Policy Use Cases

Last modified on June 25, 2024

Overview

This page describes common use cases for policies and provides example policy statements for each of them.

To learn how to create policy statements, please see Policy Creation.

Forbid Access for All Except a Role for a Tagged Resource

As an administrator, I want to restrict access so that only a specified user group or subset of users can perform all actions on development databases, while having read-only access to production databases.

Example policy statements

// forbid all access
// unless the user has the `devDBUsers` role
// and the resource is tagged with `env` and `env=dev`

permit (
  principal in StrongDM::Role::"devDBUsers",
  action,
  resource
) when {
  resource.sdm.tags has env && resource.sdm.tags.env == "dev"
};

// alternative 1: permit access for principals
// that have the `devDBUsers` role and
// want to perform specific actions in SQL
// and when the resource is tagged with `env` and `env=prod`

permit (
  principal in StrongDM::Role::"devDBUsers",
  action in [
    SQL::Action::"select",
    SQL::Action::"with",
    SQL::Action::"values",
    SQL::Action::"show",
    SQL::Action::"set"
  ],
  resource
) when {
  resource.sdm.tags has env && resource.sdm.tags.env == "prod"
};

// alternative 2: permit access for a principal
// who has the `devDBUsers` role
// when the resource is tagged with `env` and `env=prod`
// unless the principal is trying to write to SQL tables

permit (
  principal in StrongDM::Role::"devDBUsers",
  action,
  resource
) when {
  resource.sdm.tags has env && resource.sdm.tags.env == "prod"
} unless {
  context.sql has "writeTables"
};

// or forbid principals with the `devDBUsers` role
// when trying to write to SQL tables
// when the resource is tagged with `env` and `env=prod`

forbid (
  principal in StrongDM::Role::"devDBUsers",
  action,
  resource
) when {
  context.sql has "writeTables" &&
  resource.sdm.tags has env && resource.sdm.tags.env == "prod"
};

Restrict Access to Sensitive Resources

As an administrator, I want to forbid access to run queries against databases tagged as “sensitive” unless the user or group has the “Sensitive DB Group” role.

Example policy statement

forbid (
  principal,
  action,
  resource
) when {
  resource.sdm.tags has sensitive
} unless {
  principal in StrongDM::Role::"Sensitive DB Group"
};

Allow Only Postgres-Supported Actions on Specified Resources

As an administrator, I want to allow the user to run Postgres-supported actions only on the databases listed in the policy, and to forbid all actions on any other resource.

Example Permit statement

permit (
  principal,
  action,
  resource == Postgres::Database::"r-1234/web"
);

Example Forbid statement

forbid (
  principal,
  action,
  resource
) when {
  // list accepted resources here
  resource != Postgres::Database::"r-1234/web"
};

Deny All Actions on the Production DB Originating Outside of the US

As an administrator, I want to restrict all activities on myProdDB for any client connections that are not from the US.

Example Forbid statement

forbid (
  principal,
  action,
  resource == StrongDM::Resource::"myProdDB"
) when {
  // true when the connection is not known to be in that country
  !(context has location && context.location in Location::Country::"US")
};

Example Permit statement

permit (
  principal,
  action,
  resource == StrongDM::Resource::"myProdDB"
) unless {
  !(context.location in Location::Country::"US")
};
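The two statements above, and the tagged-resource statements earlier on this page, only make sense once you know how permit and forbid results are combined. The following is an added example, not StrongDM's code or part of the original page: a small Python model that assumes the Cedar decision rule the StrongDM policy language follows (any satisfied forbid denies, otherwise a satisfied permit allows, otherwise deny) and runs constructed sample requests through the devDBUsers policies and the myProdDB location policies. Role membership, `resource.sdm.tags`, `context.sql` and `Location::Country::"US"` are modelled as plain Python values, which is a simplification of the real evaluator; the `Request`, `Policy` and `decide` names are this example's own.

```python
# Added example (not StrongDM's code): toy model of permit/forbid combining.
# Assumes the Cedar rule: a satisfied forbid denies, otherwise a satisfied
# permit allows, otherwise the request is denied by default.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass
class Request:
    principal: str
    roles: FrozenSet[str]        # stands in for `principal in StrongDM::Role::...`
    action: str
    resource: str
    tags: Dict[str, str]         # stands in for `resource.sdm.tags`
    context: Dict[str, object]   # stands in for `context`


class MissingAttribute(Exception):
    """A policy read a context attribute that is absent from the request."""


def ctx(req: Request, key: str):
    # Models `context.key` with no preceding `has` guard: reading a missing
    # attribute is an evaluation error, not a false value.
    if key not in req.context:
        raise MissingAttribute(key)
    return req.context[key]


@dataclass
class Policy:
    effect: str                                   # "permit" or "forbid"
    scope: Callable[[Request], bool]              # principal/action/resource clause
    when: Callable[[Request], bool] = lambda r: True
    unless: Callable[[Request], bool] = lambda r: False

    def satisfied(self, req: Request) -> bool:
        try:
            return self.scope(req) and self.when(req) and not self.unless(req)
        except MissingAttribute:
            return False   # a policy whose condition errors is not satisfied


def decide(policies: List[Policy], req: Request) -> str:
    hits = [p for p in policies if p.satisfied(req)]
    if any(p.effect == "forbid" for p in hits):
        return "deny"      # forbid overrides any permit
    if any(p.effect == "permit" for p in hits):
        return "allow"
    return "deny"          # default deny: nothing permitted the request


# --- "Forbid Access for All Except a Role for a Tagged Resource" -----------
def is_dev_db_user(r: Request) -> bool:
    return "devDBUsers" in r.roles


def env_is(value: str) -> Callable[[Request], bool]:
    # `resource.sdm.tags has env && resource.sdm.tags.env == value`
    return lambda r: "env" in r.tags and r.tags["env"] == value


def writes_tables(r: Request) -> bool:
    # `context.sql has "writeTables"`; context.sql modelled as a dict
    return "sql" in r.context and "writeTables" in r.context["sql"]


DEV_DB_POLICIES = [
    Policy("permit", scope=is_dev_db_user, when=env_is("dev")),
    Policy("permit", scope=is_dev_db_user, when=env_is("prod"), unless=writes_tables),
    Policy("forbid", scope=is_dev_db_user,
           when=lambda r: writes_tables(r) and env_is("prod")(r)),
]

# --- "Deny All Actions on the Production DB Originating Outside of the US" --
def is_prod_db(r: Request) -> bool:
    return r.resource == "myProdDB"


LOCATION_POLICIES = [
    # forbid ... when { !(context has location && context.location in Location::Country::"US") }
    Policy("forbid", scope=is_prod_db,
           when=lambda r: not ("location" in r.context and r.context["location"] == "US")),
    # permit ... unless { !(context.location in Location::Country::"US") }  (no `has` guard)
    Policy("permit", scope=is_prod_db,
           unless=lambda r: not (ctx(r, "location") == "US")),
]


def dev_request(action: str, env: str, sql: Dict[str, object],
                roles=("devDBUsers",)) -> Request:
    # Constructed sample request against a database tagged env=<env>.
    return Request("alice", frozenset(roles), action, "db-1", {"env": env}, {"sql": sql})


def prod_request(location: Optional[str] = None) -> Request:
    # Constructed sample request against myProdDB, with or without a location.
    context = {} if location is None else {"location": location}
    return Request("bob", frozenset(), "select", "myProdDB", {"env": "prod"}, context)


if __name__ == "__main__":
    print(decide(DEV_DB_POLICIES, dev_request("select", "dev", {})))                        # allow
    print(decide(DEV_DB_POLICIES, dev_request("select", "prod", {})))                       # allow
    print(decide(DEV_DB_POLICIES, dev_request("update", "prod", {"writeTables": ["t"]})))  # deny
    print(decide(DEV_DB_POLICIES, dev_request("select", "dev", {}, roles=())))             # deny
    print(decide(LOCATION_POLICIES, prod_request("US")))                                   # allow
    print(decide(LOCATION_POLICIES, prod_request("DE")))                                   # deny
    print(decide(LOCATION_POLICIES, prod_request()))                                       # deny
```

The last case is the one worth watching: a request that carries no `location` at all. The forbid statement guards its attribute access with `context has location`, so it evaluates cleanly and denies. The permit statement's `unless` reads `context.location` unguarded, so it errors and is simply not satisfied; on its own it would neither allow nor deny such a request, and the outcome would fall back to the default deny. Writing the `has` guard, as the forbid does, keeps the decision explicit rather than relying on that fallback.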

Limit Query Result Set and Display Notification for Operator Role

As an administrator, I want to restrict SQL query results to a maximum of 100 rows for users with the “Operator” role. A notification must be shown to the client indicating that the result set is limited to 100 rows.

Example policy statement

// restricts queries to returning no more than
// the defined number of rows
@maxrows("100")
// notifies the client about the row limit
@notify("queries are limited to 100 rows")
// without additional restrictions,
// this permits StrongDM operators to execute all actions
permit (
  principal in StrongDM::Role::"operator",
  action,
  resource
) unless {
  principal in StrongDM::Role::"admin"
};