Overview

A policy grants a set of principals access to resources within an org. It enables fine-grained authorization rules that define the minimum permissions required when accessing resources on the platform.

A policy consists of:

  • A resource, and
  • One or more bindings

Resource

A resource is a Control Plane object (e.g., secret, workload, GVC, etc.).

A policy can be configured to target all or specific resources within your org.

For example, a policy can target all the GVCs within your org, or specifically GVC A and GVC B.

Specific resources can be assigned directly or dynamically (using a query).

Bindings

A binding is a mapping between:

  • A set of permissions (e.g., create, delete, etc.), and
  • Principal membership

The set of permissions that can be assigned in a policy is unique to each resource type.

Principals can be users, groups, service accounts, and identities.
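The resource/binding structure above, as an added illustrative model that is not Control Plane's own implementation or manifest format; the tag-based query semantics, the `identity://` principal form and the permission names are assumptions:

```python
# Illustrative model of a policy: a targeted resource plus bindings that map
# permissions to principals. Added example, not Control Plane's code; the
# tag-query semantics and principal/permission names are assumptions.
from dataclasses import dataclass, field

@dataclass
class Resource:
    kind: str                      # e.g. "secret", "workload", "gvc"
    name: str
    tags: dict = field(default_factory=dict)

@dataclass
class Binding:
    permissions: set               # e.g. {"view", "reveal"}
    principals: set                # user / group / service account / identity

@dataclass
class Policy:
    target_kind: str
    bindings: list
    target_all: bool = False       # target every resource of target_kind
    target_names: set = field(default_factory=set)    # explicit resources
    target_query: dict = field(default_factory=dict)  # dynamic: tag == value

    def targets(self, res: Resource) -> bool:
        """The policy applies to a resource of its kind selected either by
        'all', by name, or by a tag query (assumed query semantics)."""
        if res.kind != self.target_kind:
            return False
        if self.target_all or res.name in self.target_names:
            return True
        return bool(self.target_query) and all(
            res.tags.get(k) == v for k, v in self.target_query.items())

def is_allowed(policies, principal: str, permission: str, res: Resource) -> bool:
    """Deny by default: allow only if some policy targets the resource and
    one of its bindings grants the permission to the principal."""
    return any(permission in b.permissions and principal in b.principals
               for p in policies if p.targets(res) for b in p.bindings)

# Constructed sample: an identity may reveal only secrets tagged env=prod.
SECRET_REVEAL = Policy(
    target_kind="secret",
    target_query={"env": "prod"},
    bindings=[Binding({"view", "reveal"}, {"identity://api-identity"})],
)
PROD_SECRET = Resource("secret", "db-password", {"env": "prod"})
DEV_SECRET = Resource("secret", "db-password-dev", {"env": "dev"})
```

Because the evaluator is deny-by-default, a principal not named in a binding, a permission not listed, or a resource outside the policy's target set all result in no access.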

Examples

  • Allow a user or group access to the console
  • Allow a service account to execute CLI commands
  • Allow an identity access to reveal a secret. The identity can then be associated with a workload. The workload’s containers will have permissions to access the secret and use it as an environment variable.

Reference

Visit the policy reference page.