search

Policy Examples

The following are some examples of policies. These policies can be copied inline into a grant kit or be placed into a Policy Bundle and used with Abbey. The source code for all Abbey Rego functions can be found in our Policy Library Repositoryarrow-up-right.

hashtag
Table of Contents

Role-Based Access Control

Attribute-Based Access Control

Time-Based Expiry

Confirm if User is On-Call in PagerDuty for Access

hashtag
Role-Based Access Control

This example policy evaluates to true when the user has a certain role. We model these roles as groups that the user is part of. This policy checks whether a user is in the group Engineering, but you can check if the user is in any group you would like.

import data.abbey.functions

allow[msg] {
    functions.in_group("Engineering")
    msg := "granting access"
}

Information about in_group can be found at in_group(group_name).

hashtag
Attribute-Based Access Control

This example policy evaluates to true when the user has a certain attribute. We want to check whether the Cost Center associated with the given user is Engineering. To do this, we check whether the attribute cost_center_name is Engineering.

The above example can be modified for other attributes if needed. Information about has_attribute can be found at has_attribute(attribute_name, attribute_value).

hashtag
Time-Based Expiry

This example policy evaluates to false after 60 minutes have passed. Access is revoked at the end of the 60 minute time period. The time can be modified as needed for longer or shorter access durations. Hours can be entered in using syntax like "1h" for 1 hour.

Information about expire_after can be found at expire_after(duration).

hashtag
Confirm if User is On-Call in PagerDuty for Access

This example policy approves an access request if the user is on-call in PagerDuty.

This does not make use of any Abbey functions.

PreviousHelper FunctionsNextTerms of Service

Last updated