Using Global Claims

This section describes how to use global claims.

Introducing global claims

A global claim is a user-defined policy claim that is available to any resource type as part of the input claims for policy evaluations.

Global claims help you administer and scale policy. For example, you can use a global claim to set role permissions in a single policy. If an input value changes, you update only the one policy that declares the global claim, not every policy that references it, as you would have to with traditional policy.

Global claims syntax

A global claim is declared in policy on the variables::/ realm, inside a block introduced by the reserved keywords system global claims. Each declaration has the form claimType "claimName" [, "claimNameN"], where the claim type and the claim name(s) are user-defined strings. The claim type is the identifier the claim is later referenced by (GC->claimType); the quoted claim names are its values.

on variables::/ {
  system global claims {
    claimType "claimName"
    claimType "claimName1", "claimName2", "claimNameN"
  }
}

Global claim types and values are literal and static: they do not change unless the policy declaring them is changed. A global claim may be assigned one or more values, and every user sees the same list of values.

Global claims are evaluated on policy load (before any authentication takes place) by each component and apply to all resource types.

The issuer of a global claim is GC. A global claim is referenced in policy as GC-> followed by its claim type, for example GC->DEVGROUP.

Example

The following example demonstrates a global claim policy that defines user permissions for an LDAP group.

on variables::/ {
  system global claims {
    DEVGROUP "develop.apc.users"
    DEVPERMIT all
  }
}

The DEVGROUP global claim type and value define the set of users to whom the global claim applies, and the DEVPERMIT global claim defines the permission grant. Once the global claim is declared, you can reference it in any other policy. If the value of either claim changes, you only have to update the global claim policy.

on job::/ {
  if (LDAP->group == GC->DEVGROUP) {
    permit GC->DEVPERMIT
  }
}

on package::/ {
  if (LDAP->group == GC->DEVGROUP) {
    permit GC->DEVPERMIT
  }
}

on service::/ {
  if (LDAP->group == GC->DEVGROUP) {
    permit GC->DEVPERMIT
  }
}

// And so on for other policy realms

By comparison, with traditional policy you have to repeat the LDAP group and permit values in every policy, and each of those policies must be updated whenever a value changes.

on job::/ {
  if (LDAP->group == "develop.apc.users") { 
    permit all 
  }
}

on package::/ {
  if (LDAP->group == "develop.apc.users") {
    permit all 
  }
}

on service::/ {
  if (LDAP->group == "develop.apc.users") {
    permit all 
  }
}

// And so on for all resource types
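To make the load-time behaviour concrete, the following Python model is an added illustration written for this page; it is not the platform's own policy engine. It parses only the subset of syntax shown in the examples above (a system global claims block and if (X->a == Y) { permit Z } rules), resolves GC-> references once when the policy is loaded, and evaluates realm policies against a constructed set of input claims. The {issuer: {claim: value}} layout of input claims, the treatment of a multi-valued global claim as matching any of its values, and the function names are assumptions of this model; the sample policy is constructed to mirror the DEVGROUP/DEVPERMIT example.

```python
"""Toy model of global-claim resolution and realm policy evaluation.

Added illustration for this page, not the platform's policy engine. It handles
only the syntax subset shown in the page's examples; the input-claim layout
({issuer: {claim: value}}) and any-value matching for multi-valued claims are
assumptions of this model.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample policy: one declaring document plus two realm policies
# that reference it, mirroring the DEVGROUP / DEVPERMIT example on this page.
POLICY = """
on variables::/ {
  system global claims {
    DEVGROUP "develop.apc.users"
    DEVPERMIT all
  }
}

on job::/ {
  if (LDAP->group == GC->DEVGROUP) {
    permit GC->DEVPERMIT
  }
}

on package::/ {
  if (LDAP->group == GC->DEVGROUP) {
    permit GC->DEVPERMIT
  }
}
"""

GC_BLOCK_RE = re.compile(
    r"on\s+variables::/\s*\{\s*system global claims\s*\{(.*?)\}\s*\}", re.S)
CLAIM_LINE_RE = re.compile(r"^\s*(\w+)\s+(.+?)\s*$", re.M)
RULE_RE = re.compile(
    r"on\s+(\S+)\s*\{\s*if\s*\(\s*(\w+)->(\w+)\s*==\s*(\S+)\s*\)"
    r"\s*\{\s*permit\s+(\S+)\s*\}\s*\}", re.S)


@dataclass(frozen=True)
class Rule:
    realm: str      # e.g. job::/
    issuer: str     # issuer on the left of the comparison, e.g. LDAP
    claim: str      # claim name on the left, e.g. group
    expected: str   # right-hand side: a literal or a GC->NAME reference
    permit: str     # permission to grant: a literal or a GC->NAME reference


def parse_values(text: str) -> list[str]:
    """'"a", "b"' -> ['a', 'b']; a bare token such as all -> ['all']."""
    return [v.strip().strip('"') for v in text.split(",")]


def load_global_claims(policy: str) -> dict[str, list[str]]:
    """Load-time step: collect the static values declared on variables::/."""
    block = GC_BLOCK_RE.search(policy)
    if block is None:
        return {}
    return {ctype: parse_values(vals)
            for ctype, vals in CLAIM_LINE_RE.findall(block.group(1))}


def parse_rules(policy: str) -> list[Rule]:
    return [Rule(*fields) for fields in RULE_RE.findall(policy)]


def resolve(token: str, gc: dict[str, list[str]]) -> list[str]:
    """Expand a GC->NAME reference to its declared values; pass literals through."""
    if token.startswith("GC->"):
        return gc[token[4:]]          # KeyError if the claim was never declared
    return [token.strip('"')]


def undeclared_references(policy: str) -> set[str]:
    """Load-time check: every GC-> reference in the policy must be declared."""
    gc = load_global_claims(policy)
    refs = set(re.findall(r"GC->(\w+)", policy))
    return refs - set(gc)


def evaluate(realm: str, input_claims: dict[str, dict[str, str]],
             policy: str) -> set[str]:
    """Return the permissions granted in `realm` for the given input claims."""
    gc = load_global_claims(policy)
    granted: set[str] = set()
    for rule in parse_rules(policy):
        if rule.realm != realm:
            continue
        # GC-> claims are served only from the loaded policy. Anything a
        # requester supplies under an issuer named "GC" is never consulted, so
        # the requester cannot redefine the group or the permission.
        if rule.issuer == "GC":
            actual = gc.get(rule.claim, [])
        else:
            value = input_claims.get(rule.issuer, {}).get(rule.claim)
            actual = [] if value is None else [value]
        # Model assumption: a multi-valued global claim matches any of its values.
        if any(v in resolve(rule.expected, gc) for v in actual):
            granted.update(resolve(rule.permit, gc))
    return granted


if __name__ == "__main__":
    dev = {"LDAP": {"group": "develop.apc.users"}}
    for realm in ("job::/", "package::/"):
        print(realm, evaluate(realm, dev, POLICY))
    # Change the group once, in the declaring policy; every realm follows.
    rotated = POLICY.replace('"develop.apc.users"', '"platform.apc.users"')
    print("after rotation:", evaluate("job::/", dev, rotated))
```

Two checks in the model are the ones worth carrying over to real policy: undeclared_references() flags a GC-> reference with no declaration before the policy is relied on, and evaluate() never reads the GC namespace from the requester's input claims, so the requester cannot substitute its own group or permission value for the one the policy declares.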

Securing global claims

The permissions required to author global claims are the same as for any other policy authoring. To create and edit the policy document that declares global claims, the policy author must have permit create and permit update on the policydoc resource type for the target FQN policydoc::/::<policy filename>, and must have permit update on the policy::/ realm in order to author policy on the variables::/ realm.

To reference global claims, the policy author must have policy-on-policy permission for each policy realm in which the global claim is referenced.

See also policy variable security.