Role Templating

You can template policy for automating permission granting.

The following policy blocks grant admin privileges in the job::/ and package::/ realms to any user holding a token whose name matches that user's sandbox namespace (the [name] segment of the realm).

job::/sandbox/[name] {
    if (auth_server@apcera.me->name==[name]) {
        role admin
    }
}
package::/sandbox/[name] {
    if (auth_server@apcera.me->name==[name]) {
        role admin
    }
}

Typically this type of policy is for developers who need access to both jobs and packages to create and deploy workloads. Granting them admin permissions on sandboxed realms allows them to develop freely in their own environments.

Note that the templated value is derived from the realm, so the realm must be an FQN for templating to work. This means you cannot use templating on a root realm, such as the following:

auth::/ {
    if (auth_server@apcera.me->name == [name]) {
        defaultNamespace "/sandbox/[name]"
    }
}

Since the realm auth::/ is not an FQN and therefore supplies no value for [name], the above policy will not properly templatize the name.
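The binding rule described above, as an added illustration in Python (this is example code, not the Apcera policy engine): a placeholder such as [name] is bound only by matching the resource FQN against the realm, and the block's condition is then evaluated with that binding. It assumes the page's condition (auth_server@apcera.me->name == [name]) in every block, that a realm covers its own FQN and everything beneath it, and that a placeholder matches exactly one path segment. The root realm auth::/ binds nothing, so its block never fires.

```python
"""Toy model of realm templating (added example; not the Apcera policy engine).

A policy entry is (realm_template, outcome). The condition in every block is
the one from the page: auth_server@apcera.me->name == [name]. Placeholders such
as [name] are bound only from the realm the resource FQN is matched against.
"""
import re

PLACEHOLDER = re.compile(r"\[(\w+)\]")

# Constructed sample policy mirroring the page's three blocks.
POLICY = [
    ("job::/sandbox/[name]", "role admin"),
    ("package::/sandbox/[name]", "role admin"),
    ("auth::/", 'defaultNamespace "/sandbox/[name]"'),  # root realm, no placeholder
]


def realm_to_regex(realm_template):
    """Compile a templated realm into a regex with one named group per placeholder.

    The realm covers its own FQN and everything beneath it, so '(/.*)?' is
    appended; a trailing slash on the template is dropped first so that the
    root realm 'auth::/' also covers 'auth::/anything'.
    """
    template = realm_template.rstrip("/")
    parts, last = [], 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[last:m.start()]))
        parts.append(f"(?P<{m.group(1)}>[^/]+)")  # one path segment per placeholder
        last = m.end()
    parts.append(re.escape(template[last:]))
    return re.compile("^" + "".join(parts) + "(?:/.*)?$")


def bind_realm(realm_template, resource_fqn):
    """Return placeholder bindings if resource_fqn lies in the realm, else None."""
    m = realm_to_regex(realm_template).match(resource_fqn)
    return None if m is None else m.groupdict()


def evaluate(resource_fqn, token_name, policy=POLICY):
    """Outcomes granted on resource_fqn to a token whose name claim is token_name."""
    outcomes = []
    for realm_template, outcome in policy:
        bindings = bind_realm(realm_template, resource_fqn)
        if bindings is None:
            continue  # resource is outside this realm
        # auth_server@apcera.me->name == [name]: [name] must have been bound
        # from the realm. A root realm such as auth::/ never binds it, so the
        # comparison cannot succeed and the block grants nothing.
        if bindings.get("name") != token_name:
            continue
        # Substitute the bound placeholders into the outcome text.
        outcomes.append(PLACEHOLDER.sub(lambda m: bindings[m.group(1)], outcome))
    return outcomes


if __name__ == "__main__":
    for fqn, who in [("job::/sandbox/alice/web", "alice"),
                     ("job::/sandbox/bob/web", "alice"),
                     ("auth::/sandbox/alice", "alice")]:
        print(f"{who} on {fqn}: {evaluate(fqn, who)}")
```

Running the block shows the developer case (admin on her own sandbox, nothing on a colleague's) and the root-realm case, where auth::/ matches the resource but yields no outcome because [name] was never bound.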