IAM-style policy implementation for creating roles and managing permissions.
iam-policies
About
Define an allowed or denied set of actions against a set of resources with optional context and conditions.
Deny rules trump allow rules: when both a deny rule and an allow rule match an action on a resource, the action is denied.
This is a fork of @ddt/iam, updated with new functionality.
Install
npm install --save iam-policies
Or
yarn add iam-policies
Usage
const { Role } = require('iam-policies');

// Rules are evaluated against a caller-supplied context: `${user.id}` and
// `{${user.bestfriends}}` are placeholders that are filled in from that
// context (plain single-quoted strings here, not template literals).
const role = new Role([
  // Full access to the user's own secrets (effect defaults to 'allow').
  {
    resources: ['secrets:${user.id}:*'],
    actions: ['read', 'write'],
  },
  // Read-only access to each best friend's secrets.
  {
    effect: 'allow',
    resources: ['secrets:{${user.bestfriends}}:*'],
    actions: ['read'],
  },
  // Never read admin secrets, whatever the other rules say.
  {
    effect: 'deny',
    resources: ['secrets:admin:*'],
    actions: ['read'],
  },
]);
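// A role that allows everything, then carves out an explicit deny.
// Named distinctly so it does not collide with the `adminRole` declared
// further down — declaring `const adminRole` twice in one script is a
// SyntaxError, so the original example could not run as written.
const adminWithDenyRole = new Role([
  {
    effect: 'allow',
    resources: ['*'],
    actions: ['*'],
  },
  {
    resources: ['secrets:{${user.bestfriends}}:*'],
    actions: ['read'],
  },
  {
    effect: 'deny',
    resources: ['secrets:admin:*'],
    actions: ['read'],
  },
]);
// false: the explicit deny wins over the wildcard allow (deny rules trump allow rules)
adminWithDenyRole.can('read', 'secrets:admin:super-secret', { user: { id: 456, bestfriends: ['admin'] } });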
// Context for user 456 whose best friends are 123, 563 and 1211.
const context = { user: { id: 456, bestfriends: [123, 563, 1211] } };

// 563 is a best friend, so the read-only friend rule matches -> true
role.can('read', 'secrets:563:sshhh', context);

// The admin deny rule matches -> false
role.can('read', 'secrets:admin:super-secret', context);

// Even if the (possibly caller-controlled) context lists 'admin' as a best
// friend, the deny rule still wins -> false. Context values are substituted
// into resource patterns, so treat them as input to the policy engine.
// NOTE(review): it is not shown here whether a context value containing
// pattern characters such as '*' could widen a match — validate context
// values before passing them in.
const friendsWithAdminContext = { user: { id: 456, bestfriends: ['admin'] } };
role.can('read', 'secrets:admin:super-secret', friendsWithAdminContext);
// A super-user role: one wildcard rule covering every action on every resource.
const adminRole = new Role([
  { resources: ['*'], actions: ['*'] },
]);

// No context is needed because the patterns contain no placeholders.
adminRole.can('read', 'someResource'); // true
adminRole.can('write', 'otherResource'); // true
// Custom condition operators, keyed by the name a rule uses under `conditions`.
// Each operator receives the context value selected by the rule's key path
// (e.g. 'user.age') and the expected value written in the rule, and returns
// whether the rule applies.
const conditions = {
  greatherThan(data, expected) {
    return data > expected;
  },
};
// A role whose allow rule only applies while the custom condition holds.
// The second constructor argument supplies the condition operators by name.
const roleWithCondition = new Role([
  {
    // effect omitted: defaults to 'allow'
    resources: ['secrets:*'],
    actions: ['read', 'write'],
    // operator name -> { context key path: expected value }
    conditions: {
      greatherThan: {
        'user.age': 18,
      },
    },
  },
], conditions);

// 19 > 18, so the condition holds -> true
console.log(roleWithCondition.can('read', 'secrets:sshhh', { user: { age: 19 } }));

// 18 > 18 is false, so the rule does not apply and nothing else allows it -> false
console.log(roleWithCondition.can('read', 'secrets:admin:super-secret', { user: { age: 18 } }));