Abbey Docs
  • 👋Welcome
  • Getting Started
    • Quickstart
    • Step-by-Step Tutorials
      • AWS: Managing Access to Identity Center Groups
      • AWS: Managing Access to Identity Center Permission Sets
      • AWS: Managing Access to IAM Groups
      • Azure AD: Managing Access to Groups
      • Confluent: Managing Access to Kafka ACLs
      • Databricks: Managing Access to Managed Tables in Unity Catalog
      • Databricks: Managing Access to Groups
      • GitHub: Managing Access to Teams
      • Google Cloud: Managing Access to Groups
      • Google Workspace: Managing Access to Google Groups
      • Kafka: Managing Access to ACLs
      • Okta: Managing Access to Groups
      • Postgres: Managing Access to Roles
      • Snowflake: Managing Access to Tables
      • Tabular: Managing Access to Apache Iceberg Roles
      • Tailscale: Managing Access to ACLs
      • Vault: Managing Access to Groups and Policies
      • Integrating Abbey with Terraform Cloud
      • Using Abbey with Atlantis
      • Using Abbey with Spacelift
    • Starter Kits
  • How Abbey Works
    • How Abbey Works
    • Key Concepts
  • Build a Grant Kit
    • Get a Starter Kit
    • Connect a Repo
    • Create a Grant Kit
    • Link Identities
    • Write Access Policies
    • Deploy Your Grant Kit
    • Request Access
    • Approve or Deny Access Requests
  • Use Cases
    • Time-Based Access
      • Expire After a Duration
      • Expire At a Specific Time
    • Approval Workflows
      • Using a Single Approval Step
      • Using Multiple Approval Steps
      • Conditionally Skip Approval Steps
  • Admin
    • User Roles
    • Sign-in and MFA
      • Sign-in Methods
      • Multifactor Authentication (MFA)
      • Enabling Single Sign-On
    • Sources
      • PagerDuty
      • Directory Sync
    • End User Notifications
    • Manage API Tokens
  • Reference
    • Grant Kits
      • Workflows
      • Policies
      • Outputs
    • Referencing Users and Groups
    • Linking Application Identities into Abbey
      • Why do I need to link application identities?
      • How do I Link Application Identities?
      • Supported Application Identity Types and Schemas
      • Application Data Object
    • Access Policies
      • Types of Access Policies
      • Policy Bundles
      • Inline Policies
      • Helper Functions
      • Policy Examples
    • Terms of Service
    • FAQ
      • Troubleshooting
  • Resources
    • Abbey Labs
    • Terraform Registry
    • GitHub
    • System Status
    • Privacy Policy
    • Logo
Powered by GitBook
On this page
  • in_group(group_name)
  • has_attribute(attribute_name, attribute_value)
  • expire_at(ts)
  • expire_after(duration)
  1. Reference
  2. Access Policies

Helper Functions

PreviousInline PoliciesNextPolicy Examples

Last updated 1 year ago

Abbey has created a number of helper functions to help write policies. First you need to write import data.abbey.functions to import the helper functions and then you can start using any helper function you'd like.

in_group(group_name)

The in_group function tests whether an Abbey user belongs to a certain group. To check whether a user is in a group named Engineering, you can write in_group("Engineering").

Look for the source.

has_attribute(attribute_name, attribute_value)

The has_attribute function tests whether an Abbey user has a certain attribute. For example, to check if a user has an Employee Type of IC, you can write has_attribute("employee_type", "IC"). attribute_name can be the name of any attribute on a user from your IDP and attribute_value can be any string.

Look for the source.

expire_at(ts)

The expire_at function denies a policy at a certain timestamp ts. For example, if you write expire_at("2023-01-01T02:00:00Z"), then this will deny the policy at any time after 2023-01-01T02:00:00Z. Abbey continues to check for whether a policy will be expiring at a later date, allowing you to write time-based expiry policies.

Look for the source.

expire_after(duration)

The expire_after function denies a policy after a certain amount of time has passed. For example, to deny a policy after 30 minutes, you can write expire_after("30m"). Like expire_at, Abbey continues to check whether an expire_after policy has expired so that policies will actually deny after their given time.

The duration argument needs an integer concatenated with a unit, so something like 30s, 60m, 3h, or 1d. The exact duration syntax is documented .

Look for the source.

here
here
here
here
here