
Policy Examples


Last updated 1 year ago

The following are some example policies. Each one can be copied inline into a Grant Kit or placed into a Policy Bundle and used with Abbey. The source code for all Abbey Rego helper functions can be found in our Policy Library Repository.

Table of Contents

Role-Based Access Control

Attribute-Based Access Control

Time-Based Expiry

Confirm if User is On-Call in PagerDuty for Access

Role-Based Access Control

This example policy evaluates to true when the user holds a certain role. Roles are modelled as groups the user belongs to. The policy below checks whether the user is in the group Engineering, but any group name can be substituted.

import data.abbey.functions

allow[msg] {
    # true only when the requesting user is a member of the "Engineering" group
    functions.in_group("Engineering")
    msg := "granting access"
}

Information about in_group can be found at .

Attribute-Based Access Control

This example policy evaluates to true when the user has a certain attribute. Here we want to check whether the Cost Center associated with the user is Engineering, so we check whether the attribute cost_center_name has the value Engineering.

import data.abbey.functions

allow[msg] {
    # true only when the user's cost_center_name attribute equals "Engineering"
    functions.has_attribute("cost_center_name", "Engineering")
    msg := "is engineering cost center"
}

The above example can be modified for other attributes if needed. Information about has_attribute can be found at .

Time-Based Expiry

This example policy evaluates to true for 60 minutes and to false once that period has passed, so access is revoked at the end of the 60-minute window. The duration can be changed for longer or shorter access; hours use the same syntax, for example "1h" for 1 hour.

import data.abbey.functions

allow[msg] {
    # stops evaluating to true 60 minutes after the grant, which revokes access
    functions.expire_after("60m")
    msg := "granting access for 60 minutes"
}

Information about expire_after can be found at .

Confirm if User is On-Call in PagerDuty for Access

This example policy approves an access request if the user is currently on-call in PagerDuty.

allow[msg] {
    # reads the on-call flag from the PagerDuty source on the user's data object
    data.user.pagerduty.isoncall
    msg := "allowing on-call engineers"
}

This policy does not use any Abbey helper functions; it reads the PagerDuty on-call flag directly from the user's data object.
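The examples above each check one condition. The policy below is an added example (not one of the documented Abbey examples) showing how the same helper functions combine: expressions inside one allow rule body are ANDed, and separate allow rules are ORed, so the first rule grants short-lived access only to Engineering members who are on-call, while the second grants an even shorter window based on cost center alone. It follows the page's inline-policy layout (no package clause) and assumes the helper functions and the data.user.pagerduty.isoncall field behave as described above.

```rego
import data.abbey.functions

# Rule 1: every line in the body must hold (logical AND).
# Engineering group membership AND PagerDuty on-call AND within 2 hours of the grant.
allow[msg] {
    functions.in_group("Engineering")
    data.user.pagerduty.isoncall
    functions.expire_after("2h")
    msg := "granting on-call engineer access for 2 hours"
}

# Rule 2: a second allow rule is an alternative path (logical OR with rule 1).
# Anyone in the Engineering cost center gets a 30 minute window, on-call or not.
allow[msg] {
    functions.has_attribute("cost_center_name", "Engineering")
    functions.expire_after("30m")
    msg := "granting engineering cost center access for 30 minutes"
}
```

Because each rule carries its own expire_after call, the access duration depends on which path was satisfied; a user matching both rules sees both messages, and access ends when the last satisfied rule stops evaluating to true.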
