Access Policies

Access Policies are modeled after industry-standard Identity and Access Management (IAM) to define compliance, enforcement and monitoring across internal and third-party systems. By controlling which keys that services can request and what data they can decrypt, security teams can manage their data infrastructure through declarative policies instead of human-driven best practices.

type AccessRole {
  Policies []AccessPolicy `json:"policies"`
}

type AccessPolicy struct {
  Rules []PolicyRule `json:"rules"`
}

type PolicyRule struct {
  // Example = "success" or "error"
  Status string `json:"status"`
  // Example = ["um:group:team_id::support"]
  Agents []string `json:"agents"`
  // Example = ["um:api:op::Encrypt", "um:api:op::Decrypt"]
  Actions  []string `json:"actions"`
  // Example = ["um:user"]
  Resources []string `json:"resources"`
  // Example = [{
  //   "type": "um:auth:mfa"
  // }, {
  //   "type": "um:auth:quorum",
  //   "quorum": {
  //     "agent": "um:group:team_id::support_approvers",
  //     "exclude_current_agent": true,
  //     "min": 2
  //   }
  // }]
  Conditions []PolicyRuleCondition `json:"conditions"`
}

type PolicyRuleCondition struct {
  Type string                   `json:"type"`
  Match map[string]string       `json:"match"`
  Quorum map[string]interface{} `json:"quorum`
}
import (
    "reflect"
    "github.com/ume/api/pkg/mirror"
    "github.com/ume/api/pkg/policy/simulator"
)

func HandleSensitiveData(form *Form) {
    policy := mirror.AccessPolicy{
        Rules: []mirror.PolicyRule{
            {
                Status: "success",
                Agents: ["um:client:browser::*"]
                Actions: ["um:api:kms::GetPublicKey", "um:api:op::Encrypt"],
                Conditions: []mirror.PolicyRuleCondition{
                    {Type: "um:auth:csrf"},
                },
            },
        },
    }

    policySimulator := simulator.NewPolicySimulator()
    policyResponse := policySimulator.Eval(mirror.AccessRole{
        Policies: []mirror.AccessPolicy{policy},
    }, mirror.AccessRequest{
        Actions: ["um:api:kms::GetKey"],
        Resource: "um:kms:aws::us-west-2:*:key/*",
    })

    if policyResponse.Status == "denied" {
    // Successfully rejected access to high sensitivity keys
    }
}