
Policies

Just Auth uses a policy language based on Starlark to define and enforce access control policies. These policies allow you to create custom rules that determine whether access should be granted or denied based on various factors.

Policy Language

Our policy language is based on Starlark, a dialect of Python. This provides a familiar and flexible environment for writing policies while keeping policy evaluation fast and safe.

Available Dictionaries

When writing policies, you have access to the following dictionaries:

  1. actor: Contains information about the user requesting access. Currently available fields are:
    1. id: The ID of the user requesting access.
    2. email: The email address of the user requesting access.
    3. name: The name of the user requesting access.
  2. ticket: Provides details about the associated ticket or work item.
    1. id: The ID of the ticket being accessed.
    2. system: The name of the system that owns the ticket being accessed (e.g. JIRA).
    3. status: The current status of the ticket. Available statuses are: OPEN, CLOSED.
    4. assignee: The ID of the user assigned to the ticket.
    5. priority: The priority of the ticket. Available priorities are: LOW, MEDIUM, HIGH.
    6. summary: The title or summary of the ticket.
    7. creator: The ID of the user who created the ticket.
  3. resource: Includes information about the resource being accessed.
    1. type: The type of the resource being accessed. (e.g. GCP_RESOURCE, AWS_RESOURCE)
    2. privilege: A configurable range of 0-9, where 0 is least privileged and 9 is most privileged.
    3. regex: The pattern used to match the resource.
    4. match: The matching groups in the regex.

Policy Structure

Each policy must set two global variables:

  • reason: A string explaining why the policy passed or failed.
  • result: A boolean indicating whether access should be granted (True) or denied (False).

Example Policy

Here's an example of a valid ticket policy:

# Returns (result, reason); both checks use the injected actor and ticket dictionaries.
def validate_ticket():
    if ticket["status"] != "OPEN":
        return False, "Ticket is not open"

    if actor["id"] != ticket["assignee"]:
        return False, "Ticket not assigned to you"

    return True, "Ticket is valid"

# Set the two globals the policy engine reads back.
result, reason = validate_ticket()
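
A fuller policy that also gates on the resource's privilege level and the ticket's priority, added here as an example that is not part of the Just Auth documentation. It assumes privilege is an integer, that the evaluation environment accepts standard Starlark (so no f-strings), and the privilege bands and creator check are illustrative rules; the sample dictionaries are constructed stand-ins for the ones Just Auth injects.

```python
# Added example policy (not from the Just Auth docs). Written in the Starlark
# subset of Python: no f-strings, classes or exceptions. Assumes privilege is an
# int 0-9 and status/priority are the string values listed in the docs.

# Rank used to compare ticket priorities.
PRIORITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

def required_priority(privilege):
    # Illustrative bands: 0-3 any ticket, 4-6 MEDIUM or above, 7-9 HIGH only.
    if privilege >= 7:
        return "HIGH"
    if privilege >= 4:
        return "MEDIUM"
    return "LOW"

def evaluate(actor, ticket, resource):
    """Return (result, reason) for one access request."""
    if ticket["status"] != "OPEN":
        return False, "Ticket %s is %s, not OPEN" % (ticket["id"], ticket["status"])

    if ticket["assignee"] != actor["id"]:
        return False, "Ticket %s is not assigned to %s" % (ticket["id"], actor["email"])

    # Separation of duties (illustrative): a requester cannot use their own ticket.
    if ticket["creator"] == actor["id"]:
        return False, "Ticket %s was created by the requester" % ticket["id"]

    privilege = resource["privilege"]
    if privilege < 0 or privilege > 9:
        return False, "Resource privilege %d is outside the 0-9 range" % privilege

    needed = required_priority(privilege)
    if PRIORITY_RANK.get(ticket["priority"], -1) < PRIORITY_RANK[needed]:
        return False, "Privilege %d resource needs a %s priority ticket, got %s" % (
            privilege, needed, ticket["priority"])

    return True, "Ticket %s authorises %s access to a privilege %d %s" % (
        ticket["id"], actor["email"], privilege, resource["type"])

# Constructed sample input standing in for the dictionaries Just Auth injects.
actor = {"id": "u-42", "email": "oncall@example.com", "name": "On-call Engineer"}
ticket = {"id": "OPS-101", "system": "JIRA", "status": "OPEN", "assignee": "u-42",
          "priority": "HIGH", "summary": "Rotate prod DB credentials", "creator": "u-7"}
resource = {"type": "GCP_RESOURCE", "privilege": 8,
            "regex": "^projects/(.+)/secrets/(.+)$", "match": ["prod-db", "db-admin"]}

# The two globals Just Auth reads back from the policy.
result, reason = evaluate(actor, ticket, resource)
```

When deploying, drop the three sample dictionaries and keep only the final assignment, since the engine provides `actor`, `ticket` and `resource`.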

Future Enhancements

We are continually working to improve and expand our policy capabilities. Coming soon:

  • WASM Policies: This will allow for even more flexible and powerful policy definitions.
  • WebHook Policies: Enabling integration with external systems for policy decisions.