-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for template groups #106
Labels
Comments
2 tasks
andrewmwells-amazon
added
enhancement
and removed
pending-triage
Hasn't been triaged yet
labels
Jun 1, 2023
anwarmamat
added
requires-RFC
Needs to go through the RFC process
feature-request
Request for a new feature
and removed
enhancement
labels
Jun 6, 2023
khieta
added
pending-review
Awaiting review by the core team
feature-request
Request for a new feature
requires-RFC
Needs to go through the RFC process
and removed
feature-request
Request for a new feature
requires-RFC
Needs to go through the RFC process
pending-review
Awaiting review by the core team
labels
Jun 6, 2023
Closing this issue in favor of cedar-policy/rfc#7. Please move any future discussion there. |
I am canceling the corresponding RFC and reopening this issue. The proposed change, to be implemented as written, should only apply to the CLI, with no changes to core Cedar or its APIs. This means it does not rise to the level of an RFC and it makes sense to bring back this issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
Category
Cedar language features
Describe the feature you'd like to request
Allow template policies to be grouped together using the CLI, so they can be linked all at once. Doing so ensures that the application writer cannot mistakenly link one policy in the group separately from all the policies.
Describe the solution you'd like
Consider this pair of template policies:
This pair represents a role: the linked principal can access any resource in the linked group (policy1), or it can view any document in a particular collection. We want to make sure that both policies are always linked, together, and not just one or the other. Some grouping mechanism would help. For example:
Here we have labeled both policies with the same
@group
; we could instantiate them together in an API that references the group, rather than individual policy.Describe alternatives you've considered
We could achieve a similar effect combining both templates into a single one:
This has the drawback that the combined policy is more complicated to understand. It also requires the template slot
?resource
to appear in thewhen
condition, rather than the scope, which is currently not supported. Finally, this policy will not index very well in Verified Permissions because of multiple constraints on the action and resource.Additional context
This feature request only applies to the CLI, using the annotation mechanism as shown. It should have no impact on core Cedar or its APIs.
Is this something that you'd be interested in working on?
The text was updated successfully, but these errors were encountered: