Policy Taxonomy
Overview
This reference page provides information about the attributes supported for context-based policy.
To learn more about policy, please see the documentation:
Entities
Entities in Cedar are objects that represent principals, actions, or resources. They are typically annotated in the following format.
StrongDM Account
StrongDM::Account::"<ACCOUNT_ID>"Supported properties
accountType
Type of StrongDM account (user or service account)
String
service or user
externalId
External ID populated from SCIM metadata, if applicable
String
alice
isManagedUser
Whether or not the user is managed by a third-party provider
Boolean
true
permissionLevel
Permission level (such as Administrator, Auditor, Team Leader, Database Administrator, or User)
String
admin, auditor, multi-team-leader, database-admin, user
tags
Cedar record whose keys and values are strings
KVP
dev
Example
// example for email
permit (
principal,
action,
resource
) when {
principal.email == "[email protected]"
};
// example for externalId
permit (
principal,
action,
resource
) when {
principal.externalId == "alice"
};
// example for isManagedUser
permit (
principal,
action,
resource
) when {
principal.isManagedUser == true
};
// example for accountType
permit (
principal,
action,
resource
) when {
principal.accountType == "service"
};
// example for permissionLevel
permit (
principal,
action,
resource
) when {
principal.permissionLevel == "admin"
};
// example for tags
permit (
principal,
action,
resource
) when {
principal.tags.hasTag("env") && principal.tags.getTag("foo") == "dev"
};StrongDM Role
StrongDM::Role::"<ROLE_ID>"Example
permit (
principal in StrongDM::Role::"r-1234",
action,
resource
);Entity hierarchy
StrongDM Role may be a parent of another entity, such as StrongDM Account. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, principal in StrongDM::Role::"r-1234").
StrongDM Resource
StrongDM::Resource::"<RESOURCE_ID>"Supported properties
tags
Cedar record
dev
Example
permit (
principal,
action,
resource == StrongDM::Resource::"rs-1234"
) when {
resource.tags.hasTag("env") && resource.tags.getTag("env") == "dev"
};External Role
External::Role::"<ROLE_NAME>"External Role is populated from SCIM metadata, if applicable.
Example
permit (
principal in External::Role::"admin",
action,
resource
);Entity hierarchy
External Role may be a parent of another entity, such as StrongDM Account. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, principal in External::Role::"admin").
External Group
External::Group::"<GROUP_NAME>"External Group is populated from SCIM metadata, if applicable.
Example
permit (
principal in External::Group::"dev",
action,
resource
);Entity hierarchy
External Group may be a parent of another entity, such as StrongDM Account. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, principal in External::Group::"dev").
Location Continent
Location::Continent::"<CONTINENT_CODE>"Please use the appropriate continent code.
Example
permit (
principal,
action,
resource
) when {
context.location in Location::Continent::"NA"
};Entity hierarchy
Location Continent may be a parent of another entity, such as Location. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, context.location in Location::Continent::"NA").
Location Country
Location::Country::"<ISO-3166-1-CODE>"Please use the appropriate ISO-3166-1 code.
Example
permit (
principal,
action,
resource
) when {
context.location in Location::Country::"US"
};Entity hierarchy
Location Country may be a parent of another entity, such as Location. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, context.location in Location::Country::"US").
Location Subdivision
Location::Subdivision::"<ISO-3166-2-CODE>"Example
permit (
principal,
action,
resource
) when {
context.location in Location::Subdivision::"US-WA"
};Entity hierarchy
Location Subdivision may be a parent of another entity, such as Location. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, context.location in Location::Subdivision::"US-WA").
Location IP
Location::IP::"<IP_ADDRESS>"Supported properties
latitude
Decimal
longitude
Decimal
Example
permit (
principal,
action,
resource
) when {
context.location == Location::IP::"1.2.3.4"
};
// example for latitude
permit (
principal,
action,
resource
) when {
context.location.latitude.greaterThan(decimal("49"))
};
// example for longitude
permit (
principal,
action,
resource
) when {
context.location.longitude.lessThan(decimal("-120"))
};Entity hierarchy
Location IP may be a parent of another entity, such as Location. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, context.location == Location::IP::"1.2.3.4").
Postgres Database
Postgres::Database::"<RESOURCE_ID>/<DATABASE_NAME>"Supported properties
database
String
.sdm.tags
Cedar record
Example
// example for database
permit (
principal,
action,
resource == Postgres::Database::"rs-1234/prod"
) when {
resource.database == "prod"
};
// example for tags
permit (
principal,
action,
resource == Postgres::Database::"rs-1234/prod"
) when {
resource.sdm.tags.hasTag("env") && resource.sdm.tags.getTag("env") == "prod"
};Entity hierarchy
Postgres Database may be a parent of another entity, such as Resource. Matching whether a given entity is a descendant of another entity is done through the in operator (for example, resource in StrongDM::Resource::"rs-1234").
Principal
permit (
principal == StrongDM::Account::"a-1234",
action,
resource
);The principal referenced in StrongDM policy statements always will be a StrongDM::Account.
Resource
StrongDM Connect
StrongDM::Action::"connect"The resource referenced in StrongDM policy statements always will be a StrongDM::Resource.
Example
permit (
principal,
action == StrongDM::Action::"connect",
resource == StrongDM::Resource::"rs-1234"
);Postgres Action
SQL::ActionPostgres::ActionThis always will be Postgres::Database.
Example
permit (
principal,
action == SQL::Action::"select",
resource == Postgres::Database::"rs-1234/prod"
);Action
All resources
StrongDM::Action::"connect"
Postgres resources
Policy can be enacted for over 180 Postgres database actions, such as the following examples.
Examples of Postgres actions:
Postgres::Action::"callFunction"Postgres::Action::"executeUnknown"Postgres::Action::"parse"SQL::Action::"select"SQL::Action::"insert"SQL::Action::"update"
Supported Postgres resource types
Postgres/SQL actions are supported on all of the Postgres resource types, including:
Aurora PostgreSQL
Aurora PostgreSQL (IAM)
Azure Database for PostgreSQL
Azure PostgreSQL (Managed Identity)
Citus
CockroachDB
Greenplum
PostgreSQL
PostgreSQL (mTLS)
RDS PostgreSQL (IAM)
Redshift
Context
All resources
Supported context properties for all resources
location
Geographical location; may not be present if a location cannot be determined from the client IP address
Entity UID
Location::IP
network.clientIp
IP address associated with the client, as determined by the StrongDM control plane; always a public IP address
IPAddr
ip("1.2.3.0")
network.destinationIp
IP address of the destination resource, as determined after connecting to the resource; may not be present for policy authorization requests such as StrongDM::Action::"connect" performed prior to establishing a connection to a resource
IPAddr
1.2.3.0
network.target.hostname
Hostname of the target resource
String
"db.example.com"
network.target.port
Connection port of the target resource
Integer
1234
network.requestIp
IP address associated with the request, as determined at the point of ingest (either a StrongDM gateway or StrongDM control plane, depending on the type of request); may be either a public or private (VPN) IP address
IPAddr
ip("1.2.3.0")
trust.ok
Device Trust status; true value indicates "good" or "exempt" status; false value indicates "bad" or "unknown" status
Boolean
true
trust.status
Device Trust context; bad for low trust; exempt for exempt; good for high trust; unknown for unknown
String
"bad", "exempt", "good", "unknown"
utcNow.day
Day of month, starting with 1
Long
30
utcNow.dayOfWeek
Day of week, where Sunday is 1 and Saturday is 7
Long
3
utcNow.month
Month of year, where January is 1 and December is 12
Long
1
utcNow.timestamp
Cedar datetime (UTC)
String
YYYY-MM-DD, YYYY-MM-DDThh:mm:ssZ, YYYY-MM-DDThh:mm:ss.SSSZ, YYYY-MM-DDThh:mm:ss(+/-)hhmm, YYYY-MM-DDThh:mm:ss.SSS(+/-)hhmm
utcNow.year
Four-digit year
Long
2024
Example
permit (
principal,
action,
resource
) when {
context.location in Location::Country::"US"
};
// example for network.clientIp
permit (
principal,
action,
resource
) when {
context.network.clientIp.isInRange(ip("1.2.3.0/24"))
};
// example for network.requestIp
permit (
principal,
action,
resource
) when {
context.network.requestIp.isInRange(ip("1.2.3.0/24"))
};
// example for trust.ok
permit (
principal,
action,
resource
) when {
context.trust.ok == true
};
// example for trust.status
permit (
principal,
action,
resource
) when {
context.trust.status == "good"
};
// example for utcNow
permit (
principal,
action,
resource
) when {
context.utcNow.dayOfWeek == 3 &&
context.utcNow.day == 31 &&
context.utcNow.month == 12 &&
context.utcNow.year == 2024 &&
context.utcNow.timestamp.toTime().toHours() >= 2
};Postgres resources
Supported context properties for all Postgres resources
sql.tables
Set of strings
["users", "groups"] or ["prod.users", "prod.groups"]
sql.writeTables
Set of strings
sql.qualifiedTables
Set of strings
sql.qualifiedWriteTables
Set of strings
Example
permit(principal, action, resource) when {
context.location in Location::Country::"US" ||
context.network.clientIp.isInRange(ip("1.2.3.0/24")) ||
context.network.destinationIp.isInRange(ip("1.2.3.0/24")) ||
context.network.requestIp.isInRange(ip("1.2.3.0/24")) ||
context.trust.ok == true ||
context.trust.status == "good" ||
};
permit(principal, action == SQL::Action::"update", resource) when {
context.sql.tables.contains("secrets") ||
context.sql.writeTables.contains("secrets") ||
context.sql.qualifiedTables.contains("prod.secrets") ||
context.sql.qualifiedWriteTables.contains("prod.secrets")
};// example for location
permit (
principal,
action,
resource
) when {
context.location in Location::Country::"US"
};
// example for network.clientIp
permit (
principal,
action,
resource
) when {
context.network.clientIp.isInRange(ip("1.2.3.0/24"))
};
// example for network.destinationIp
permit (
principal,
action,
resource
) when {
context.network.destinationIp.isInRange(ip("1.2.3.0/24"))
};
// example for network.requestIp
permit (
principal,
action,
resource
) when {
context.network.requestIp.isInRange(ip("1.2.3.0/24"))
};
// example for trust.ok
permit (
principal,
action,
resource
) when {
context.trust.ok == true
};
// example for trust.status
permit (
principal,
action,
resource
) when {
context.trust.status == "good"
};
// example for sql.tables
permit (
principal,
action == SQL::Action::"update",
resource
) when {
context.sql.tables.contains("secrets")
};
// example for sql.writeTables
permit (
principal,
action == SQL::Action::"update",
resource
) when {
context.sql.writeTables.contains("secrets")
};
// example for sql.qualifiedTables
permit (
principal,
action == SQL::Action::"update",
resource
) when {
context.sql.qualifiedTables.contains("prod.secrets")
};
// example for sql.qualifiedWriteTables
permit (
principal,
action == SQL::Action::"update",
resource
) when {
context.sql.qualifiedWriteTables.contains("prod.secrets")
};Annotations
@approve("<WORKFLOW_ID>")
String
@disconnect("true")
Truthy value
@error("<REASON>")
String
@justify("<PROMPT>")
String
@logout("<REASON>")
String
@mfa("<PROMPT>")
String
@maxrows("<NUMBER>")
String
Example
@approve("af-1234")
@credential("rs-1234")
@email("[email protected]")
@justify("Enter a reason")
@mfa("MFA required")
@maxrows("1234")
@notify("You have access!")
@disconnect("true")
@error("denied!")
@logout("unauthorized access")Last updated
Was this helpful?