Policy Use Cases
Last modified on October 16, 2024
This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.
Overview
This page describes common use cases for policies and provides example policy statements for each of them.
- Forbid access for all except a role for a tagged resource
- Restrict access to sensitive resources
- Allow only Postgres-supported actions on specified resources
- Deny all actions on the production DB originating outside of the U.S.
- Limit query result set and display notification for operator role
- Allow all actions on Postgres resources
- Permit access only during business hours
To learn how to create policy statements, please see Policy Creation.
Forbid Access for All Except a Role for a Tagged Resource
As an administrator, I want to restrict access so that only a specified user group or subset of users can perform all actions on development databases, while having read-only access to production databases.
Example policy statements
// forbid all access
// unless the user has the `devDBUsers` role
// and the resource is tagged with `env` and `env=dev`
permit (
  principal in StrongDM::Role::"devDBUsers",
  action,
  resource
) when {
  resource.sdm.tags has env && resource.sdm.tags.env == "dev"
};

// alternative 1: permit access for principals
// that have the `devDBUsers` role and
// want to perform specific actions in SQL
// and when the resource is tagged with `env` and `env=prod`
permit (
  principal in StrongDM::Role::"devDBUsers",
  action in [
    SQL::Action::"select",
    SQL::Action::"with",
    SQL::Action::"values",
    SQL::Action::"show",
    SQL::Action::"set"
  ],
  resource
) when {
  resource.sdm.tags has env && resource.sdm.tags.env == "prod"
};

// alternative 2: permit access for a principal
// who has the `devDBUsers` role
// when the resource is tagged with `env` and `env=prod`
// unless the principal is trying to write to SQL tables
permit (
  principal in StrongDM::Role::"devDBUsers",
  action,
  resource
) when {
  resource.sdm.tags has env && resource.sdm.tags.env == "prod"
} unless {
  context.sql has "writeTables"
};

// or forbid principals with the `devDBUsers` role
// when trying to write to SQL tables
// when the resource is tagged with `env` and `env=prod`
forbid (
  principal in StrongDM::Role::"devDBUsers",
  action,
  resource
) when {
  context.sql has "writeTables" &&
  resource.sdm.tags has env && resource.sdm.tags.env == "prod"
};
Restrict Access to Sensitive Resources
As an administrator, I want to forbid access to run queries against databases tagged as “sensitive” unless the user or group has the “Sensitive DB Group” role.
Example policy statement
forbid (
  principal,
  action,
  resource
) when {
  resource.sdm.tags has sensitive
} unless {
  principal in StrongDM::Role::"Sensitive DB Group"
};
Allow Only Postgres-Supported Actions on Specified Resources
As an administrator, I want to allow the user to run Postgres-supported actions only on the databases specified in the policy, and otherwise forbid all the actions on other resources.
Example Permit statement
permit (
  principal,
  action,
  resource == Postgres::Database::"r-1234/web"
);
Example Forbid statement
forbid (
  principal,
  action,
  resource
) when {
  // list accepted resources here
  resource != Postgres::Database::"r-1234/web"
};
Deny All Actions on the Production DB Originating Outside of the US
As an administrator, I want to restrict all activities on myProdDB for any client connections that are not from the US.
Example Forbid statement
forbid (
  principal,
  action,
  resource == StrongDM::Resource::"myProdDB"
) when {
  // sets "is not in" that country
  !(context has location && context.location in Location::Country::"US")
};
Example Permit statement
permit (
  principal,
  action,
  resource == StrongDM::Resource::"myProdDB"
) unless {
  !(context.location in Location::Country::"US")
};
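The following added example (not StrongDM's code) models in Python how the Forbid and Permit statements above behave next to other statements, assuming the decision rules of the Cedar policy language, whose syntax these statements use: a statement whose condition errors is skipped, any satisfied forbid denies, otherwise a satisfied permit allows, otherwise the request is denied. The shape of the location record, the `broad_permit` stand-in and all function names are assumptions made for illustration.

```python
# Simplified model of the decision rules, not a policy engine.
class Missing(Exception):
    """Stands in for the evaluation error raised by a missing attribute."""

def in_us(context):
    # models: context.location in Location::Country::"US"
    if "location" not in context:
        raise Missing("location")
    return context["location"]["country"] == "US"

def geo_forbid(resource, context):
    # forbid ... when { !(context has location && context.location in US) }
    return resource == "myProdDB" and not ("location" in context and in_us(context))

def geo_permit(resource, context):
    # permit ... unless { !(context.location in US) }
    return resource == "myProdDB" and not (not in_us(context))

def broad_permit(resource, context):
    # hypothetical unrelated statement: permit (principal, action, resource);
    return True

def decide(policies, resource, context):
    satisfied = set()
    for effect, condition in policies:
        try:
            if condition(resource, context):
                satisfied.add(effect)
        except Missing:
            continue  # an errored statement contributes nothing
    if "forbid" in satisfied:
        return "Deny"
    return "Allow" if "permit" in satisfied else "Deny"

# Constructed sample contexts (the record shape is an assumption).
CONTEXTS = {"US": {"location": {"country": "US"}},
            "DE": {"location": {"country": "DE"}},
            "missing": {}}

def decision_table(policies, resource="myProdDB"):
    return {name: decide(policies, resource, ctx) for name, ctx in CONTEXTS.items()}

PERMIT_ONLY = [("permit", geo_permit), ("permit", broad_permit)]
WITH_FORBID = PERMIT_ONLY + [("forbid", geo_forbid)]

if __name__ == "__main__":
    print("permit only:", decision_table(PERMIT_ONLY))
    print("with forbid:", decision_table(WITH_FORBID))
```

With only permit statements, the geographic condition stops mattering as soon as any other permit matches the request. The forbid statement denies non-US and location-less connections regardless of which permits exist.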
Limit Query Result Set and Display Notification for Operator Role
As an administrator, I want to restrict SQL query results to a maximum of 100 rows for users with the “Operator” role. A notification must be shown to the client indicating that the result set is limited to 100 rows.
Example policy statement
// restricts queries to returning no more than
// the defined number of rows
@maxrows("100")
// notifies the client about the row limit
@notify("queries are limited to 100 rows")
// without additional restrictions,
// this permits StrongDM operators to execute all actions
permit (
  principal in StrongDM::Role::"operator",
  action,
  resource
) unless {
  principal in StrongDM::Role::"admin"
};
Allow All Actions on Postgres Resources
Some users who need to work with Postgres resources need to be able to conduct most or all actions against that type of resource. I want to allow all actions against Postgres databases for users with the specified role, and if necessary, be able to forbid particular sensitive actions.
Example Permit statement
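permit (
  principal in StrongDM::Role::"r-1caa595464152e78",
  action,
  // `is` matches every resource of the Postgres::Database type;
  // `==` would require a specific resource ID
  resource is Postgres::Database
);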
Permit Access Only During Business Hours
As an administrator, I want users to access resources during business hours (9 a.m. to 5 p.m. UTC) on weekdays (Monday through Friday) only.
Example Permit statement
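permit (
  principal,
  action,
  resource
)
when {
  // weekday numbers used here for Monday through Friday
  [2,3,4,5,6].contains(context.utcNow.dayOfWeek) &&
  // hour 9 is included, so the window is 09:00 to 16:59 UTC
  context.utcNow.timestamp.toTime().toHours() >= 9 &&
  context.utcNow.timestamp.toTime().toHours() < 17
};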