Rules for and or relationship
Defining Relationships¶
- OR
- AND
The syntax given below allows access for either tag1 OR tag2.
Example of OR Relationship
In this example policy, an object MUST have the resource path of /metis/api/v2/workspaces/public OR /metis/api/v2/workspaces/sandbox to qualify for this policy to apply.
In this example policy, an object MUST have the PII.Email OR PII.Sensitive tags to qualify for this policy to apply.
-
Defining Complex Relationships Using AND, OR
This section represents an expression where either "tag1" or both "tag2" and "tag3" should be true. The outermost list contains three elements. The first and second elements represent "tag1" and "tag2" separately. The third element, "tag3," is indented to indicate that it is a child of "tag2," implying that both "tag2" and "tag3" should be true.
-
Example of Complex AND, OR Relationship
For example, to qualify for the following example policy, a subject must have either both tags (
roles:id:pii-readerANDroles:id:testuser) OR the tagroles:id:marketing-manager.
- Evaluating List Attributes using Wildcard
The symbol: is a delimiter in the tags field and paths field, and predicates field; additional syntax includes:
| Wildcard | Wildcard Name | Example | Description |
|---|---|---|---|
| ? | Single Character Wildcard - Matches exactly one occurrence of any character | ?at | Matches cat and bat but not at |
| * | Glob/Asterisk - Matches any number of characters, including none, within the same level of a hierarchy. Can be used to evaluate all items in a list; if any item in the list matches the condition, then the condition passes. | foo:*:bar | Matches foo:baz:bar and foo:zab:bar but not foo:bar nor foo:baz:baz:bar |
| ** | Super Glob/Double Asterisk - Matches any number of characters across multiple levels of a hierarchy. Can be used to evaluate all items in a list; if any item in the list matches the condition, then the condition passes. | foo:**:bar | Matches foo:baz:baz:bar, foo:baz:bar, and foo:bar, but not foobar or foo:baz |
| [] | Character List - Matches exactly one character that is contained within the brackets. | [cb]at | matches cat and bat but not mat nor at |
| (It’s worthing noting that the order of characters within the brackets doesn’t matter, [cb]at and [bc]at function the same way) | |||
| [!] | Negated Character List - Matches any single character that is not listed between the brackets. | [!cb]at | matches tat and mat but not cat nor bat |
| [-] | Ranged Character List - Match a specific character within a certain range. | [a-c]at | cat and bat but not mat nor at |
| [!-] | Negated Ranged Character List | [!a-c]at | matches mat and tat but not cat nor bat |
| {[]} | Alternatives List | {cat,bat,[mt]at} | matches cat, bat, mat, tat and nothing else |
| \ | Backslash (escape) | foo\bar | |
| foo\bar | |||
| foo*bar | matches foo\bar and nothing else | ||
| matches foobar and nothing else | |||
| matches foo*bar and nothing else |
Example Usage: