Support for template groups #106

@mwhicks1

Description

Category

Cedar language features

Describe the feature you'd like to request

Allow template policies to be grouped together using the CLI, so they can be linked all at once. Doing so ensures that the application writer cannot mistakenly link one policy in the group separately from all the policies.

Describe the solution you'd like

Consider this pair of template policies:

@id("policy1")
permit(
  principal == ?principal,
  action, 
  resource in ?resource);

@id("policy2")
permit(
  principal == ?principal,
  action == Action::"viewDoc",
  resource in Directory::"DivisionDocs");

This pair represents a role: the linked principal can access any resource in the linked group (policy1), or it can view any document in a particular collection. We want to make sure that both policies are always linked, together, and not just one or the other. Some grouping mechanism would help. For example:

@group("role1")
@id("policy1")
permit(
  principal == ?principal,
  action, 
  resource in ?resource);

@group("role1")
@id("policy2")
permit(
  principal == ?principal,
  action == Action::"viewDoc",
  resource in Directory::"DivisionDocs");

Here we have labeled both policies with the same @group; we could instantiate them together in an API that references the group, rather than an individual policy.

Describe alternatives you've considered

We could achieve a similar effect combining both templates into a single one:

@id("bothpolicies")
permit(
  principal == ?principal,
  action, 
  resource)
when {
   resource in ?resource ||
   (action == Action::"viewDoc" && resource in Directory::"DivisionDocs")
};

This has the drawback that the combined policy is more complicated to understand. It also requires the template slot ?resource to appear in the when condition, rather than the scope, which is currently not supported. Finally, this policy will not index very well in Verified Permissions because of multiple constraints on the action and resource.

Additional context

This feature request only applies to the CLI, using the annotation mechanism as shown. It should have no impact on core Cedar or its APIs.

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change
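As an added illustration (not code from the issue or from the Cedar project), the following Python sketch shows the invariant the proposed @group annotation is meant to enforce: templates are indexed by @id and @group, a whole group is linked in one call with the same slot values, and linking a single member of a group on its own is refused. The slot-substitution helpers and the link_group/link_single names are assumptions for illustration, not Cedar CLI or API functions.

```python
import re

# Constructed sample: the issue's two templates, carrying the proposed @group annotation.
TEMPLATES = '''
@group("role1") @id("policy1")
permit(principal == ?principal, action, resource in ?resource);

@group("role1") @id("policy2")
permit(principal == ?principal, action == Action::"viewDoc",
       resource in Directory::"DivisionDocs");
'''

ANNOT = re.compile(r'@(\w+)\("([^"]*)"\)')        # @name("value") annotations
SLOT = re.compile(r'\?(principal|resource)\b')    # Cedar template slots

def parse_templates(text):
    """Map each @id to (group or None, policy body with annotations stripped)."""
    templates = {}
    for chunk in filter(None, (c.strip() for c in text.split(';'))):
        annots = dict(ANNOT.findall(chunk))
        templates[annots['id']] = (annots.get('group'), ANNOT.sub('', chunk).strip())
    return templates

def _instantiate(pid, body, slots):
    # Every slot the template uses must be filled; a leftover slot is not a valid policy.
    missing = set(SLOT.findall(body)) - set(slots)
    if missing:
        raise ValueError(f'{pid}: unfilled slots {sorted(missing)}')
    return SLOT.sub(lambda m: slots[m.group(1)], body) + ';'

def link_group(templates, group, slots):
    """Link every template in a group in one step; returns {policy_id: linked policy}."""
    members = {pid: body for pid, (g, body) in templates.items() if g == group}
    if not members:
        raise KeyError(f'no templates carry @group("{group}")')
    return {pid: _instantiate(pid, body, slots) for pid, body in members.items()}

def link_single(templates, pid, slots):
    """Link one ungrouped template; a group member is refused so a role cannot be half-linked."""
    group, body = templates[pid]
    if group is not None:
        raise ValueError(f'{pid} belongs to @group("{group}"); link the whole group instead')
    return _instantiate(pid, body, slots)
```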

Labels: feature-request (This issue requests a substantial new feature)