cedar-policy / cedar

Implementation of the Cedar Policy Language
https://www.cedarpolicy.com
Apache License 2.0

Is it possible to add a custom effect? #1294

Closed tony612 closed 3 weeks ago

tony612 commented 3 weeks ago

Category

Cedar language or syntax features/changes

Describe the feature you'd like to request

I noticed now the effect only contains permit & forbid. But we may want to execute an action after the policy decision, like erasing/masking the data. The config may be like this:

forbid(
  principal == User::"alice", 
  action    == Action::"update", 
  resource  == Photo::"VacationPhoto94.jpg"
  result_action = "erase/mask"     // Define a custom result_action
);

We can get the result action erase after the policy execution and then run the "erase" operation.

Is this feature in the scope of Cedar project?

Describe alternatives you've considered

Add result_action like the above policy config and support returning the result action in SDK.

Additional context

No response

Is this something that you'd be interested in working on?

cdisselkoen commented 3 weeks ago

Would it work to use policy annotations for this? So you would have something like

@result_action("erase/mask")
forbid(
  principal == User::"alice",
  ...

The SDK already returns the IDs of all matched policies with every decision, and you can use those IDs to look up the annotations of the matched policies to check their result_actions.
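
A sketch of the application-side step described in the comment above, added here as an example and not taken from the thread or from the Cedar code base. It depends only on the standard library: the lookup closure stands in for the SDK's annotation lookup, the policy IDs are constructed sample values, and the helper name, the split of "erase/mask" into two values, and the rule that erase outranks mask are assumptions.

```rust
use std::collections::HashMap;

/// Follow-up operations this application supports, least to most restrictive.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum ResultAction { Mask, Erase }

/// Pick the operation to run after a decision (hypothetical helper).
/// `determining`: policy IDs returned with the decision; in the Rust SDK these
/// come from `response.diagnostics().reason()`.
/// `annotation`: returns a policy's `result_action` annotation; in the Rust SDK
/// this is `policy_set.annotation(&id, "result_action")`.
/// Cedar does not interpret annotations, so enforcement happens here.
pub fn resolve_result_action<'a>(
    determining: &[&str],
    annotation: impl Fn(&str) -> Option<&'a str>,
) -> Result<Option<ResultAction>, String> {
    let mut chosen: Option<ResultAction> = None;
    for &id in determining {
        let action = match annotation(id) {
            None => continue, // matched policy without the annotation
            Some("mask") => ResultAction::Mask,
            Some("erase") => ResultAction::Erase,
            // Fail closed: a typo must not silently skip the operation.
            Some(other) => return Err(format!("{id}: unknown result_action {other:?}")),
        };
        // Several policies can match one request; keep the most restrictive.
        chosen = chosen.max(Some(action));
    }
    Ok(chosen)
}

fn main() {
    // Constructed sample data standing in for a parsed policy set.
    let table: HashMap<&str, &str> =
        HashMap::from([("policy0", "mask"), ("policy1", "erase")]);
    let lookup = |id: &str| table.get(id).copied();
    // policy2 has no annotation; erase outranks mask.
    println!("{:?}", resolve_result_action(&["policy0", "policy1", "policy2"], lookup));
}
```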

tony612 commented 3 weeks ago

@cdisselkoen Wow, I didn't notice the annotation syntax before. This seems to work for me, I'll try. Thank you for your quick reply!