# Authorization Policy Designer

## Policy Designer

The Policy Designer tool provides a visual editor to build, manage, and test authorization policies written in the Cedar language. It also lets you quickly test these policies by authorizing users based on their tokens using Jans Cedarling.
You can use Policy Designer to:
- Create and manage policy stores that store multiple Cedar policies in a GitHub repository
- Create Cedar schemas and policies using a visual editor
- Import Cedar schemas and policies
- Validate policies against a given schema
- Test token-based authorization control scenarios using Jans Cedarling
## Key Features

### Policy Store

The Policy Designer uses a GitHub repository designated by the user for storing the schema, policy files, and related details. Using a GitHub repository gives you proper version control and release management for changes to policies and schemas.

The Policy Designer stores these details in a grouping called a **Policy Store**. Essentially, a policy store is a directory in a GitHub repository containing schema and policy details.

One GitHub repository can have multiple policy stores. Each policy store can have multiple policies and schemas with multiple namespaces.
### Wizard-based Editors

The Policy Designer allows you to write policies and test scenarios using a step-by-step wizard. This reduces the learning curve of writing Cedar policies by hand and makes the process less error-prone.

*(Screenshot: Policy Wizard)*

*(Screenshot: Test Wizard)*
## Detailed Walkthrough

### Dashboard

The Policy Designer dashboard lists the policy stores available in the repository. When the user has not selected a repository yet, the dashboard displays instructions for GitHub integration and repository selection, as shown below:
After successful GitHub integration, the user can select a repository by choosing the appropriate option.
Once the repository has been selected, the dashboard will automatically load the stores from GitHub.
Now the user can create a new store as well.
The store list offers some quick-access tools:

- **Edit**: Edit the store.
- **Download**: Download the store in JSON form, which you can use directly in Cedarling authorization.
- **Link**: Copy the store's GitHub link, which you can use in Cedarling authorization.
- **Manage**: Manage the store's schema, policies, and trusted issuers, and test its policies.
- **Delete**: Delete the store.
### Schema Section

Click the **Manage** button in the store list to navigate to the store management page.

Once you create a store, Agama Lab creates one default schema for you, which you can easily modify in the schema section.
#### Manage Namespace

Click the **Manage Namespace** button and you will get the following options:
##### Add namespace

Select the **+ Add New Namespace** option from **Manage Namespace** to add a new namespace. It opens a dialog box for you to enter the new namespace name. Enter a custom name and click **Save** to create the namespace.
##### Rename namespace

Select the **Rename Namespace** option from **Manage Namespace** to rename a namespace. In the rename dialog box, select the namespace and enter a new name to replace the existing one.
##### Delete namespace

Select the **Delete Namespace** option from **Manage Namespace** to delete a namespace. In the delete dialog box, select the namespace to delete it.
#### Import Namespace

If you already have a Cedar JSON schema, you can import it and save it in the policy store. Click the **Import Schema** button and select the file.
#### View Schema

Use this feature to view your schema in JSON and text format.

*(Screenshot: example of the schema JSON view)*

*(Screenshot: example of the schema text view)*
#### Update and Delete Schema Elements

The UI provides options to view, update, and delete schema elements such as Common Types, Entities, and Actions.
### Policies Section

This section helps you view, add, update, and delete policies. You can see your list of policies, and the **Actions** column lets you manage them.
#### Policy Creation

There are two options for creating a policy.

##### Text Editor

This option is simple to use. Click **Add Policy > Text Editor**. A dialog box opens; write your policy and click **Save**.
##### Form Editor

Writing a good and complete Cedar policy is an expert's job, but the form editor provides a simple UI for writing complex Cedar policies.

- The first step is to select the policy effect: **Permit** or **Forbid**, as your requirements dictate.
- The second step is to add a principal for your policy. There are several options; choose as per your need.
- Click **Next** to move on to the **Actions** scope.
- The next step is to add a resource to your policy.
- The next step is to add a condition. This is optional; you can use it to create an ABAC (Attribute-Based Access Control) policy. The **Check** button validates the condition.
- The last step is to add a description of your policy. At this step, you can preview and save the policy. Once you save it, you can view the policy and store its content in your selected GitHub repository.

Click the **Preview** button to see the JSON policy. On the policy dialog box, click **Text Policy** to see the human-readable format of the policy.
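The form-editor steps above (effect, principal, action, resource, optional condition) map directly onto the clauses of a Cedar policy, and the designer also validates policies against the store's schema. The following Python is an added illustration of both ideas; it is not Agama Lab or Cedarling code. It assembles the Cedar policy text from the wizard choices and checks that the chosen entity types, action, and any attributes referenced in the condition are actually declared in a Cedar JSON schema. The schema, the `Jans` namespace, and the entity and action names are constructed for the example.

```python
"""Build a Cedar policy from form-editor choices and check it against a schema.
Added example (not Agama Lab / Cedarling code). Schema and names are constructed."""
import json
import re

# Constructed Cedar JSON schema in the importable shape:
# namespace -> entityTypes / actions (commonTypes omitted for brevity).
SCHEMA_JSON = json.dumps({
    "Jans": {
        "entityTypes": {
            "User": {"shape": {"type": "Record", "attributes": {
                "role": {"type": "String"},
                "email": {"type": "String"}}}},
            "Document": {"shape": {"type": "Record", "attributes": {
                "owner": {"type": "String"},
                "classification": {"type": "String"}}}},
        },
        "actions": {
            "Read": {"appliesTo": {"principalTypes": ["User"],
                                   "resourceTypes": ["Document"]}},
            "Delete": {"appliesTo": {"principalTypes": ["User"],
                                     "resourceTypes": ["Document"]}},
        },
    }
})

# Matches attribute references such as principal.role / resource.owner.
ATTR_REF = re.compile(r"\b(principal|resource)\.([A-Za-z_]\w*)")


def build_policy(effect, principal_type, action, resource_type, namespace,
                 condition=None, description=None):
    """Assemble policy text in the order the wizard asks for it:
    effect -> principal -> action -> resource -> optional `when` condition."""
    if effect not in ("permit", "forbid"):
        raise ValueError("effect must be 'permit' or 'forbid'")
    lines = []
    if description:
        lines.append(f"// {description}")
    lines.append(
        f"{effect}(\n"
        f"  principal is {namespace}::{principal_type},\n"
        f"  action == {namespace}::Action::\"{action}\",\n"
        f"  resource is {namespace}::{resource_type}\n)"
    )
    if condition:
        lines.append(f"when {{ {condition} }}")
    return "\n".join(lines) + ";"


def check_against_schema(schema_json, namespace, principal_type, action,
                         resource_type, condition=None):
    """Return a list of problems (empty when the choices fit the schema)."""
    schema = json.loads(schema_json)
    ns = schema.get(namespace)
    if ns is None:
        return [f"namespace {namespace!r} not in schema"]
    entities = ns.get("entityTypes", {})
    actions = ns.get("actions", {})
    problems = []
    for label, et in (("principal", principal_type), ("resource", resource_type)):
        if et not in entities:
            problems.append(f"{label} type {et!r} not declared in {namespace}")
    spec = actions.get(action)
    if spec is None:
        problems.append(f"action {action!r} not declared in {namespace}")
    else:
        applies = spec.get("appliesTo", {})
        if principal_type not in applies.get("principalTypes", []):
            problems.append(f"action {action!r} does not apply to principal {principal_type!r}")
        if resource_type not in applies.get("resourceTypes", []):
            problems.append(f"action {action!r} does not apply to resource {resource_type!r}")
    if condition:
        # Every attribute the condition reads must exist on the entity's shape.
        for var, attr in ATTR_REF.findall(condition):
            et = principal_type if var == "principal" else resource_type
            attrs = entities.get(et, {}).get("shape", {}).get("attributes", {})
            if attr not in attrs:
                problems.append(f"{var}.{attr} is not an attribute of {et!r}")
    return problems


if __name__ == "__main__":
    choices = dict(principal_type="User", action="Read", resource_type="Document",
                   namespace="Jans", condition='principal.role == "admin"')
    print(check_against_schema(SCHEMA_JSON, choices["namespace"], choices["principal_type"],
                               choices["action"], choices["resource_type"], choices["condition"]))
    print(build_policy("permit", description="Admins may read documents", **choices))
```

The attribute check mirrors what the **Check** button is for: a condition that references an attribute the schema does not declare (for example `principal.department` against the constructed `User` type) is reported before the policy is saved, rather than failing silently at authorization time.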
### Trusted Issuer Section

jans-cedarling offers further features, such as token validation. For token validation, you need to register your Trusted Issuer (IDP) so the token can be validated. jans-cedarling also uses this configuration to map tokens to the Cedar entities used during Cedar authorization.

You can see your list of Trusted Issuers, and the **Actions** column lets you manage them in this section.

Click **Add Issuer** to add a new issuer. The token's metadata is important for mapping tokens to Cedar entities. More Details
### Testing

This feature helps you quickly test your policy with your tokens and request data. You can pass custom data to exercise all your cases and save time.

Agama Lab uses Jans Cedarling WASM to test requests in this section.

- The first step is to set the initial settings for cedarling-wasm. Check here for details about the settings.
- The second step is to set the Access Token, ID Token, and UserInfo Token that you want to authorize.
- The third step is to set an action.
- The fourth step is to set the resource.
- In the fifth step, you can set the context.
- In the last step, you can see the entire request that will be sent to Jans Cedarling. Click the **Test** button to authorize the request.
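The six test-wizard steps end with one request object holding the tokens, action, resource and context. The Python below is an added example, not Agama Lab or Cedarling code: it assembles such a request and, before anything is sent, checks locally that each token's `iss` claim matches one of the trusted issuers registered in the Trusted Issuer section and that the token has not expired, which are the two most common reasons a test request is denied for reasons unrelated to the policy. The field names in `build_request` and the request layout are an assumption about the cedarling-wasm interface, not taken from its documentation; the tokens are constructed, unsigned demo tokens (Cedarling performs the real signature validation, which this code does not attempt).

```python
"""Assemble a Cedarling test request and pre-check token issuer/expiry.
Added example (not Agama Lab / Cedarling code); request field names are assumed."""
import base64
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_jwt(claims: dict) -> str:
    """Constructed, UNSIGNED token for this example only: the third segment is a
    placeholder, so it would not pass Cedarling's signature validation."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.sig-placeholder"


def decode_claims(token: str) -> dict:
    """Read the payload only; no signature check is done here, so the result is
    used solely for a local sanity check of iss/exp before the real test."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected three dot-separated segments)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def preflight(tokens: dict, trusted_issuers: set, now=None) -> list:
    """Report tokens whose issuer is not registered or which have expired."""
    now = time.time() if now is None else now
    problems = []
    for name, tok in tokens.items():
        claims = decode_claims(tok)
        iss = claims.get("iss")
        if iss not in trusted_issuers:
            problems.append(f"{name}: issuer {iss!r} is not a registered trusted issuer")
        if "exp" in claims and claims["exp"] <= now:
            problems.append(f"{name}: expired at {claims['exp']}")
    return problems


def build_request(tokens: dict, action: str, resource: dict, context: dict) -> dict:
    """Assumed layout of the authorize request shown in the wizard's last step."""
    return {"tokens": tokens, "action": action, "resource": resource, "context": context}


if __name__ == "__main__":
    # Constructed values: the issuer URL, subject and resource are placeholders.
    trusted = {"https://idp.example.com"}
    now = int(time.time())
    tokens = {
        "access_token": make_demo_jwt({"iss": "https://idp.example.com", "sub": "alice",
                                       "exp": now + 600}),
        "id_token": make_demo_jwt({"iss": "https://rogue.example.net", "sub": "alice",
                                   "exp": now - 600}),
    }
    for problem in preflight(tokens, trusted, now):
        print("pre-flight:", problem)
    request = build_request(tokens, 'Jans::Action::"Read"',
                            {"type": "Jans::Document", "id": "doc-1"},
                            {"ip": "10.0.0.1"})
    print(json.dumps(request, indent=2))
```

Running the script flags the `id_token` twice (unregistered issuer and expiry) while the `access_token` passes, and then prints the assembled request in the same shape the wizard displays before you click **Test**.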