Policy Examples

The following are some examples of policies. These policies can be copied inline into a grant kit or be placed into a Policy Bundle and used with Abbey. The source code for all Abbey Rego functions can be found in our Policy Library Repository.

Table of Contents

Role-Based Access Control

Attribute-Based Access Control

Time-Based Expiry

Confirm if User is On-Call in PagerDuty for Access

Role-Based Access Control

This example policy evaluates to true when the user has a certain role. We model these roles as groups that the user is part of. This policy checks whether a user is in the group Engineering, but you can check if the user is in any group you would like.

import data.abbey.functions

allow[msg] {
    functions.in_group("Engineering")
    msg := "granting access"
}

Attribute-Based Access Control

This example policy evaluates to true when the user has a certain attribute. We want to check whether the Cost Center associated with the given user is Engineering. To do this, we check whether the attribute cost_center_name is Engineering.

import data.abbey.functions

allow[msg] {
    functions.has_attribute("cost_center_name", "Engineering")
    msg := "is engineering cost center"
}

Time-Based Expiry

This example policy evaluates to false after 60 minutes have passed, so access is revoked at the end of the 60-minute period. The duration can be modified as needed for longer or shorter access. Hours can be entered using syntax like "1h" for 1 hour.

import data.abbey.functions

allow[msg] {
    functions.expire_after("60m")
    msg := "granting access for 60 minutes"
}

Confirm if User is On-Call in PagerDuty for Access

This example policy approves an access request if the user is on-call in PagerDuty.

allow[msg] {
    data.user.pagerduty.isoncall
    msg := "allowing on-call engineers"
}

This policy reads the on-call status directly from data.user.pagerduty.isoncall and does not make use of any Abbey functions.
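The examples above can be combined in one policy. Expressions inside a single rule body are ANDed, while separate allow rules with the same name are ORed, so the following added example (not taken from Abbey's Policy Library) grants time-bound access to on-call engineers and, separately, short-lived access to members of the Engineering cost center. It assumes the same functions and data paths shown on this page.

```rego
import data.abbey.functions

# Rule 1: every line in the body must hold (AND).
# An on-call PagerDuty responder who is also in the Engineering group
# gets access, but only for a 4-hour window.
allow[msg] {
    data.user.pagerduty.isoncall
    functions.in_group("Engineering")
    functions.expire_after("4h")
    msg := "granting 4h access to on-call Engineering responder"
}

# Rule 2: a second allow rule is an alternative path (OR).
# Anyone whose cost center is Engineering gets a 60-minute grant,
# whether or not they are on-call.
allow[msg] {
    functions.has_attribute("cost_center_name", "Engineering")
    functions.expire_after("60m")
    msg := "granting 60m access to Engineering cost center"
}
```

Once the expire_after window in a matched rule elapses, that rule stops contributing to allow and the grant is revoked unless another rule still matches.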
