
User-Defined Policies

What Are User-Defined Policies?

User-defined policies allow you to fine-tune access control by specifying exactly which parts of the system an identity can access. While permissions provide broad access (for example, the ability to view all records in the system), user-defined policies let you narrow those permissions to a specific data source, profile, relationship definition, partition, and more. In effect, user-defined policies extend system-defined permissions by adding constraints that limit the scope of access more granularly. This level of control is useful when you need to:
  • Allow a user to access only one data source out of many
  • Limit editing to a specific relationship type
  • Restrict bulk operations to a single resource type or data source
  • Control which partitions a team or service account can view

How It Works

Some permissions in our system follow a structured pattern, like this:
"datasource/{sourceKey}:ListProfile"
By default, if a user’s role includes this permission, they can list profiles in any data source. With user-defined policies, you can constrain this permission by specifying the entity explicitly. Using the permission above as an example, we could create a policy that allows the user to list profiles only in the data source source-a.
Example (JSON):
{
  "referencePermission": "datasource/{sourceKey}:ListProfile",
  "params": {
    "sourceKey": "source-a"
  }
}
If a user with a role containing this policy attempts to list another data source’s profiles (for instance, source-b), they will receive an “unauthorized” response.
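The check described above, sketched as an added example (not the product's own code). It assumes a request is expressed as the permission pattern with the placeholder filled in, such as datasource/source-b:ListProfile; the function names compile_template and is_allowed and the sample requests are hypothetical.

```python
import re

# The policy shown on this page; everything else is a constructed illustration.
POLICY = {
    "referencePermission": "datasource/{sourceKey}:ListProfile",
    "params": {"sourceKey": "source-a"},
}

_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def compile_template(template):
    """Turn 'datasource/{sourceKey}:ListProfile' into a regex.

    Literal text is escaped; each placeholder matches a single segment
    (no '/' or ':'), so a value cannot spill into the rest of the permission.
    """
    parts, pos = [], 0
    for m in _PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append(f"(?P<{m.group(1)}>[^/:]+)")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))


def is_allowed(policy, requested):
    """True only if `requested` fits the template exactly AND every
    parameter pinned in policy['params'] equals the requested value."""
    m = compile_template(policy["referencePermission"]).fullmatch(requested)
    if m is None:
        return False  # different permission or malformed request: deny
    bound = m.groupdict()
    # Assumption: a placeholder the policy does not pin stays unconstrained;
    # a pinned name that is absent from the template never matches (deny).
    return all(bound.get(k) == v for k, v in policy.get("params", {}).items())


if __name__ == "__main__":
    # Constructed sample requests.
    for req in ("datasource/source-a:ListProfile",
                "datasource/source-b:ListProfile",
                "datasource/source-aa:ListProfile",
                "datasource/source-a/source-b:ListProfile"):
        verdict = "allowed" if is_allowed(POLICY, req) else "unauthorized"
        print(f"{req} -> {verdict}")
```

Comparing the bound value for equality, rather than by prefix or substring, is what keeps source-aa from being treated as source-a.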
I