135 lines
3.1 KiB
Markdown
135 lines
3.1 KiB
Markdown
---
|
|
title: "Access Control Rule Guide"
|
|
description: "A reference guide on access control rule operators"
|
|
lead: "This section contains a reference guide on access control rule operators."
|
|
date: 2022-09-09T15:44:23+10:00
|
|
draft: false
|
|
images: []
|
|
menu:
|
|
reference:
|
|
parent: "guides"
|
|
weight: 220
|
|
toc: true
|
|
---
|
|
|
|
## Operators
|
|
|
|
Rule operators are effectively words which alter the behaviour of particular access control rules. The following table
|
|
is a guide on their use.
|
|
|
|
| Operator | Effect |
|
|
|:-------------:|:--------------------------------------------------------------:|
|
|
| `equal` | Matches when the item value is equal to the provided value |
|
|
| `not equal` | Matches when the item value is not equal to the provided value |
|
|
| `present` | Matches when the item is present with any value |
|
|
| `absent` | Matches when the item is not present at all |
|
|
| `pattern` | Matches when the item matches the regex pattern |
|
|
| `not pattern` | Matches when the item doesn't match the regex pattern |
|
|
|
|
|
|
## Multi-level Logical Criteria
|
|
|
|
Criteria which is described as multi-level logical criteria indicates that it is a list of lists. The first level i.e.
|
|
the list least indented to the right will be referred to the `OR-list`, and the list most indented to the right will be
|
|
referred to the `AND-list`.
|
|
|
|
The OR-list matches if any of the criteria from it's AND-list's matches; in other words, a *__logical OR__*. The
|
|
AND-list matches if all of it's criteria matches the given request; in other words, a *__logical AND__*.
|
|
|
|
In addition to these rules, if the AND-list only needs one item, it can be represented without the second level.
|
|
|
|
### Examples
|
|
|
|
#### List of Lists
|
|
|
|
The following examples show various abstract examples to express a rule that matches either c, or a AND b;
|
|
i.e `(a AND b) OR (c)`. In relation to access control rules all of these should be treated the same. This format should
|
|
not be used for the configuration item type `list(list(object))`, see [List of List Objects](#list-of-list-objects)
|
|
instead.
|
|
|
|
##### Fully Expressed
|
|
|
|
```yaml
|
|
rule:
|
|
- - 'a'
|
|
- 'b'
|
|
- - 'c'
|
|
```
|
|
|
|
##### Omitted Level
|
|
|
|
```yaml
|
|
rule:
|
|
- - 'a'
|
|
- 'b'
|
|
- 'c'
|
|
```
|
|
|
|
##### Compact
|
|
|
|
```yaml
|
|
rule:
|
|
- ['a', 'b']
|
|
- ['c']
|
|
```
|
|
|
|
##### Compact with Omitted Level
|
|
|
|
```yaml
|
|
rule:
|
|
- ['a', 'b']
|
|
- 'c'
|
|
```
|
|
|
|
##### Super Compact
|
|
|
|
```yaml
|
|
rule: [['a', 'b'], ['c']]
|
|
```
|
|
|
|
#### List of List Objects
|
|
|
|
The following examples show various abstract examples that mirror the above rules however the AND-list is a list of
|
|
objects where the key is named `value`. This format should only be used for the configuration item type
|
|
`list(list(object))`, see [List of Lists](#list-of-lists) if you're not looking for a `list(list(object))`
|
|
|
|
##### Fully Expressed
|
|
|
|
```yaml
|
|
rule:
|
|
- - value: 'a'
|
|
- value: 'b'
|
|
- - value: 'c'
|
|
```
|
|
|
|
##### Omitted Level
|
|
|
|
```yaml
|
|
rule:
|
|
- - 'a'
|
|
- 'b'
|
|
- value: 'c'
|
|
```
|
|
|
|
##### Compact
|
|
|
|
```yaml
|
|
rule:
|
|
- ['a', 'b']
|
|
- ['c']
|
|
```
|
|
|
|
##### Compact with Omitted Level
|
|
|
|
```yaml
|
|
rule:
|
|
- ['a', 'b']
|
|
- 'c'
|
|
```
|
|
|
|
##### Super Compact
|
|
|
|
```yaml
|
|
rule: [['a', 'b'], ['c']]
|
|
```
|