Policy Taxonomy

This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.

Overview

This reference page provides information about the attributes supported for context-based policy.

To learn more about policy, please see the documentation:

Entities

Entities in Cedar are objects that represent principals, actions, or resources. They are typically annotated in the following format.

StrongDM Account

StrongDM::Account::"<ACCOUNT_ID>"

Supported properties

Property | Description | Format | Example value(s)
accountType | Type of StrongDM account (user or service account) | String | service or user
email | User email address | String |
externalId | External ID populated from SCIM metadata, if applicable | String | alice
isManagedUser | Whether or not the user is managed by a third-party provider | Boolean | true
permissionLevel | Permission level (such as Administrator, Auditor, Team Leader, Database Administrator, or User) | String | admin, auditor, multi-team-leader, database-admin, user
tags | Cedar record whose keys and values are strings | KVP | dev

Example

StrongDM Role

Example

Entity hierarchy

StrongDM Role may be a parent of another entity, such as StrongDM Account. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, principal in StrongDM::Role::"r-1234").
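An added example (not from the StrongDM documentation) that ties the Account properties above to Role and External Group membership. The role ID r-1234 and group name dev are the values used on this page; the email domain example.com and the env tag key are assumptions.

```cedar
// Added example, not from the StrongDM documentation. Role r-1234 and
// group dev come from this page; example.com and the env tag are assumed.

// Members of the role (matched by membership with `in`) may connect, but
// only SCIM-managed human users with a company email address.
permit (
  principal in StrongDM::Role::"r-1234",
  action == StrongDM::Action::"connect",
  resource
)
when {
  principal.accountType == "user" &&
  principal.isManagedUser &&
  principal.email like "*@example.com"
};

// Resources tagged env=prod are off limits unless the principal is an
// admin or belongs to the SCIM-provisioned "dev" group. `has` guards
// against resources that carry no tags record or no env key.
forbid (
  principal,
  action,
  resource
)
when {
  resource has tags && resource.tags has env &&
  resource.tags.env == "prod"
}
unless {
  principal.permissionLevel == "admin" ||
  principal in External::Group::"dev"
};
```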

StrongDM Resource

Supported properties

Property | Format | Example value(s)
tags | Cedar record | dev

Example

External Role

External Role is populated from SCIM metadata, if applicable.

Example

Entity hierarchy

External Role may be a parent of another entity, such as StrongDM Account. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, principal in External::Role::"admin").

External Group

External Group is populated from SCIM metadata, if applicable.

Example

Entity hierarchy

External Group may be a parent of another entity, such as StrongDM Account. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, principal in External::Group::"dev").

Location Continent

Please use the appropriate continent code.

Example

Entity hierarchy

Location Continent may be a parent of another entity, such as Location. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, context.location in Location::Continent::"NA").

Location Country

Please use the appropriate ISO-3166-1 code.

Example

Entity hierarchy

Location Country may be a parent of another entity, such as Location. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, context.location in Location::Country::"US").

Location Subdivision

Example

Entity hierarchy

Location Subdivision may be a parent of another entity, such as Location. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, context.location in Location::Subdivision::"US-WA").

Location IP

Supported properties

Property | Format
latitude | Decimal
longitude | Decimal

Example

Entity hierarchy

Location IP may be a parent of another entity, such as Location. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, context.location == Location::IP::"1.2.3.4").

Postgres Database

Supported properties

Property | Format
database | String

Example

Entity hierarchy

Postgres Database may be a parent of another entity, such as Resource. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, resource in StrongDM::Resource::"rs-1234").

Principal

The principal referenced in StrongDM policy statements will always be a StrongDM::Account.

Resource

StrongDM Connect

The resource referenced in StrongDM policy statements will always be a StrongDM::Resource.

Example

Postgres Action

For Postgres actions, the resource will always be a Postgres::Database.

Example

Action

All resources

  • StrongDM::Action::"connect"

Postgres resources

Policy can be enacted for over 180 Postgres database actions. Examples of Postgres actions:

  • Postgres::Action::"callFunction"

  • Postgres::Action::"executeUnknown"

  • Postgres::Action::"parse"

  • SQL::Action::"select"

  • SQL::Action::"insert"

  • SQL::Action::"update"

Supported Postgres resource types

Postgres/SQL actions are supported on all of the Postgres resource types, including:

  • Aurora PostgreSQL

  • Aurora PostgreSQL (IAM)

  • Azure Database for PostgreSQL

  • Azure PostgreSQL (Managed Identity)

  • Citus

  • CockroachDB

  • Greenplum

  • PostgreSQL

  • PostgreSQL (mTLS)

  • RDS PostgreSQL (IAM)

  • Redshift

Context

All resources

Supported context properties for all resources

Property | Description | Format | Example value(s)
location | Geographical location; may not be present if a location cannot be determined from the client IP address | Entity UID | Location::IP
network.clientIp | IP address associated with the client, as determined by the StrongDM control plane; always a public IP address | IPAddr | ip("1.2.3.0")
network.destinationIp | IP address of the destination resource, as determined after connecting to the resource; may not be present for policy authorization requests such as StrongDM::Action::"connect" performed prior to establishing a connection to a resource | IPAddr | 1.2.3.0
network.requestIp | IP address associated with the request, as determined at the point of ingest (either a StrongDM gateway or StrongDM control plane, depending on the type of request); may be either a public or private (VPN) IP address | IPAddr | ip("1.2.3.0")
trust.ok | Device Trust status; true value indicates "good" or "exempt" status; false value indicates "bad" or "unknown" status | Boolean | true
trust.status | Device Trust context; bad for low trust; exempt for exempt; good for high trust; unknown for unknown | String | "bad", "exempt", "good", "unknown"
utcNow.day | Day of month, starting with 1 | Long | 30
utcNow.dayOfWeek | Day of week, where Sunday is 1 and Saturday is 7 | Long | 3
utcNow.month | Month of year, where January is 1 and December is 12 | Long | 1
utcNow.timestamp | Cedar datetime (UTC) | String | YYYY-MM-DD, YYYY-MM-DDThh:mm:ssZ, YYYY-MM-DDThh:mm:ss.SSSZ, YYYY-MM-DDThh:mm:ss(+/-)hhmm, YYYY-MM-DDThh:mm:ss.SSS(+/-)hhmm
utcNow.year | Four-digit year | Long | 2024

Example
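An added example (not from the StrongDM documentation) combining the context properties above with the Location entity hierarchy from earlier on this page. The CIDR ranges 203.0.113.0/24 and 10.8.0.0/16 stand in for an organization's office and VPN egress blocks, and the env tag key is assumed.

```cedar
// Added example, not from the StrongDM documentation. The CIDR ranges and
// the env tag key are placeholders.

// Connect only from a trusted device, on a weekday, and from a request IP
// inside a known office or VPN range (requestIp may be a private VPN
// address, so it is the right property for the VPN check).
permit (
  principal,
  action == StrongDM::Action::"connect",
  resource
)
when {
  context.trust.ok &&
  // dayOfWeek: Sunday is 1 and Saturday is 7, so Monday..Friday is 2..6
  context.utcNow.dayOfWeek >= 2 && context.utcNow.dayOfWeek <= 6 &&
  (context.network.requestIp.isInRange(ip("203.0.113.0/24")) ||
   context.network.requestIp.isInRange(ip("10.8.0.0/16")))
};

// Geolocation is derived from the client IP and may be absent, so test
// for presence with `has` before walking the entity hierarchy. A request
// with no resolvable location is treated as out of region.
forbid (
  principal,
  action,
  resource
)
when {
  !(context has location) ||
  !(context.location in Location::Continent::"NA")
};

// trust.ok is true for both "good" and "exempt" devices. Resources tagged
// env=prod require a positively "good" status, not an exemption.
forbid (
  principal,
  action,
  resource
)
when {
  resource has tags && resource.tags has env &&
  resource.tags.env == "prod" &&
  context.trust.status != "good"
};
```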

Postgres resources

Supported context properties for all Postgres resources

Property | Format | Example value(s)
sql.tables | Set of strings | ["users", "groups"] or ["prod.users", "prod.groups"]
sql.writeTables | Set of strings |
sql.qualifiedTables | Set of strings |
sql.qualifiedWriteTables | Set of strings |

Example
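An added example (not from the StrongDM documentation) using the Postgres context sets above together with the SQL actions listed under Action. The resource ID rs-1234 is the value used on this page; the schema and table names are assumptions.

```cedar
// Added example, not from the StrongDM documentation. Resource rs-1234
// comes from this page; the hr and audit schema/table names are assumed.

// Reads are allowed on the Postgres database behind this resource unless
// the statement touches a table in the hr schema. qualifiedTables carries
// schema-qualified names, which avoids matching an unrelated "salaries"
// table in another schema.
permit (
  principal,
  action == SQL::Action::"select",
  resource in StrongDM::Resource::"rs-1234"
)
unless {
  context.sql.qualifiedTables.containsAny(["hr.salaries", "hr.employees"])
};

// Writes are limited to the database administrator permission level,
// and the audit table is never writable regardless of who is asking.
// qualifiedWriteTables lists only the tables a statement would modify.
forbid (
  principal,
  action in [SQL::Action::"insert", SQL::Action::"update"],
  resource in StrongDM::Resource::"rs-1234"
)
when {
  principal.permissionLevel != "database-admin" ||
  context.sql.qualifiedWriteTables.contains("audit.events")
};
```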

Annotations

Annotation | Format of value
@approve("<WORKFLOW_ID>") | String
@disconnect("true") | Truthy value
@error("<REASON>") | String
@justify("<PROMPT>") | String
@logout("<REASON>") | String
@mfa("<PROMPT>") | String
@maxrows("<NUMBER>") | String

Example
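An added example (not from the StrongDM documentation) showing the annotations from the table above attached to policies. The resource ID rs-1234 is the value used on this page; the workflow ID wf-1234, the VPN range 10.8.0.0/16 and the prompt texts are assumptions, and each annotation value follows the format listed in the table.

```cedar
// Added example, not from the StrongDM documentation. Resource rs-1234
// comes from this page; wf-1234, the VPN CIDR and prompts are placeholders.

// MFA and justification prompts on the connect policy for human users.
@mfa("Confirm your identity before connecting to this resource")
@justify("Describe why you need access to this resource")
permit (
  principal,
  action == StrongDM::Action::"connect",
  resource == StrongDM::Resource::"rs-1234"
)
when { principal.accountType == "user" };

// Row cap on SELECT statements against the Postgres database behind it.
@maxrows("500")
permit (
  principal,
  action == SQL::Action::"select",
  resource in StrongDM::Resource::"rs-1234"
);

// Writes from outside the VPN range are refused with a reason, and the
// policy additionally carries the disconnect annotation.
@error("Write statements are only allowed from the VPN")
@disconnect("true")
forbid (
  principal,
  action in [SQL::Action::"insert", SQL::Action::"update"],
  resource in StrongDM::Resource::"rs-1234"
)
when {
  !context.network.requestIp.isInRange(ip("10.8.0.0/16"))
};

// Service accounts connect only through the named approval workflow.
@approve("wf-1234")
permit (
  principal,
  action == StrongDM::Action::"connect",
  resource == StrongDM::Resource::"rs-1234"
)
when { principal.accountType == "service" };
```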
