Policy Use Cases

Last modified on December 6, 2024

Overview

This page describes common use cases for policies and provides example policy statements for each of them.

To learn how to create policy statements, please see Policy Creation.

Forbid Access for All Except a Role for a Tagged Resource

As an administrator, I want to restrict access so that only a specified user group or subset of users can perform all actions on development databases, while having read-only access to production databases.

Example policy statements

// forbid all access
// unless the user has the `devDBUsers` role
// and the resource is tagged with `env` and `env=dev`

permit (
  principal in StrongDM::Role::"devDBUsers",
  action,
  resource
) when {
  resource.sdm.tags has env && resource.sdm.tags.env == "dev"
};

// alternative 1: permit access for principals
// that have the `devDBUsers` role and
// want to perform specific actions in SQL
// and when the resource is tagged with `env` and `env=prod`

permit (  
  principal in StrongDM::Role::"devDBUsers",
  action in [  
    SQL::Action::"select",  
    SQL::Action::"with",  
    SQL::Action::"values",  
    SQL::Action::"show",  
    SQL::Action::"set"  
  ],  
  resource
) when {  
  resource.sdm.tags has env && resource.sdm.tags.env == "prod"  
};

// alternative 2: permit access for a principal
// who has the `devDBUsers` role
// when the resource is tagged with `env` and `env=prod`
// unless the principal is trying to write to SQL tables

permit (
  principal in StrongDM::Role::"devDBUsers",
  action,
  resource
) when {
  resource.sdm.tags has env && resource.sdm.tags.env == "prod"
} unless {
  context.sql has "writeTables"
};

// or forbid principals with the `devDBUsers` role
// when trying to write to SQL tables
// when the resource is tagged with `env` and `env=prod`

forbid (
  principal in StrongDM::Role::"devDBUsers",
  action,
  resource
) when {
  context.sql has "writeTables" &&
  resource.sdm.tags has env && resource.sdm.tags.env == "prod"
} ;

Restrict Access to Sensitive Resources

As an administrator, I want to forbid access to run queries against databases tagged as “sensitive” unless the user or group has the “Sensitive DB Group” role.

Example policy statement

forbid (
  principal,
  action,
  resource
) when {
  resource.sdm.tags has sensitive
} unless {
  principal in StrongDM::Role::"Sensitive DB Group"
};

Allow Only Postgres-Supported Actions on Specified Resources

As an administrator, I want to allow the user to run Postgres-supported actions only on the databases specified in the policy, and otherwise forbid all the actions on other resources.

Example Permit statement

permit (
  principal,
  action,
  resource == Postgres::Database::"r-1234/web"
);

Example Forbid statement

forbid (
  principal,
  action,
  resource
) when {
  // list accepted resources here
  resource != Postgres::Database::"r-1234/web"
};

Deny All Actions on the Production DB Originating Outside of the US

As an administrator, I want to restrict all activities on myProdDB for any client connections that are not from the US.

Example Forbid statement

forbid (
  principal,
  action,
  resource == StrongDM::Resource::"myProdDB"
) when {
// sets "is not in" that country
  !(context has location && context.location in Location::Country::"US")
};

Example Permit statement

permit (
  principal,
  action,
  resource == StrongDM::Resource::"myProdDB"
) unless {
  !(context.location in Location::Country::"US")
} ;

Limit Query Result Set and Display Notification for Operator Role

As an administrator, I want to restrict SQL query results to a maximum of 100 rows for users with the “Operator” role. A notification must be shown to the client indicating that the result set is limited to 100 rows.

Example policy statement

// restricts queries to returning no more than
// the defined number of rows
@maxrows("100")
// notifies the client about the row limit
@notify("queries are limited to 100 rows")
// without additional restrictions,
// this permits StrongDM operators to execute all actions
permit (
  principal in StrongDM::Role::"operator",
  action,
  resource
) unless {
  principal in StrongDM::Role::"admin"
};

Allow All Actions on Postgres Resources

Some users who need to work with Postgres resources need to be able to conduct most or all actions against that type of resource. I want to allow all actions against Postgres databases for users with the specified role, and if necessary, be able to forbid particular sensitive actions.

Example Permit statement

permit (
  principal in StrongDM::Role::"r-1caa595464152e78",
  action,
  resource == Postgres::Database
);

Permit Access Only During Business Hours Not in December

As an administrator, I want users to access resources during business hours (9 a.m. to 5 p.m. UTC) on weekdays (Monday through Friday) only. I want this rule to exempt December, since our example engineering team has a change freeze during December.

Example Permit statement

permit (
  principal,
  action,
  resource
)
when {
  context.utcNow.month != 12 &&
  [2,3,4,5,6].contains(context.utcNow.dayOfWeek) &&
  context.utcNow.timestamp.toTime().toHours() > 9 &&
  context.utcNow.timestamp.toTime().toHours() < 17
};
Top