From 518bc67ef932e76b83e3f81a7d091d582fdf1535 Mon Sep 17 00:00:00 2001 From: Lukas Klass Date: Fri, 13 Nov 2020 00:30:23 +0100 Subject: [PATCH] [DOCS] Clarify use of multiple subjects in ACLs and their logical evaluation (#1454) * Clarify use of multiple subjects and their logical evaluation * Update docs/configuration/access-control.md Co-authored-by: Amir Zarrinkafsh --- docs/configuration/access-control.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/docs/configuration/access-control.md b/docs/configuration/access-control.md index 6bdd2f08a..671fdb600 100644 --- a/docs/configuration/access-control.md +++ b/docs/configuration/access-control.md @@ -55,11 +55,14 @@ protected by Authelia or the protected domain itself. In order to match multiple subdomains, the wildcard matcher character `*.` can be used as prefix of the domain. For instance, to define a rule for all subdomains of *example.com*, one would use `*.example.com` in the rule. A single rule can define multiple domains for matching. +These domains can be either listed in YAML-short form `["example1.com", "example2.com"]` +or in YAML long-form as dashed list. ## Resources -A rule can define multiple regular expressions for matching the path of the resource. If -any one of them matches, the resource criteria of the rule matches. +A rule can define multiple regular expressions for matching the path of the resource +similar to the list of domains. If any one of them matches, the resource criteria of +the rule matches. ## Subjects 
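Review bot: the phrases "YAML-short form" and "YAML long-form" in the added Domains paragraph are not YAML terminology, so a reader searching for them will find nothing; the spec calls these flow style and block style. Suggest: `These domains can be listed either in YAML flow style, e.g. \`["example1.com", "example2.com"]\`, or in block style as a dashed list (one \`- domain\` per line).` Also "as dashed list" should read "as a dashed list". The Resources hunk could name the same two forms explicitly instead of the indirect "similar to the list of domains", since a reader may land on that section without having read Domains.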
@@ -70,10 +73,11 @@ For a user with unique identifier `john`, the subject should be `user:john` and uniquely identified by `developers`, the subject should be `group:developers`. Similar to resources and domains you can define multiple subjects in a single rule. -If you want a combination of subjects to be matched at once, you can specify a list of subjects like -`- ["group:developers", "group:admins"]`. Make sure to preceed it by a list key `-`. -In summary, the first level of subjects are evaluated using a logical `OR`, whereas the second level -by a logical `AND`. +If you want a combination of subjects to be matched at once using a logical `AND`, you can +specify a nested list of subjects like `- ["group:developers", "group:admins"]`. +In summary, the first list level of subjects are evaluated using a logical `OR`, whereas the +second level by a logical `AND`. The last example below reads as: the group is `dev` AND the +username is `john` OR the group is `admins`. ## Networks @@ -135,5 +139,6 @@ access_control: - "^/users/john/.*$" subject: - ["group:dev", "user:john"] + - "group:admins" policy: two_factor ```
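Review bot: the summary sentence added at the end of the Subjects hunk is ambiguous about precedence: "the group is `dev` AND the username is `john` OR the group is `admins`" reads either way to someone who does not already know that the nested list binds first. Suggest making the grouping explicit, e.g. `(the group is \`dev\` AND the username is \`john\`) OR the group is \`admins\``, and stating that each nested list is evaluated as a whole before the outer OR is applied, so matching any single top-level entry is enough for the subject criterion to pass. Also "the first list level of subjects are evaluated" should read "is evaluated" (the subject of the sentence is "level").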
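Review bot: the new explanatory text in the Subjects section relies on this being "the last example below"; if another example is appended to the page later, that pointer goes stale without anyone noticing. Suggest anchoring the semantics in the example itself with YAML comments so the `two_factor` rule is self-describing, e.g. `subject:` / `- ["group:dev", "user:john"]  # both must match (AND)` / `- "group:admins"              # or this alone (OR)`.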