if (auth_server@apcera.me->name == "tom") {
    permit update
  }
}
policy::/dev {
  if (auth_server@apcera.me->name == "bob@gmail.com" && ResType == "job") {
    permit update
  }
  if (auth_server@apcera.me->name == "bob@gmail.com" && ResType == "package") {
    permit update
  }
}
To constrain policy permissions to certain resource types, add a condition to the rule that checks ResType:
policy::/sandbox/[name] {
  if (auth_server@apcera.me->name == [name] && ResType == "gateway") {
    permit update
  }
  if (auth_server@apcera.me->name == [name] && ResType == "job") {
    permit update
  }
  if (auth_server@apcera.me->name == [name] && ResType == "package") {
    permit update
  }
  if (auth_server@apcera.me->name == [name] && ResType == "provider") {
    permit update
  }
  if (auth_server@apcera.me->name == [name] && ResType == "sempiperule") {
    permit update
  }
  if (auth_server@apcera.me->name == [name] && ResType == "service") {
    permit update
  }
  if (auth_server@apcera.me->name == [name] && ResType == "stagpipe") {
    permit update
  }
}
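The rule stated at the top of this page (a user may update a policy document only if they hold policy::/ update permission on every realm the document touches) is easy to get wrong when documents mix realms. The following is an added model of that check, written for this page and not Apcera's own code; it reuses the grants from the policy authoring example above and assumes (a) that a rule on policy::/<namespace> also covers sub-namespaces and (b) that a realm is written "<type>::<namespace>". The policy documents it checks are constructed samples.

```python
"""Model of the 'policy on policy' check: a user can update a policy
document only if permitted on EVERY realm in it.

Added illustration, not Apcera's code. Assumptions: a rule on
policy::/<ns> covers <ns> and its sub-namespaces; a realm path is
written "<type>::<namespace>" (for example "job::/dev").
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class PolicyGrant:
    """One 'permit update' rule in the policy::/ realm.

    namespace: namespace the policy::/ rule is attached to, e.g. "/dev"
    user:      the auth_server@apcera.me->name the condition requires
    res_type:  the ResType the condition requires, or None for any type
    """
    namespace: str
    user: str
    res_type: Optional[str] = None


def split_realm(realm: str) -> Tuple[str, str]:
    """Split "job::/dev/web" into ("job", "/dev/web")."""
    res_type, sep, namespace = realm.partition("::")
    if not sep or not namespace.startswith("/"):
        raise ValueError(f"malformed realm: {realm!r}")
    return res_type, namespace


def namespace_covers(parent: str, child: str) -> bool:
    """Assumption: policy on a namespace also covers its sub-namespaces."""
    if parent == "/":
        return True
    return child == parent or child.startswith(parent.rstrip("/") + "/")


def can_update_realm(user: str, realm: str, grants: Iterable[PolicyGrant]) -> bool:
    """True if some grant lets `user` author policy for this realm."""
    res_type, namespace = split_realm(realm)
    return any(
        g.user == user
        and namespace_covers(g.namespace, namespace)
        and (g.res_type is None or g.res_type == res_type)
        for g in grants
    )


def can_update_document(user: str, doc_realms: Iterable[str],
                        grants: Iterable[PolicyGrant]) -> Tuple[bool, List[str]]:
    """Apply the all-realms rule; return (allowed, realms that blocked it).

    Returning the blocking realms makes a denial auditable: an operator can
    see which realm the author lacks policy::/ update permission on.
    """
    grants = tuple(grants)
    denied = [r for r in doc_realms if not can_update_realm(user, r, grants)]
    return (not denied, denied)


# Constructed grants mirroring the 'Policy authoring example' on this page.
GRANTS = (
    PolicyGrant("/prod", "tom"),                      # any ResType under /prod
    PolicyGrant("/dev", "bob@gmail.com", "job"),
    PolicyGrant("/dev", "bob@gmail.com", "package"),
)

# Constructed policy documents (lists of realms), not taken from the page.
DEV_JOBS_DOC = ["job::/dev", "package::/dev"]
DEV_MIXED_DOC = ["job::/dev", "service::/dev"]   # service::/dev is not granted to bob
PROD_DOC = ["job::/prod/web", "service::/prod"]


if __name__ == "__main__":
    for who in ("tom", "bob@gmail.com"):
        for label, doc in (("dev-jobs", DEV_JOBS_DOC),
                           ("dev-mixed", DEV_MIXED_DOC),
                           ("prod", PROD_DOC)):
            ok, blocked = can_update_document(who, doc, GRANTS)
            print(f"{who:14} {label:10} allowed={ok} blocked={blocked}")
```

Running it shows that bob can update the document holding only job and package realms under /dev, but is refused on the mixed document because of the single service::/dev realm, which is exactly the "each realm in the policy document" condition from the top of the page.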
Policy document creation example
The following policy example shows how to use the policydoc::/ realm permissions:
policydoc::/::user-policy-student {
  if (auth_server@apcera.me->name == "student") {
    permit read, update
  }
}