search
Help CenterGet A DemoTry It Free

Policy Use Cases

circle-info

This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Centerarrow-up-right.

hashtag
Overview

This page describes common use cases for policies and provides example policy statements for each of them.

To learn how to create policy statements, please see Policy Creation.

hashtag
Forbid Access for All Except a Role for a Tagged Resource

As an administrator, I want to restrict access so that only principals with a specified role can perform all actions on development databases, while having read-only access to production databases.

hashtag
Example policy statements

// forbid all access
// unless the principal has the `devDBUsers` role
// and the resource is tagged with `env` and `env=dev`

permit (
  principal in StrongDM::Role::"devDBUsers",
  action,
  resource
) when {
  resource.hasTag("env") && resource.getTag("env") == "dev"
};

// alternative 1: permit access for principals
// that have the `devDBUsers` role and
// want to perform specific actions in SQL
// and when the resource is tagged with `env` and `env=prod`

permit (  
  principal in StrongDM::Role::"devDBUsers",
  action in [  
    SQL::Action::"select",  
    SQL::Action::"with",  
    SQL::Action::"values",  
    SQL::Action::"show",  
    SQL::Action::"set"  
  ],  
  resource
) when {  
  resource.sdm.hasTag("env") && resource.sdm.getTag("env") == "prod" 
};

// alternative 2: permit access for a principal
// who has the `devDBUsers` role
// when the resource is tagged with `env` and `env=prod`
// unless the principal is trying to write to SQL tables

permit (
  principal in StrongDM::Role::"devDBUsers",
  action,
  resource
) when {
  resource.sdm.hasTag("env") && resource.sdm.getTag("env") == "prod"
} unless {
  context.sql has "writeTables"
};

// or forbid principals with the `devDBUsers` role
// when trying to write to SQL tables
// when the resource is tagged with `env` and `env=prod`

forbid (
  principal in StrongDM::Role::"devDBUsers",
  action,
  resource
) when {
  context.sql has "writeTables" &&
  resource.sdm.hasTag("env") && resource.sdm.getTag("env") == "prod"
} ;

hashtag
Restrict Access to Sensitive Resources

As an administrator, I want to forbid access to run queries against databases tagged as “sensitive” unless the principal has the “Sensitive DB Group” role.

hashtag
Example policy statement

hashtag
Allow Only Postgres-Supported Actions on Specified Resources

As an administrator, I want to allow the principal to run Postgres-supported actions only on the databases specified in the policy, and otherwise forbid all the actions on other resources.

hashtag
Example Permit statement

hashtag
Example Forbid statement

hashtag
Deny All Actions on the Production DB Originating Outside of the US

As an administrator, I want to restrict all activities on myProdDB for any client connections that are not from the US.

hashtag
Example Forbid statement

hashtag
Example Permit statement

hashtag
Limit Query Result Set and Display Notification for Operator Role

As an administrator, I want to restrict SQL query results to a maximum of 100 rows for principals with the "Operator" role. A notification must be shown to the client indicating that the result set is limited to 100 rows.

hashtag
Example policy statement

hashtag
Allow All Actions on Postgres Resources

Some principals who need to work with Postgres resources need to be able to conduct most or all actions against that type of resource. I want to allow all actions against Postgres databases for principals with the specified role, and if necessary, be able to forbid particular sensitive actions.

hashtag
Example Permit statement

hashtag
Permit Access Only During Business Hours Not in December

As an administrator, I want principals to access resources during business hours (9 a.m. to 5 p.m. UTC) on weekdays (Monday through Friday) only. I want this rule to exempt December, since our example engineering team has a change freeze during December.

hashtag
Example Permit statement

Last updated

Was this helpful?