From ae5e7a3d9875b618d07a7ef13f251ee2f896a71d Mon Sep 17 00:00:00 2001 From: Sachin Chaurasiya Date: Fri, 31 Mar 2023 18:36:09 +0530 Subject: [PATCH] doc: update rule doc to include conditions (#10845) --- .../entity/policies/accessControl/rule.md | 78 +++++++++++++++++-- 1 file changed, 70 insertions(+), 8 deletions(-) diff --git a/openmetadata-docs/content/main-concepts/metadata-standard/schemas/entity/policies/accessControl/rule.md b/openmetadata-docs/content/main-concepts/metadata-standard/schemas/entity/policies/accessControl/rule.md index 4c2a2aba078..1f3070705e1 100644 --- a/openmetadata-docs/content/main-concepts/metadata-standard/schemas/entity/policies/accessControl/rule.md +++ b/openmetadata-docs/content/main-concepts/metadata-standard/schemas/entity/policies/accessControl/rule.md 
@@ -9,17 +9,79 @@ slug: /main-concepts/metadata-standard/schemas/entity/policies/accesscontrol/rul ## Properties -- **`name`** *(string)*: Name for this Rule. -- **`fullyQualifiedName`**: FullyQualifiedName same as `name`. Refer to *../../../type/basic.json#/definitions/fullyQualifiedEntityName*. -- **`entityTypeAttr`** *(string)*: Entity type that the rule should match on. Default: `None`. -- **`entityTagAttr`**: Entity tag that the rule should match on. Refer to *../../../type/tagLabel.json#/definitions/tagFQN*. Default: `None`. -- **`operation`**: Operation on the entity. Refer to *#/definitions/operation*. Default: `None`. -- **`allow`** *(boolean)*: Allow or Deny operation on the entity. Default: `False`. -- **`priority`** *(integer)*: Priority of this rule among all rules across all policies. Default: `250000`. -- **`deleted`** *(boolean)*: Is the rule soft-deleted. Default: `False`. +- **name (string)**: Name of this Rule +- **fullyQualifiedName (fullyQualifiedEntityName)**: FullyQualifiedName in the form policyName.ruleName. +- **description (markdown)**: Description of the rule. +- **effect (string)**: Indicates whether the rule allows or denies access.", where effect can take on one of two values: "allow" or "deny". +- **operations (array of operation objects)**: List of operation names related to the resources. Use * to include all the operations. +- **resources (array of strings)**: Resources/objects related to this rule. Resources are typically entityTypes such as table, database, etc. It also includes non-entityType resources such as lineage. Use * to include all the resources. +- **condition (expression)**: Expression in SpEL used for matching of a Rule based on entity, resource, and environmental attributes. ## Definitions - **`operation`** *(string)*: This schema defines all possible operations on metadata of data entities. 
Must be one of: `['Create', 'Delete', 'ViewAll', 'ViewUsage', 'ViewTests', 'TableViewQueries', 'TableViewDataProfile', 'TableViewSampleData', 'EditAll', 'EditDescription', 'EditTags', 'EditOwner', 'EditTier', 'EditCustomFields', 'EditLineage', 'EditReviewers', 'EditTests', 'TableEditQueries', 'TableEditDataProfile', 'TableEditSampleData', 'TeamEditUsers']`. +## Condition + +**hasAnyRole:** Returns true if the user (either direct or inherited from the parent teams) has one or more roles from the list. + +**Example:** + +``` +hasAnyRole('DataSteward', 'DataEngineer') + +``` +**inAnyTeam:** Returns true if the user belongs under the hierarchy of any of the teams in the given team list. + +**Example:** + +``` +inAnyTeam('marketing') + +``` +**isOwner:** Returns true if the user belongs under the hierarchy of any of the teams in the given team list. + +**Example:** + +``` +isOwner() +!isOwner +noOwner() || isOwner() + +``` +**matchAllTags:** Returns true if the entity being accessed has all the tags given as input. + +**Example:** + +``` +matchAllTags('PersonalData.Personal', 'Tier.Tier1', 'Business Glossary.Clothing') + +``` +**matchAnyTag:** Returns true if the entity being accessed has at least one of the tags given as input. + +**Example:** + +``` +matchAnyTag('PersonalData.Personal', 'Tier.Tier1', 'Business Glossary.Clothing') + +``` +**matchTeam:** Returns true if the user and the resource belongs to the team hierarchy where this policy is attached. This allows restricting permissions to a resource to the members of the team hierarchy. + +**Example:** + +``` +matchTeam() + +``` +**noOwner**: Returns true if the entity being accessed has no owner. + +**Example:** + +``` +noOwner() +!noOwner +noOwner() || isOwner() + +``` + Documentation file automatically generated at 2022-07-14 10:51:34.749986.
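Review bot: the `isOwner` entry in the new `## Condition` section reuses the `inAnyTeam` description verbatim ("Returns true if the user belongs under the hierarchy of any of the teams in the given team list."), which does not describe ownership; given its examples (`isOwner()`, `noOwner() || isOwner()`) and the `noOwner` entry right below it, it should say something like "Returns true if the user (or a team the user belongs to) is the owner of the entity being accessed." Since these conditions are what decide whether a rule grants or denies access, a reader copying the wrong description into a policy could assume it checks team membership rather than ownership. Smaller points in the same hunk: the `effect` line has a stray `."` after "denies access" (`denies access.", where effect ...`); the examples `!isOwner` and `!noOwner` drop the parentheses that every other call in the section uses (`isOwner()`, `noOwner()`), so for consistency with the SpEL method-call form they should read `!isOwner()` and `!noOwner()`; in `matchTeam`, "the user and the resource belongs" should be "belong"; and the property list now uses `**name (string)**` while the untouched `## Definitions` entry keeps the old `**\`operation\`** *(string)*` form, so one style should be picked. Finally, the file still ends with "Documentation file automatically generated at 2022-07-14 ...", but this change hand-edits the generated output; either update the generator template or drop that footer, otherwise the next regeneration will silently overwrite the new `## Condition` section.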