Taxonomy for Policy Attributes

Last modified on June 4, 2024

Overview

This reference page provides information about the attributes supported for context-based policy.

To learn more about policy, please see the documentation:

Entities

Entities in Cedar are objects that represent principals, actions, or resources. Each entity is typically written as a type followed by a quoted identifier, in the format shown for each entity type below.

StrongDM Account

StrongDM::Account::"<ACCOUNT_ID>"

Supported properties

Property        | Description                                                                                        | Format  | Example value(s)
----------------|----------------------------------------------------------------------------------------------------|---------|----------------------------------------------------------
accountType     | Type of StrongDM account (user or service account)                                                 | String  | service or user
email           | User email address                                                                                 | String  | alice@example.com
externalId      | External ID populated from SCIM metadata, if applicable                                            | String  | alice
isManagedUser   | Whether or not the user is managed by a third-party provider                                       | Boolean | true
permissionLevel | Permission level (such as Administrator, Auditor, Team Leader, Database Administrator, or User)   | String  | admin, auditor, multi-team-leader, database-admin, user
tags            | Cedar record whose keys and values are strings                                                     | KVP     | dev

Example

// example for email
permit (
  principal,
  action,
  resource
) when {
  principal.email == "user@example.com"
};

// example for externalId
permit (
  principal,
  action,
  resource
) when {
  principal.externalId == "alice"
};

// example for isManagedUser
permit (
  principal,
  action,
  resource
) when {
  principal.isManagedUser == true
};

// example for accountType
permit (
  principal,
  action,
  resource
) when {
  principal.accountType == "service"
};

// example for permissionLevel
permit (
  principal,
  action,
  resource
) when {
  principal.permissionLevel == "admin"
};

// example for tags
permit (
  principal,
  action,
  resource
) when {
  principal.tags has env && principal.tags.env == "dev"
};

StrongDM Role

StrongDM::Role::"<ROLE_ID>"

Example

permit (
  principal in StrongDM::Role::"r-1234",
  action,
  resource
);

Entity hierarchy

StrongDM Role may be a parent of another entity, such as StrongDM Account. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, principal in StrongDM::Role::"r-1234").

StrongDM Resource

StrongDM::Resource::"<RESOURCE_ID>"

Supported properties

Property | Format       | Example value(s)
---------|--------------|-----------------
tags     | Cedar record | dev

Example

permit (
  principal,
  action,
  resource == StrongDM::Resource::"rs-1234"
) when {
  resource.tags has env && resource.tags.env == "dev"
};

External Role

External::Role::"<ROLE_NAME>"

External Role is populated from SCIM metadata, if applicable.

Example

permit (
  principal in External::Role::"admin",
  action,
  resource
);

Entity hierarchy

External Role may be a parent of another entity, such as StrongDM Account. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, principal in External::Role::"admin").

External Group

External::Group::"<GROUP_NAME>"

External Group is populated from SCIM metadata, if applicable.

Example

permit (
  principal in External::Group::"dev",
  action,
  resource
);

Entity hierarchy

External Group may be a parent of another entity, such as StrongDM Account. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, principal in External::Group::"dev").

Location Continent

Location::Continent::"<CONTINENT_CODE>"

Please use the appropriate continent code.

Example

permit (
  principal,
  action,
  resource
) when {
  context.location in Location::Continent::"NA"
};

Entity hierarchy

Location Continent may be a parent of another entity, such as Location. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, context.location in Location::Continent::"NA").

Location Country

Location::Country::"<ISO-3166-1-CODE>"

Please use the appropriate ISO-3166-1 code.

Example

permit (
  principal,
  action,
  resource
) when {
  context.location in Location::Country::"US"
};

Entity hierarchy

Location Country may be a parent of another entity, such as Location. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, context.location in Location::Country::"US").

Location Subdivision

Location::Subdivision::"<ISO-3166-2-CODE>"

Example

permit (
  principal,
  action,
  resource
) when {
  context.location in Location::Subdivision::"US-WA"
};

Entity hierarchy

Location Subdivision may be a parent of another entity, such as Location. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, context.location in Location::Subdivision::"US-WA").

Location IP

Location::IP::"<IP_ADDRESS>"

Supported properties

Property  | Format
----------|--------
latitude  | Decimal
longitude | Decimal

Example

permit (
  principal,
  action,
  resource
) when {
  context.location == Location::IP::"1.2.3.4"
};

// example for latitude
permit (
  principal,
  action,
  resource
) when {
  context.location.latitude.greaterThan(decimal("49"))
};

// example for longitude
permit (
  principal,
  action,
  resource
) when {
  context.location.longitude.lessThan(decimal("-120"))
};

Entity hierarchy

Location IP may be a parent of another entity, such as Location. Matching whether a given entity is a descendant of another entity is done through the in operator; a specific IP entity is matched with the == operator (for example, context.location == Location::IP::"1.2.3.4").

Postgres Database

Postgres::Database::"<RESOURCE_ID>/<DATABASE_NAME>"

Supported properties

Property | Format
---------|-------------
database | String
sdm.tags | Cedar record

Example

// example for database
permit (
  principal,
  action,
  resource == Postgres::Database::"rs-1234/prod"
) when {
  resource.database == "prod"
};

// example for tags
permit (
  principal,
  action,
  resource == Postgres::Database::"rs-1234/prod"
) when {
  resource.sdm.tags has env && resource.sdm.tags.env == "prod"
};

Entity hierarchy

Postgres Database may be a parent of another entity, such as Resource. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, resource in StrongDM::Resource::"rs-1234").

Principal

permit (
  principal == StrongDM::Account::"a-1234",
  action,
  resource
);

The principal referenced in StrongDM policy statements will always be a StrongDM::Account.

Resource

StrongDM Connect

StrongDM::Action::"connect"

The resource referenced in StrongDM policy statements for the connect action will always be a StrongDM::Resource.

Example

permit (
  principal,
  action == StrongDM::Action::"connect",
  resource == StrongDM::Resource::"rs-1234"
);

Postgres Action

SQL::Action
Postgres::Action

The resource referenced for SQL and Postgres actions will always be a Postgres::Database.

Example

permit (
  principal,
  action == SQL::Action::"select",
  resource == Postgres::Database::"rs-1234/prod"
);

Action

All resources

  • StrongDM::Action::"connect"

Postgres resources

  • Postgres::Action::"callFunction"
  • Postgres::Action::"executeUnknown"
  • Postgres::Action::"parse"
  • SQL::Action::"select"
  • SQL::Action::"insert"
  • SQL::Action::"update"

Supported Postgres resource types

Postgres/SQL actions are supported on all of the Postgres resource types, including:

  • Aurora PostgreSQL
  • Aurora PostgreSQL (IAM)
  • Azure Database for PostgreSQL
  • Azure PostgreSQL (Managed Identity)
  • Citus
  • CockroachDB
  • Greenplum
  • PostgreSQL
  • PostgreSQL (mTLS)
  • RDS PostgreSQL (IAM)
  • Redshift

Context

All resources

Supported context properties for all resources

Property                | Format     | Example value(s)
------------------------|------------|---------------------------
location                | Entity UID | Location::IP
network.clientIp        | IPAddr     |
network.destinationIp   | IPAddr     |
network.requestIp       | IPAddr     |
network.target.hostname | String     |
network.target.port     | Long       |
trust.ok                | Boolean    |
trust.status            | String     | bad, exempt, good, unknown

Example

permit (
  principal,
  action,
  resource
) when {
  context.location in Location::Country::"US"
};

// example for network.clientIp
permit (
  principal,
  action,
  resource
) when {
  context.network.clientIp.isInRange(ip("1.2.3.0/24"))
};

// example for network.requestIp
permit (
  principal,
  action,
  resource
) when {
  context.network.requestIp.isInRange(ip("1.2.3.0/24"))
};

// example for network.target.hostname
permit (
  principal,
  action,
  resource
) when {
  context.network.target.hostname == "db.example.com"
};

// example for network.target.port
permit (
  principal,
  action,
  resource
) when {
  context.network.target.port == 1234
};

// example for trust.ok
permit (
  principal,
  action,
  resource
) when {
  context.trust.ok == true
};

// example for trust.status
permit (
  principal,
  action,
  resource
) when {
  context.trust.status == "good"
};

Postgres resources

Supported context properties for all Postgres resources

Property                 | Format         | Example value(s)
-------------------------|----------------|-----------------------------------------------------
sql.tables               | Set of strings | ["users", "groups"] or ["prod.users", "prod.groups"]
sql.writeTables          | Set of strings |
sql.qualifiedTables      | Set of strings |
sql.qualifiedWriteTables | Set of strings |

Example

// combined example for the context properties available on all resources
// (the trailing || after the last condition would be a syntax error, so the
// last condition is left bare)
permit(principal, action, resource) when {
  context.location in Location::Country::"US" ||
  context.network.clientIp.isInRange(ip("1.2.3.0/24")) ||
  context.network.destinationIp.isInRange(ip("1.2.3.0/24")) ||
  context.network.requestIp.isInRange(ip("1.2.3.0/24")) ||
  context.network.target.hostname == "db.example.com" ||
  context.network.target.port == 1234 ||
  context.trust.ok == true ||
  context.trust.status == "good"
};

permit(principal, action == SQL::Action::"update", resource) when {
  context.sql.tables.contains("secrets") ||
  context.sql.writeTables.contains("secrets") ||
  context.sql.qualifiedTables.contains("prod.secrets") ||
  context.sql.qualifiedWriteTables.contains("prod.secrets")
};

// example for network.destinationIp
permit (
  principal,
  action,
  resource
) when {
  context.network.destinationIp.isInRange(ip("1.2.3.0/24"))
};

// example for network.requestIp
permit (
  principal,
  action,
  resource
) when {
  context.network.requestIp.isInRange(ip("1.2.3.0/24"))
};

// example for network.target.hostname
permit (
  principal,
  action,
  resource
) when {
  context.network.target.hostname == "db.example.com"
};

// example for network.target.port
permit (
  principal,
  action,
  resource
) when {
  context.network.target.port == 1234
};

// example for trust.ok
permit (
  principal,
  action,
  resource
) when {
  context.trust.ok == true
};

// example for trust.status
permit (
  principal,
  action,
  resource
) when {
  context.trust.status == "good"
};

// example for sql.tables
permit (
  principal,
  action == SQL::Action::"update",
  resource
) when {
  context.sql.tables.contains("secrets")
};

// example for sql.writeTables
permit (
  principal,
  action == SQL::Action::"update",
  resource
) when {
  context.sql.writeTables.contains("secrets")
};

// example for sql.qualifiedTables
permit (
  principal,
  action == SQL::Action::"update",
  resource
) when {
  context.sql.qualifiedTables.contains("prod.secrets")
};

// example for sql.qualifiedWriteTables
permit (
  principal,
  action == SQL::Action::"update",
  resource
) when {
  context.sql.qualifiedWriteTables.contains("prod.secrets")
};

Annotations

Annotation                | Format of value
--------------------------|----------------
@approve("<WORKFLOW_ID>") | String
@disconnect("true")       | Truthy value
@error("<REASON>")        | String
@justify("<PROMPT>")      | String
@logout("<REASON>")       | String
@mfa("<PROMPT>")          | String
@maxrows("<NUMBER>")      | String

Example

@approve("af-1234")
@credential("rs-1234")
@email("user@example.com")
@justify("Enter a reason")
@mfa("MFA required")
@maxrows("1234")
@notify("You have access!")
@disconnect("true")
@error("denied!")
@logout("unauthorized access")
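As an added example that is not part of the StrongDM documentation, the following pair of statements combines the Postgres context properties (sql.qualifiedWriteTables), the trust and location context, and the annotations from the table above into one permit/forbid pair. The role ID r-1234, the resource rs-1234/prod, the permission level database-admin and the table name prod.secrets reuse values from this page's own examples; the 10.0.0.0/8 client range and the annotation prompts are constructed.

```cedar
// Added example (not from the StrongDM docs). Members of the DBA role may
// run SELECT against the prod database, but only from a trusted device
// inside the US, after MFA and a justification, and with a capped result
// size. Values such as the role ID come from the page; prompts are made up.
@mfa("Confirm MFA to query the prod database")
@justify("Why do you need to read from prod?")
@maxrows("1000")
permit (
  principal in StrongDM::Role::"r-1234",
  action == SQL::Action::"select",
  resource == Postgres::Database::"rs-1234/prod"
) when {
  principal.permissionLevel == "database-admin" &&
  context.trust.ok == true &&
  context.location in Location::Country::"US"
};

// In Cedar a forbid always overrides a permit, so no INSERT or UPDATE that
// writes to prod.secrets succeeds from outside the (constructed) corporate
// range 10.0.0.0/8, whatever other permits the principal matches. The
// session is dropped and the user is shown the reason.
@disconnect("true")
@error("Writes to prod.secrets are only allowed from the corporate network")
forbid (
  principal,
  action in [SQL::Action::"insert", SQL::Action::"update"],
  resource
) when {
  context.sql.qualifiedWriteTables.contains("prod.secrets") &&
  !context.network.clientIp.isInRange(ip("10.0.0.0/8"))
};
```

Whether several annotations may be stacked on one statement follows the page's own annotation example; which annotations StrongDM honours together on a forbid statement is an assumption to verify against the current product documentation.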