Module ironoxide::policy

Policy types

Policies are a list of rules which map data labels to a list of users/groups. This allows the separation of concerns when it comes to labeling data vs defining who to encrypt to.

Policies are defined using the ironcore admin console: https://admin.ironcorelabs.com/policy and are stored on the server. This allows a policy to be updated independently of any application code.

Data labeling is provided in three dimensions (category, sensitivity, dataSubject). You only need to use the dimensions that make sense for your use case. The values of the labels are arbitrary, but the example below may be instructive in selecting label names.

In addition to defining labels, a list of rules is required to map the labels to a set of users/groups. Rules are checked in the order they are defined. If a rule matches, it can produce any number of users/groups. Rules defined after the matching rule will not be processed.

%USER% and %LOGGED_IN_USER% are special tokens that are replaced when the policy is applied:

  • %USER% - replaced by substitute_user_id (see PolicyGrant)
  • %LOGGED_IN_USER% - replaced by the user currently authenticated to make SDK calls.

A policy could look something like:

{
 "dataSubjects": [
   "PATIENT",
   "EMPLOYEE"
 ],
 "sensitivities": [
   "RESTRICTED",
   "CLASSIFIED",
   "INTERNAL"
 ],
 "categories": [
   "HEALTH",
   "PII"
 ],
 "rules": [
   {
     "sensitivity": "RESTRICTED",
     "users": [
       "%USER%"
     ],
     "dataSubject": "PATIENT",
     "groups": [
       "group_other_%USER%",
       "group_id_doctors",
       "data_recovery"
     ],
     "category": "HEALTH"
   },
   {
     "sensitivity": "INTERNAL",
     "users": [
       "joe@ironcorelabs",
       "%LOGGED_IN_USER%"
     ],
     "groups": [
       "group_%LOGGED_IN_USER%",
       "data_recovery"
     ],
     "category": "PII"
   },
   {
     "groups": [
       "data_recovery"
     ]
   }
 ]
}

Example:

PolicyGrant::new(Some("PII".try_into()?), Some("INTERNAL".try_into()?), None, None);

If the current user of the SDK is "alice@ironcorelabs" and the PolicyGrant above is evaluated, it will match the second-to-last rule in the example policy above and will return users [joe@ironcorelabs, alice@ironcorelabs] and groups [group_alice@ironcorelabs, data_recovery].

The PolicyGrant PolicyGrant::new(None, None, None, None) will match the last rule in the example and will return the group [data_recovery].
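As an added illustration of the rule matching and token substitution described above (this is not ironoxide's own code: Rule and Grant are hypothetical stand-ins for the SDK's policy and PolicyGrant types, and the policy data is the example policy above transcribed by hand), a minimal evaluator in Rust. It assumes that a dimension absent from a rule acts as a wildcard, and that an entry needing %USER% is dropped when the grant carries no substitute user; neither assumption is stated on this page.

```rust
/// Hypothetical stand-in for one policy rule (not the SDK's own type). A dimension left
/// as None is a wildcard; Some(v) must equal the grant's value for that dimension.
pub struct Rule {
    pub category: Option<&'static str>,
    pub sensitivity: Option<&'static str>,
    pub data_subject: Option<&'static str>,
    pub users: &'static [&'static str],
    pub groups: &'static [&'static str],
}

/// Hypothetical stand-in for PolicyGrant: the labels being looked up plus substitute_user.
pub struct Grant<'a> {
    pub category: Option<&'a str>,
    pub sensitivity: Option<&'a str>,
    pub data_subject: Option<&'a str>,
    pub substitute_user: Option<&'a str>,
}

/// The example policy from this page, transcribed by hand as constructed data (rule order kept).
pub const EXAMPLE_POLICY: &[Rule] = &[
    Rule { category: Some("HEALTH"), sensitivity: Some("RESTRICTED"), data_subject: Some("PATIENT"),
           users: &["%USER%"], groups: &["group_other_%USER%", "group_id_doctors", "data_recovery"] },
    Rule { category: Some("PII"), sensitivity: Some("INTERNAL"), data_subject: None,
           users: &["joe@ironcorelabs", "%LOGGED_IN_USER%"], groups: &["group_%LOGGED_IN_USER%", "data_recovery"] },
    Rule { category: None, sensitivity: None, data_subject: None, users: &[], groups: &["data_recovery"] },
];

fn dim_matches(rule: Option<&str>, grant: Option<&str>) -> bool {
    rule.map_or(true, |r| grant == Some(r))
}
/// Expand %LOGGED_IN_USER% and %USER%. Assumption (the page does not say): an entry that
/// needs %USER% is dropped when the grant carries no substitute user.
fn expand(entry: &str, logged_in: &str, substitute_user: Option<&str>) -> Option<String> {
    let s = entry.replace("%LOGGED_IN_USER%", logged_in);
    if s.contains("%USER%") { Some(s.replace("%USER%", substitute_user?)) } else { Some(s) }
}

fn expand_all(entries: &[&str], logged_in: &str, substitute_user: Option<&str>) -> Vec<String> {
    entries.iter().filter_map(|e| expand(e, logged_in, substitute_user)).collect()
}

/// Rules are checked in order; the first match wins and later rules are never consulted.
/// Returns (users, groups), or None when no rule matches the grant.
pub fn evaluate(policy: &[Rule], grant: &Grant<'_>, logged_in: &str) -> Option<(Vec<String>, Vec<String>)> {
    let rule = policy.iter().find(|r| dim_matches(r.category, grant.category)
        && dim_matches(r.sensitivity, grant.sensitivity) && dim_matches(r.data_subject, grant.data_subject))?;
    Some((expand_all(rule.users, logged_in, grant.substitute_user),
          expand_all(rule.groups, logged_in, grant.substitute_user)))
}
```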

Structs

Category
DataSubject
PolicyGrant: Document access granted by a policy.
Sensitivity