# Policy Use Cases

{% hint style="info" %}
This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the [StrongDM Help Center](https://help.strongdm.com/hc/en-us).
{% endhint %}

### Overview

This page describes common use cases for [policies](/admin/access/policies.md) and provides example policy statements for each of them.

* [Forbid access for all except a role for a tagged resource](#forbid-access-for-all-except-a-role-for-a-tagged-resource)
* [Restrict access to sensitive resources](#restrict-access-to-sensitive-resources)
* [Allow only Postgres-supported actions on specified resources](#allow-only-postgres-supported-actions-on-specified-resources)
* [Deny all actions on the production DB originating outside of the U.S.](#deny-all-actions-on-the-production-db-originating-outside-of-the-us)
* [Limit query result set and display notification for operator role](#limit-query-result-set-and-display-notification-for-operator-role)
* [Allow All Actions on Postgres Resources](#allow-all-actions-on-postgres-resources)
* [Permit Access Only During Business Hours Not in December](#permit-access-only-during-business-hours-not-in-december)

To learn how to create policy statements, please see [Policy Creation](/admin/access/policies/policy-creation.md).

### Forbid Access for All Except a Role for a Tagged Resource

As an administrator, I want to restrict access so that only principals with a specified role can perform all actions on development databases, and those same principals have read-only access to production databases. Because Cedar denies every request that no permit statement matches, a permit scoped to that one role is enough to exclude everyone else, as long as no other policy grants broader access.

#### Example policy statements

```cedar
// permit all actions for principals with the `devDBUsers` role
// when the resource is tagged `env=dev`;
// every other request is denied by default

permit (
  principal in StrongDM::Role::"devDBUsers",
  action,
  resource
) when {
  resource.hasTag("env") && resource.getTag("env") == "dev"
};

// alternative 1: permit access for principals
// that have the `devDBUsers` role and
// want to perform specific actions in SQL
// and when the resource is tagged with `env` and `env=prod`

permit (
  principal in StrongDM::Role::"devDBUsers",
  action in [
    SQL::Action::"select",
    SQL::Action::"with",
    SQL::Action::"values",
    SQL::Action::"show",
    SQL::Action::"set"
  ],
  resource
) when {
  resource.sdm.hasTag("env") && resource.sdm.getTag("env") == "prod"
};

// alternative 2: permit access for a principal
// who has the `devDBUsers` role
// when the resource is tagged with `env` and `env=prod`
// unless the principal is trying to write to SQL tables

permit (
  principal in StrongDM::Role::"devDBUsers",
  action,
  resource
) when {
  resource.sdm.hasTag("env") && resource.sdm.getTag("env") == "prod"
} unless {
  context.sql has "writeTables"
};

// or forbid principals with the `devDBUsers` role
// when trying to write to SQL tables
// when the resource is tagged with `env` and `env=prod`

forbid (
  principal in StrongDM::Role::"devDBUsers",
  action,
  resource
) when {
  context.sql has "writeTables" &&
  resource.sdm.hasTag("env") && resource.sdm.getTag("env") == "prod"
};
```

### Restrict Access to Sensitive Resources

As an administrator, I want to forbid running queries against databases tagged as “sensitive” unless the principal has the “Sensitive DB Group” role. A forbid statement only blocks access; because Cedar denies by default, members of the role still need a permit statement that grants them access to those databases.

#### Example policy statement

```cedar
forbid (
  principal,
  action,
  resource
) when {
  resource.hasTag("sensitive")
} unless {
  principal in StrongDM::Role::"Sensitive DB Group"
};
```
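The forbid statement above grants nothing on its own. The following added example (not from the StrongDM documentation) pairs it with a permit so that members of the `Sensitive DB Group` role actually get access; the choice of `SQL::Action::"select"` and `SQL::Action::"show"` as the permitted actions is an assumption for illustration, and the tag check mirrors the statement above.

```cedar
// grant the Sensitive DB Group read-only SQL access to sensitive databases
// (the action list is an illustrative assumption, not a StrongDM default)
permit (
  principal in StrongDM::Role::"Sensitive DB Group",
  action in [
    SQL::Action::"select",
    SQL::Action::"show"
  ],
  resource
) when {
  resource.hasTag("sensitive")
};

// block everyone outside the role; a forbid overrides any other permit,
// so a later, broader permit cannot accidentally expose sensitive databases
forbid (
  principal,
  action,
  resource
) when {
  resource.hasTag("sensitive")
} unless {
  principal in StrongDM::Role::"Sensitive DB Group"
};
```

Keeping the forbid even though the permit is narrowly scoped is deliberate: in Cedar a matching forbid always wins, so the restriction survives any permit statement another administrator adds later.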

### Allow Only Postgres-Supported Actions on Specified Resources

As an administrator, I want to allow principals to run Postgres-supported actions only on the databases listed in the policy, and forbid all actions on every other resource. The permit alone is sufficient under Cedar's default deny; the forbid additionally overrides any other permit statement that would otherwise grant access to an unlisted resource.

#### Example Permit statement

```cedar
permit (
  principal,
  action,
  resource == Postgres::Database::"r-1234/web"
);
```

#### Example Forbid statement

```cedar
forbid (
  principal,
  action,
  resource
) when {
  // list accepted resources here
  resource != Postgres::Database::"r-1234/web"
};
```

### Deny All Actions on the Production DB Originating Outside of the US

As an administrator, I want to deny all actions on `myProdDB` for client connections that do not originate in the US. Requests whose location is unknown are treated as non-US and denied.

#### Example Forbid statement

```cedar
forbid (
  principal,
  action,
  resource == StrongDM::Resource::"myProdDB"
) when {
  // matches when no location is known or the location is outside the US
  !(context has location && context.location in Location::Country::"US")
};
```

#### Example Permit statement

This form relies on Cedar's default deny: `myProdDB` is reachable only through this permit, and only from the US. If `context.location` is missing, the condition produces an evaluation error, the permit statement is skipped, and the request is denied. Unlike the forbid statement above, a permit does not override other permit statements, so if another policy also grants access to `myProdDB`, use the forbid form to enforce the location restriction.

```cedar
permit (
  principal,
  action,
  resource == StrongDM::Resource::"myProdDB"
) unless {
  // a request that is not located in the US does not match this permit
  !(context.location in Location::Country::"US")
};
```

### Limit Query Result Set and Display Notification for Operator Role

As an administrator, I want to restrict SQL query results to a maximum of 100 rows for principals with the "Operator" role. A notification must be shown to the client indicating that the result set is limited to 100 rows.

#### Example policy statement

```cedar
// restricts queries to returning no more than
// the defined number of rows
@maxrows("100")
// notifies the client about the row limit
@notify("queries are limited to 100 rows")
// apart from the row limit, this permits principals with the
// `operator` role to execute all actions, unless they also hold `admin`
permit (
  principal in StrongDM::Role::"operator",
  action,
  resource
) unless {
  principal in StrongDM::Role::"admin"
};
```

### Allow All Actions on Postgres Resources

Some principals who work with Postgres resources need to perform most or all actions against that resource type. As an administrator, I want to allow all actions against Postgres databases for principals with a specified role and, when necessary, forbid particular sensitive actions with a separate forbid statement.

#### Example Permit statement

```cedar
permit (
  principal in StrongDM::Role::"r-1caa595464152e78",
  action,
  // `is` matches every entity of the Postgres::Database type;
  // `==` would require a single, specific database entity
  resource is Postgres::Database
);
```

### Permit Access Only During Business Hours Not in December

As an administrator, I want principals to access resources only during business hours (9 a.m. to 5 p.m. UTC) on weekdays (Monday through Friday). I also want this rule to exclude December entirely, because our example engineering team has a change freeze in December.

#### Example Permit statement

```cedar
permit (
  principal,
  action,
  resource
)
when {
  // no access at all in December (change freeze)
  context.utcNow.month != 12 &&
  // weekdays only: 2 through 6 is Monday through Friday
  [2,3,4,5,6].contains(context.utcNow.dayOfWeek) &&
  // 09:00:00 through 16:59:59 UTC; toHours() yields the whole hour,
  // so `>= 9` is needed to include the 9 o'clock hour
  context.utcNow.timestamp.toTime().toHours() >= 9 &&
  context.utcNow.timestamp.toTime().toHours() < 17
};
```
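Expressing the change freeze as a condition on one permit statement restricts only that statement: any other permit that matches in December still grants access. The following added example (not from the StrongDM documentation) enforces the freeze as a standalone forbid, which overrides every permit in the policy set, and scopes the business-hours permit to the `operator` role used earlier on this page; the role name and the `context.utcNow` attributes are taken from this page's other examples.

```cedar
// change freeze: a forbid wins over every permit, including any added later
forbid (
  principal,
  action,
  resource
) when {
  context.utcNow.month == 12
};

// outside the freeze, operators may work on weekdays from 09:00 to 16:59 UTC;
// dayOfWeek numbering follows this page's example (2 through 6 is Monday through Friday)
permit (
  principal in StrongDM::Role::"operator",
  action,
  resource
) when {
  [2,3,4,5,6].contains(context.utcNow.dayOfWeek) &&
  context.utcNow.timestamp.toTime().toHours() >= 9 &&
  context.utcNow.timestamp.toTime().toHours() < 17
};
```

Splitting the rule this way also makes the freeze easy to audit: a reviewer can confirm it from the single forbid statement without reading the conditions on every permit.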

