User-Defined Policies

What Are User-Defined Policies?

User-defined policies allow you to fine-tune access control by specifying exactly which parts of the system a user can access. While permissions provide broad access (e.g., the ability to view all records in the system), user-defined policies let you narrow those permissions to a specific data source, profile, relationship definition, partition, etc. In effect, user-defined policies extend system-defined permissions by adding constraints that limit the scope of access more granularly.

For example, this level of control is useful when you need to:

  • Allow a user to access only one data source out of many
  • Limit editing to a specific relationship type
  • Restrict bulk operations to a single resource type or data source
  • Control which partitions a team or service account can view

How It Works

Some permissions in our system follow a structured pattern, like this:

"datasource/{sourceKey}:ListProfile"

By default, if a user’s role includes this permission, they can list profiles in any data source. With user-defined policies, you can constrain this permission by specifying the entity explicitly. Using the permission above as an example, we could create a policy that allows a user to list profiles only in the data source source-a.

{
	"referencePermission": "datasource/{sourceKey}:ListProfile",
	"params": {
		"sourceKey": "source-a"
	}
}

If a user with a role containing this policy attempts to list another data source’s profiles (for instance, source-b), they will receive an “unauthorized” response.
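The sketch below shows how a policy of this shape can be evaluated against a request. It is an added example, not the product's own evaluator. It assumes the requested action arrives as a concrete string such as "datasource/source-b:ListProfile", and the names bind_params and is_allowed are hypothetical.

```python
import re

# Constructed policy, same shape as the example on this page.
POLICY = {
    "referencePermission": "datasource/{sourceKey}:ListProfile",
    "params": {"sourceKey": "source-a"},
}

_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def bind_params(template, concrete):
    """Match a concrete permission string against a permission template.

    Returns the placeholder values as a dict, or None if the string does
    not fit the template. Assumption: values never contain '/' or ':',
    so one placeholder cannot swallow extra path segments.
    """
    pattern, pos = "", 0
    for m in _PLACEHOLDER.finditer(template):
        pattern += re.escape(template[pos:m.start()])
        pattern += "(?P<%s>[^/:]+)" % m.group(1)
        pos = m.end()
    pattern += re.escape(template[pos:])
    match = re.fullmatch(pattern, concrete)
    return match.groupdict() if match else None


def is_allowed(policies, concrete):
    """Default deny: allow only when some policy's template matches and
    the policy pins every placeholder to the requested value. Treating an
    unpinned placeholder as a deny is this sketch's fail-closed choice."""
    for policy in policies:
        bound = bind_params(policy["referencePermission"], concrete)
        if bound is None:
            continue
        pinned = policy.get("params", {})
        if all(pinned.get(name) == value for name, value in bound.items()):
            return True
    return False
```

Matching the whole string and excluding separators from placeholder values keeps a request like "datasource/source-a/x:ListProfile" from being treated as source-a.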