Conditional Policy Examples
Advanced Cedar policies with complex conditions. The examples assume a schema that declares every attribute they read: in Cedar, reading an attribute that is absent is an evaluation error, and a policy that errors is skipped for that request rather than evaluated as false. Every `context.*` value is supplied by the component that calls the authorizer (the enforcement point), so it must be derived from trusted sources — never copied from the requester's input.
String Operations
Prefix Matching
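permit(
  principal is Agent,
  action == Action::"query",
  resource is Database
) when {
  // Cedar strings have no startsWith(); the only pattern operator is the
  // infix `like`, whose single wildcard `*` matches any run of characters
  // (including "/" and "_"). Leading text before the prefix is not allowed,
  // so "data_analyze_x" does not match "analyze_*".
  context.intent like "analyze_*" ||
  context.intent like "report_*"
  // NOTE(review): `intent` is free text set by the caller; the enforcement
  // point must not let the requester choose it, or the prefix is trivially
  // satisfied.
};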
Suffix Matching
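permit(
  principal,
  action == Action::"read",
  resource is File
) when {
  // Cedar strings have no endsWith(); `*.pdf` with the infix `like`
  // operator anchors the suffix (the pattern must consume the whole name).
  resource.name like "*.pdf" ||
  resource.name like "*.docx"
  // NOTE(review): this tests the name string only, not the content type;
  // `*` also matches "/" so a name containing path separators still passes.
};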
Contains Check
permit(
  principal,
  action,
  resource is Document
) when {
  // Set membership: tags is a set of strings and contains() is the exact
  // element test (no pattern matching).
  // NOTE(review): `action` is unconstrained, so one "public" tag grants every
  // action on the document — including write/delete — to every principal.
  // Scope the action (e.g. action == Action::"read") unless that is intended.
  resource.tags.contains("public")
};
Pattern Matching
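permit(
  principal,
  action == Action::"access",
  resource is Endpoint
) when {
  // `like` is an infix operator and its only wildcard is `*`; a character
  // class such as `[0-9]` is matched literally, so the original pattern never
  // matched a real path. Enumerate the versions actually exposed rather than
  // using "/api/v*/*", which would also match "/api/vulnerable-thing/...".
  resource.path like "/api/v1/*" ||
  resource.path like "/api/v2/*"
  // NOTE(review): `*` matches "/" and ".." as well, so the path must be
  // normalized by the gateway before it reaches the policy.
};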
Numeric Conditions
Range Checks
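permit(
  principal is Agent,
  action == Action::"execute",
  resource is Tool
) when {
  // Bounded integer range: risk_level is a Cedar long, so the native
  // comparison operators apply.
  resource.risk_level >= 1 &&
  resource.risk_level <= 3 &&
  // Cedar has no floating-point literals; a fractional score must be the
  // `decimal` extension type and is compared with its methods, not `>=`.
  principal.trust_score.greaterThanOrEqual(decimal("0.7"))
};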
Threshold-Based
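permit(
  principal,
  action == Action::"transfer",
  resource is BankAccount
) when {
  // amount must be a long (e.g. minor currency units): Cedar's `<=` does not
  // apply to decimals. Reject zero and negative amounts up front — the bare
  // `amount <= 10000` test is also satisfied by a negative value, which would
  // slip past the approval threshold.
  context.amount > 0 &&
  // At or under the threshold passes; above it requires manager approval.
  // The original `amount > 10000 &&` inside the second branch was redundant.
  (context.amount <= 10000 || context.has_manager_approval == true)
  // NOTE(review): has_manager_approval must be asserted by the enforcement
  // point from an approval record, not taken from the request.
};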
Count Limits
permit(
  principal is Agent,
  action == Action::"execute",
  resource is Tool
) when {
  // Cedar is stateless and cannot count; execution_count_today must be looked
  // up and injected by the enforcement point for every request.
  // NOTE(review): the check-then-act between reading the counter and
  // executing is not atomic here, so concurrent requests can exceed the limit
  // unless the counter is incremented before authorization.
  context.execution_count_today < 100
};
List Operations
Membership Checks
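permit(
  principal,
  action,
  resource is Document
) when {
  // `in` is the entity-hierarchy operator: valid when collaborators is a set
  // of entity references.
  principal in resource.collaborators ||
  // For a set of strings the test is contains(); `in` with a string on the
  // left is a type error and the policy would never apply.
  resource.shared_with.contains(principal.email)
  // NOTE(review): `action` is unconstrained, so a shared_with match grants
  // every action on the document; scope it unless that is intended.
};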
Any/All Conditions
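permit(
  principal,
  action == Action::"access",
  resource is Service
) when {
  // Principal must hold every required permission. Cedar has no lambdas or
  // all(); containsAll() is the subset test over sets.
  // NOTE(review): an empty required_permissions set makes this true for
  // everyone — ensure the attribute is populated, or require non-empty in
  // the schema/loader.
  principal.permissions.containsAll(resource.required_permissions)
};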
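permit(
  principal,
  action,
  resource is Document
) when {
  // At least one tag must be public or shared. Cedar has no any(); the
  // set-intersection test containsAny() expresses the same condition.
  resource.tags.containsAny(["public", "shared"])
  // NOTE(review): `action` is unconstrained — see the contains() example.
};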
List Size
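permit(
  principal is Agent,
  action == Action::"delegate",
  resource is Agent
) when {
  // Cedar sets have no length/size operator, so a policy cannot measure the
  // delegation chain itself. The enforcement point must compute the depth and
  // pass it as a long; the chain can still be passed alongside for auditing.
  context.delegation_depth < 3
  // NOTE(review): the depth is only meaningful if the enforcement point
  // derives it from the verified chain, not from a value the agent supplies.
};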
Boolean Logic
Complex AND/OR
permit(
  principal,
  action == Action::"access",
  resource is CustomerData
) when {
  // Each department is limited to the customer records relevant to its role;
  // the branches are independent and any one of them suffices.
  (
    principal.department == "sales" &&
    resource.customer_type == "prospect"
  ) || (
    principal.department == "support" &&
    resource.has_active_ticket
  ) || (
    principal.department == "finance" &&
    resource.has_outstanding_invoice
  )
  // NOTE(review): every branch reads principal.department; a principal type
  // without that attribute raises an evaluation error and the policy is
  // skipped (denied), which is the safe direction here.
};
Negation
permit(
  principal,
  action,
  resource is Document
) when {
  // Grant only for live documents and non-suspended principals.
  // NOTE(review): negated conditions inside a permit only narrow THIS permit;
  // any other permit that matches still grants access. Global denials such
  // as "suspended principals get nothing" belong in a forbid policy, which
  // overrides every permit regardless of how many apply.
  !resource.is_archived &&
  !resource.is_deleted &&
  !principal.is_suspended
};
Conditional Defaults
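permit(
  principal,
  action == Action::"read",
  resource is Document
) when {
  // Test has() FIRST. If classification is absent, reading it is an
  // evaluation error, `||` does not mask an error in its left operand, and
  // an erroring policy is skipped — so the original ordering could never
  // grant the default it intended.
  !resource.has("classification") ||
  resource.classification == "public"
  // NOTE(review): this is a fail-open default — an unclassified document is
  // treated as public. Prefer declaring the attribute as required in the
  // schema and defaulting to the most restrictive classification.
};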
Context-Aware Policies
Every context attribute used below (MFA status, session age, source network, environment) is only as trustworthy as the component that populates it. The enforcement point must set these from the authenticated session and the network layer; a value copied from a request header or body lets the requester satisfy the condition itself.
Multi-Factor Requirements
permit(
  principal,
  action == Action::"access",
  resource is SensitiveSystem
) when {
  // Explicit `== true` keeps the comparison a type error (and thus a skipped
  // policy) if the attribute is ever not a boolean.
  context.mfa_verified == true &&
  // Session must be fresh; the enforcement point derives the age from the
  // session record, not from the client.
  context.session_age_minutes < 30 &&
  // ip_in_allowlist is a decision the gateway makes from the connection's
  // source address; the policy only consumes the result.
  context.ip_in_allowlist == true
};
Environment-Based
permit(
  principal,
  action == Action::"deploy",
  resource is Service
) when {
  (
    // Development: any principal may deploy.
    // NOTE(review): no principal restriction at all in this branch; if
    // development hosts real data, scope it too.
    context.environment == "development"
  ) || (
    // Staging: QA team only.
    context.environment == "staging" &&
    principal in Group::"qa-team"
  ) || (
    // Production: release managers with a change ticket.
    // has_change_ticket is presumably verified by the enforcement point
    // against the ticketing system — confirm, rather than trusting the caller.
    context.environment == "production" &&
    principal in Group::"release-managers" &&
    context.has_change_ticket
  )
};
Request Source
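permit(
  principal,
  action,
  resource is InternalAPI
) when {
  // Membership of a string in a set literal is contains(); the `in` operator
  // only accepts entities and would be a type error here.
  ["internal", "vpn", "office"].contains(context.request_source) ||
  (
    // External access is limited to remote workers with MFA.
    context.request_source == "external" &&
    principal in Group::"remote-workers" &&
    context.mfa_verified == true
  )
  // NOTE(review): request_source must be classified by the gateway from the
  // connection (peer address, VPN/tunnel identity), never from a header the
  // client can set.
};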
Temporal Conditions
Date Ranges
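permit(
  principal == User::"contractor-jane",
  action,
  resource
) when {
  // Cedar's `<`/`>=` operators do not apply to strings, so comparing ISO date
  // strings is a type error and the policy would never apply. Use the
  // datetime extension type instead; the enforcement point stamps
  // current_date from its own clock.
  // NOTE(review): requires the datetime extension — confirm the Cedar build
  // in use supports comparison operators on datetime values.
  context.current_date >= datetime("2024-01-01T00:00:00Z") &&
  // Exclusive upper bound so the whole of 2024-06-30 is covered.
  context.current_date < datetime("2024-07-01T00:00:00Z")
  // NOTE(review): `action` and `resource` are unconstrained — this grants the
  // contractor everything for the engagement; pair it with resource scoping.
};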
Time Windows
permit(
  principal in Group::"batch-jobs",
  action == Action::"write",
  resource is Database
) when {
  // Only during maintenance window: 2 AM - 4 AM (upper bound exclusive).
  // current_hour is a long set by the enforcement point; agree on a single
  // time zone (UTC is the usual choice) or a DST change shifts the window.
  context.current_hour >= 2 &&
  context.current_hour < 4
};
Recency Checks
permit(
  principal,
  action == Action::"access",
  resource is SecureVault
) when {
  // Password must have been changed within the last 90 days.
  // days_since_password_change is computed by the enforcement point from the
  // credential store; a principal without the attribute causes an evaluation
  // error and the policy is skipped (denied).
  context.days_since_password_change < 90
};
Hierarchical Conditions
Organizational Hierarchy
permit(
  principal,
  action == Action::"view",
  resource is EmployeeRecord
) when {
  // Can view own record
  resource.employee_id == principal.employee_id ||
  // Manager can view direct reports (one level only; skip-level managers are
  // not covered by this comparison)
  resource.manager_id == principal.employee_id ||
  // HR can view all
  principal in Group::"hr-team"
  // NOTE(review): principal.employee_id is read before the group test, so a
  // principal type without that attribute errors out even if it is in HR —
  // either constrain `principal is User` or put the group test first.
};
Resource Hierarchy
permit(
  principal,
  action,
  resource
) when {
  // Check against resource and all parent containers — but only two levels
  // up; a resource nested deeper silently falls outside this grant.
  // NOTE(review): if parents are declared in the entity data, Cedar's own
  // hierarchy (`resource in Container::"..."`, or `principal in` a group that
  // the container's ACL resolves to) walks arbitrary depth — confirm the
  // entity model before hand-rolling the walk.
  principal in resource.access_list ||
  (resource.has("parent") && principal in resource.parent.access_list) ||
  (resource.has("parent") && resource.parent.has("parent") &&
  principal in resource.parent.parent.access_list)
  // NOTE(review): `action` and `resource` are both unconstrained; an ACL hit
  // anywhere in the chain grants every action.
};
Computed Conditions
Dynamic Risk Assessment
permit(
  principal is Agent,
  action == Action::"execute",
  resource is Tool
) when {
  // Computed risk must be below threshold. All three operands are longs;
  // Cedar raises an error on 64-bit overflow, in which case the policy is
  // skipped (denied).
  // NOTE(review): environmental_risk_modifier comes from the context, so a
  // negative modifier from an untrusted source lowers the effective risk —
  // the enforcement point must own this value.
  (resource.base_risk_level + context.environmental_risk_modifier) <=
  principal.max_allowed_risk
};
Quota Management
permit(
  principal,
  action == Action::"create",
  resource is StorageObject
) when {
  // Allow the create only if it fits in the remaining quota.
  // current_storage_usage must be read by the enforcement point at request
  // time; object_size is the declared size of the new object (a long).
  // NOTE(review): concurrent creates can each pass this check and together
  // exceed the quota unless usage is reserved before authorization.
  context.current_storage_usage + context.object_size <=
  principal.storage_quota
};
Error Handling
In Cedar, reading an attribute that is absent is an evaluation error, not `false`: the policy that errored is ignored for that request. A permit that errors therefore fails closed, but a forbid that errors fails open. Guard optional attributes with has() before reading them, and place the has() test first in an `||` or `&&` chain so evaluation short-circuits before the read.
Safe Property Access
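permit(
  principal,
  action,
  resource is Document
) when {
  // has() must be evaluated before the attribute is read: a read of a missing
  // attribute is an evaluation error and the policy is skipped entirely.
  // This is the same condition as the original two-branch form,
  // (has && == "public") || !has, with one fewer has() call.
  !resource.has("classification") ||
  resource.classification == "public"
  // NOTE(review): unclassified == public is a fail-open default, and `action`
  // is unconstrained; require the attribute in the schema and scope the
  // action for anything but a demo.
};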
Default Values
permit(
  principal,
  action == Action::"read",
  resource is Document
) when {
  // Use the resource's minimum clearance when it is set, otherwise require
  // clearance 1. has() is tested first in each branch so the attribute is
  // never read when absent (which would error and skip the policy).
  (resource.has("min_clearance") && principal.clearance >= resource.min_clearance) ||
  (!resource.has("min_clearance") && principal.clearance >= 1)
  // NOTE(review): the fallback of 1 is the lowest non-zero level; confirm
  // that is the intended default for documents that forgot to set one.
};
Testing Complex Conditions
# Test with detailed context.
# The request body is fed from a quoted heredoc so the embedded \" escapes in
# the entity IDs reach the authorizer unchanged.
# NOTE(review): this hand-built context (current_hour, execution_count_today,
# delegation_chain) is exactly what a production enforcement point must
# populate itself; never forward a caller-supplied context to /authorize.
curl --request POST http://localhost:8081/authorize \
  --header 'Content-Type: application/json' \
  --data @- <<'EOF'
{
  "principal": "Agent::\"research-bot\"",
  "action": "Action::\"query\"",
  "resource": "Database::\"analytics\"",
  "context": {
    "intent": "analyze_sales_trends",
    "goal": "quarterly_report",
    "current_hour": 14,
    "is_weekday": true,
    "execution_count_today": 42,
    "delegation_chain": [
      {"from": "User::\"analyst\"", "to": "Agent::\"research-bot\""}
    ]
  }
}
EOF
Next Steps
- Intent-Goal Policies - AI-specific patterns
- Policy Management - Organize complex policies