
Basic Policy Examples

Common authorization patterns using Cedar policies.

User Access Policies

Allow Specific User

// Exactly one principal (User::"alice") may read any entity of type Document.
// Every constraint lives in the scope (==, ==, is), so this policy cannot error at evaluation time.
permit(
principal == User::"alice",
action == Action::"read",
resource is Document
);

Allow User Group

// Members of Group::"engineering" may read or write any CodeRepository.
// `in` follows the entity hierarchy supplied with the request, including transitive group membership.
permit(
principal in Group::"engineering",
action in [Action::"read", Action::"write"],
resource is CodeRepository
);

Role-Based Access

// Anyone in Role::"admin" may perform every action on every resource.
// Only a forbid policy can narrow this, since forbid always overrides permit in Cedar.
permit(
principal in Role::"admin",
action,
resource
);

Resource Access Policies

Document Access by Owner

// A Document may be read by the entity stored in its `owner` attribute.
// If `owner` is absent the policy errors and therefore does not permit (fail closed).
permit(
principal,
action == Action::"read",
resource is Document
) when {
resource.owner == principal
};

Folder-Based Access

// Marketing members may read Documents that sit (directly or transitively) under
// Folder::"marketing-assets" in the resource hierarchy supplied with the request.
permit(
principal in Group::"marketing",
action == Action::"read",
resource is Document
) when {
resource in Folder::"marketing-assets"
};

Public Resources

// Any principal may read a Document whose `visibility` attribute equals "public".
// A Document without that attribute makes the policy error, so it is not permitted by this rule.
permit(
principal,
action == Action::"read",
resource is Document
) when {
resource.visibility == "public"
};

Action-Based Policies

Read-Only Access

// Viewers may read every resource.
permit(
principal in Group::"viewers",
action == Action::"read",
resource
);

// The explicit forbid keeps viewers read-only even when another permit (for example an
// owner or access-list rule) would otherwise grant write or delete: forbid overrides permit.
forbid(
principal in Group::"viewers",
action in [Action::"write", Action::"delete"],
resource
);

Write Access for Editors

// Editors may read and write any Document; delete is intentionally not included.
permit(
principal in Group::"editors",
action in [Action::"read", Action::"write"],
resource is Document
);

Delete Restricted to Admins

// Deny delete to everyone outside Group::"admins".
// `in` never errors, so this denial also covers principals with no group membership at all
// (Agents, service accounts), which is the safe direction for a forbid.
forbid(
principal,
action == Action::"delete",
resource
) when {
!(principal in Group::"admins")
};

Agent Policies

Agent Read Access

// An Agent may read Documents once its `trust_level` attribute is at least 1.
// `trust_level` must be a Long; a missing or differently typed value errors and yields no permit.
permit(
principal is Agent,
action == Action::"read",
resource is Document
) when {
principal.trust_level >= 1
};

Agent Tool Execution

// An Agent may execute a Tool whose `risk_level` does not exceed the Agent's `max_risk_level`.
// Both attributes must be present Longs on the entities supplied with the request; otherwise the
// comparison errors and the policy does not permit.
permit(
principal is Agent,
action == Action::"execute",
resource is Tool
) when {
resource.risk_level <= principal.max_risk_level
};

Agent with Valid Delegation

// Grants an Agent every action on every resource as long as the request context carries a
// delegation chain whose first hop originates from a User.
// NOTE(review): `.length`, `[0]` indexing and `.startsWith()` are not operators of standard Cedar
// (sets are unordered and expose contains/containsAll/containsAny; strings are matched with `like`),
// so this only evaluates if the engine behind /authorize extends the language - confirm against it.
// The chain is plain request context: Cedar does not verify it, so whatever builds the context must.
// A missing `delegation_chain` makes the policy error, which means no permit (fail closed).
permit(
principal is Agent,
action,
resource
) when {
context.delegation_chain.length > 0 &&
context.delegation_chain[0].from.startsWith("User::")
};

Time-Based Policies

Business Hours Only

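// Contractors get full access to InternalSystem entities only between 09:00 and 16:59 on weekdays.
// All three values come from the request context, so the enforcement point - not the requester -
// must populate `current_hour` (Long) and `is_weekday` (Bool). A missing or mistyped value makes
// the policy error, which for a permit simply means no access. `context.is_weekday` is already a
// Bool, so the redundant `== true` is dropped.
permit(
principal in Group::"contractors",
action,
resource is InternalSystem
) when {
context.current_hour >= 9 &&
context.current_hour < 17 &&
context.is_weekday
};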

Temporary Access

// A single temporary worker may read ProjectDocuments during Q1 2024, as reported by the context.
// NOTE(review): standard Cedar defines `>=`/`<=` only on Long values (and on the datetime extension
// type in newer releases); comparing two strings is an evaluation error, so in that dialect this
// policy never permits. Supplying the date as epoch seconds (Long) or a datetime() value keeps the
// intent and evaluates. Confirm which the engine behind /authorize supports.
// `current_date` is request context, so only the enforcement point should set it.
permit(
principal == User::"temp-worker",
action == Action::"read",
resource is ProjectDocument
) when {
context.current_date >= "2024-01-01" &&
context.current_date <= "2024-03-31"
};

Conditional Policies

Classification-Based

// Read access to a Document depends on its `classification` attribute:
//   "public"       - anyone
//   "internal"     - members of Group::"employees"
//   "confidential" - members of Group::"cleared"
// Any other classification, or a missing attribute, yields no permit from this rule.
permit(
principal,
action == Action::"read",
resource is Document
) when {
resource.classification == "public" ||
(resource.classification == "internal" && principal in Group::"employees") ||
(resource.classification == "confidential" && principal in Group::"cleared")
};

Attribute Matching

// CustomerData may be accessed when the resource's `region` equals the principal's `assigned_region`.
// Both attributes must be present; if either is missing the policy errors and does not permit.
permit(
principal,
action == Action::"access",
resource is CustomerData
) when {
resource.region == principal.assigned_region
};

Hierarchical Access

// A Team may be managed by anyone listed in its `managers` set or in its parent team's `managers`.
// `||` short-circuits, so `resource.parent_team` is only dereferenced when the first check fails;
// a Team without a parent_team attribute then errors, which means no permit for non-managers.
permit(
principal,
action == Action::"manage",
resource is Team
) when {
principal in resource.managers ||
principal in resource.parent_team.managers
};

Forbid Policies (Denials)

Block Sensitive Data

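// Deny every action on SensitiveData unless the principal explicitly carries has_clearance == true.
// The `has` guard matters: in Cedar a policy that errors is skipped, so a forbid that reads a
// missing attribute silently stops denying. With the guard, a principal that has no
// `has_clearance` attribute at all (an Agent, a service account, a stale entity) is denied rather
// than waved through, and comparing against the literal `true` means a wrongly typed value also
// counts as "no clearance" instead of as an error.
forbid(
principal,
action,
resource is SensitiveData
) when {
!(principal has has_clearance && principal.has_clearance == true)
};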

Block External Access

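// Deny every action on InternalAPI when the request is tagged as external - and also when the
// enforcement point did not tag it at all. Reading `context.request_source` without a `has` guard
// turns a missing attribute into an evaluation error, which skips this forbid and lets the request
// fall through to whatever permits apply; an untagged request is treated as external instead.
forbid(
principal,
action,
resource is InternalAPI
) when {
!(context has request_source) || context.request_source == "external"
};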

Block During Maintenance

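// While the context flags maintenance mode, only Group::"ops-team" may write or delete.
// A request without `maintenance_mode` is treated as "not in maintenance"; the `has` guard states
// that explicitly instead of relying on an evaluation error skipping the forbid, and the comparison
// with the literal `true` keeps a wrongly typed flag from turning into an error as well.
forbid(
principal,
action in [Action::"write", Action::"delete"],
resource
) when {
context has maintenance_mode &&
context.maintenance_mode == true &&
!(principal in Group::"ops-team")
};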

Combined Patterns

Standard CRUD for Owners

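// Owners can do anything with their own resource (the `owner` attribute must be present;
// if it is missing the policy errors and does not permit).
permit(
principal,
action,
resource
) when {
resource.owner == principal
};

// Team members can read; `team` is expected to be an entity (or set of entities) on the resource.
permit(
principal,
action == Action::"read",
resource
) when {
principal in resource.team
};

// But nobody - including the owner, because forbid overrides permit - can delete archived items.
// The `has` guard makes "no status attribute means not archived" an explicit decision rather than
// the side effect of an evaluation error skipping the forbid.
forbid(
principal,
action == Action::"delete",
resource
) when {
resource has status && resource.status == "archived"
};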

Layered Security

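// Base: Employees can read public docs (a Document without `classification` errors here and is
// simply not permitted by this layer).
permit(
principal in Group::"employees",
action == Action::"read",
resource is Document
) when {
resource.classification == "public"
};

// Layer 2: Department access - both `department` attributes must be present, otherwise no permit.
permit(
principal,
action == Action::"read",
resource is Document
) when {
resource.department == principal.department
};

// Layer 3: Explicit grants via the resource's `access_list` set of entities.
permit(
principal,
action,
resource
) when {
principal in resource.access_list
};

// Override: Block terminated employees. forbid beats every permit above.
// The `has` guard avoids relying on an evaluation error: without it a principal that lacks the
// `status` attribute would make this forbid error and be skipped. With the guard such a principal
// is still not blocked - if every employee entity is expected to carry `status`, tighten this to
// `!(principal has status) || principal.status == "terminated"` so the override fails closed.
forbid(
principal,
action,
resource
) when {
principal has status && principal.status == "terminated"
};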

Testing These Policies

Test any policy with the authorize endpoint:

# User alice reads a document. The policies above evaluate `context` exactly as it is sent
# here, so outside of local testing only the enforcement point should build this request body.
curl --request POST http://localhost:8081/authorize \
--header "Content-Type: application/json" \
--data '{
"principal": "User::\"alice\"",
"action": "Action::\"read\"",
"resource": "Document::\"report\"",
"context": {}
}'

# Agent assistant executes a tool, presenting a one-hop delegation chain that starts at alice.
curl --request POST http://localhost:8081/authorize \
--header "Content-Type: application/json" \
--data '{
"principal": "Agent::\"assistant\"",
"action": "Action::\"execute\"",
"resource": "Tool::\"calculator\"",
"context": {
"delegation_chain": [
{"from": "User::\"alice\"", "to": "Agent::\"assistant\""}
]
}
}'

Next Steps