
Authorization Policy Designer


Policy Designer

The Policy Designer tool provides a visual editor to build, manage, and test authorization policies written in the Cedar language. It helps you quickly test these policies to authorize users based on tokens using Jans Cedarling.

You can use Policy Designer to:

  1. Create and manage policy stores that store multiple Cedar policies in a GitHub repository
  2. Create Cedar schemas and policies using a visual editor
  3. Import Cedar schemas and policies
  4. Validate policies against a given schema
  5. Test token-based authorization control scenarios using Jans Cedarling

Key Features

Policy Store

The Policy Designer uses a GitHub repository designated by the user for storing details about schema, policy files, etc. Using a GitHub repository enables proper version control and release management of the changes in the policies and schema.

The Policy Designer stores these details in a grouping called Policy Store. Essentially, a policy store is a directory in a GitHub repository containing schema and policy details.

One GitHub repository can have multiple policy stores. Each policy store can have multiple policies and schemas with multiple namespaces.

Wizard-based Editors

The Policy Designer allows you to write policies and test scenarios using a step-by-step wizard. This further reduces the learning curve around writing Cedar policies by hand and makes it less error-prone.

Policy Wizard

policy_wizard.png

Test Wizard

test_wizard.png

Detailed Walkthrough

Dashboard

The Policy Designer dashboard lists the policy stores available in the repository. When the user has not selected a repository yet, the dashboard displays instructions for GitHub integration and repository selection, as shown below:

policy_dashboard.png

After successful GitHub integration, the user can select a repository by choosing the appropriate option.

agama_select_repository.png

Once the repository has been selected, the dashboard will automatically load the stores from GitHub.
Now the user can create a new store as well.

policy_stores.png

There are some quick-access tools available in the list.

policy_tools.png

  • Edit: Used to edit the store.
  • Download: Used to download the store in JSON form, which you can directly use in Cedarling authorization.
  • Link: Used to copy the store’s GitHub link, which you can use in Cedarling authorization.
  • Manage: Used to manage the store’s schema, policies, trusted issuer, and test policies.
  • Delete: Used to delete the store.

Schema Section

Click on the Manage button in the Store List to navigate to the store management page.
Once you create a store, Agama Lab creates one default schema for you, which you can easily modify in the schema section.

policy-schema-section.png

Manage Namespace

Click on the Manage Namespace button and you will get the following options:

policy_manage_namespace.png

Add namespace

Select the + Add New Namespace option from Manage Namespace to add a new namespace.
It will open a dialog box for you to enter the new namespace name.
Enter a custom name and click on Save to create the new namespace.

policy_namespace_creation.png

Rename namespace

Select the Rename Namespace option from Manage Namespace to rename a namespace. In the rename dialog box, select the namespace and enter a new name to replace the existing name.

policy-rename-namespace.png

Delete namespace

Select the Delete Namespace option from Manage Namespace to delete a namespace.
In the delete dialog box, select the namespace to delete it.

Import Namespace

If you already have the Cedar JSON schema, you can easily import it and save it in the policy store. Click on the Import Schema button and select the file.

View Schema

Use this feature to view your schema in JSON and text format.

policy-view-schema.png

Example of schema JSON view:

policy-example-of-schema-JSON-view.png

Example of schema Text view:

example-of-schema-text-view.png

Update and Delete Schema Elements

There are options in the UI where you can easily view, update, and delete schema elements like Common Types, Entities, and Actions.

policy-update-and-delete-schema-elements.png

Policies Section

This section helps you to view, add, update, and delete policies.
You can see your list of policies, and there are Actions to manage policies.

Policies-Section.png

Policy Creation

There are two options to create a policy.

policy-creation.png

Text Editor

This option is simple to use. Click on Add Policy > Text Editor to open a dialog box, write your policy, and click Save.

policy_text_editor.png

Form Editor

Writing a good and complete Cedar policy is an expert’s job, but the form editor provides a simple UI to easily write complex Cedar policies.

  1. The first step is to select the Policy Effect: whether the policy should Permit or Forbid, as per your requirements.

policy_form_editor.png

  2. The second step is to add a principal for your policy. There are several options; choose the one that fits your need.

policy-second-step2.png

  3. Click on Next, and it will take you to the Actions scope.

policy-actions-scope3.png

  4. The next step is to add a resource to your policy.

policy-step-4.png

  5. The next step is to add a condition. This is optional. You can use it to create an ABAC (Attribute-Based Access Control) policy. The Check button will help validate the condition.

policy-step-5.png

  6. The last step is to add a description of your policy. At this step, you can preview and save the policy. Once you save the policy, you can view it and store the content in your selected GitHub repository.

policy-step6.png

Click on the Preview button to see the JSON Policy.

Preview-button-to-see-JSON-Policy.png

On the policy dialog box, click on Text Policy to see the human-readable format of the policy.

On-policy-dialog-box-click-on-Text-Policy-to-see-human-readable-format-of-policy.png
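As an added illustration (not taken from the Agama Lab documentation), the two policies below show how the form editor's choices correspond to the parts of a Cedar policy, and how a Forbid policy interacts with a Permit policy. The `ExampleApp` namespace, its entity types, attributes, and the policy ids are hypothetical and assume a matching schema in the policy store.

```cedar
// Hypothetical policy id; all ExampleApp names are assumptions for illustration.
@id("managers-approve-small-expenses")
// Step 1, Policy Effect: Permit
permit (
  // Step 2, principal scope: any User that is a member of the Manager role
  principal is ExampleApp::User in ExampleApp::Role::"Manager",
  // Step 3, action scope: exactly one action
  action == ExampleApp::Action::"Approve",
  // Step 4, resource scope: any entity of type Expense
  resource is ExampleApp::Expense
)
// Step 5, optional condition: this is what makes the policy attribute-based (ABAC)
when {
  resource.amount <= 1000 &&
  resource.department == principal.department
};

// Step 1, Policy Effect: Forbid. In Cedar a matching forbid always overrides
// any matching permit, and a request matched by no permit is denied by default.
@id("no-self-approval")
forbid (
  principal,  // unconstrained: applies to every principal
  action == ExampleApp::Action::"Approve",
  resource is ExampleApp::Expense
)
when {
  // Deny when the requester owns the expense, even if the permit above matches
  resource.owner == principal
};
```

With both policies in a store, a manager is allowed to approve an expense only when it is in their department, at or below the limit, and not their own.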

Trusted Issuer Section

Jans Cedarling provides some additional features, such as token validation. To validate tokens, you need to register your Trusted Issuer (IDP). Jans Cedarling also uses this configuration to map tokens to the Cedar entities that are used during Cedar authorization.

You can see your list of Trusted Issuers, and there are Actions in this section.

policy-trusted-Issuer-Section.png

Click on Add Issuer to add a new issuer. The token’s metadata is important for mapping tokens to the Cedar entities.

policy-add-Issuer.png

Testing

This feature will help you quickly test your policy with your tokens and requested data.
You can easily pass custom data that helps test all your cases and save time.
Agama Lab uses Jans Cedarling WASM to test requests in this section.

  1. The first step is to set the initial settings for cedarling-wasm. Check here for details about the settings.

testing.png

  2. The second step is to set the Access Token, ID Token, and UserInfo Token that you want to authorize.

second-step-is-to-set-the-access-token.png

  3. The third step is to set an action.

third-step-is-to-set-action.png

  4. The fourth step is to set the resource.

fourth-step-is-to-set-the-Resource.png

  5. In the fifth step, you can set the context.

  6. In the last step, you can see the entire request that will be sent to Jans Cedarling. Click on the Test button to authorize the request.

step6-testing.png
