sample.yaml

service: https://sample.yaml
identityProvider:
tags:
  admins:
    - userid:maria
policies:
  -
    id: "1"
    description: This policy allows 'userid:foo' to update any resource
    principals:
      - userid:foo
      - tag:admins
    actions:
      - update
    resources:
      - <.*>
    effect: allow
  -
    id: "2"
    description: This policy rejects everything from planet mars
    principals:
      - <.*>
    actions:
      - <.*>
    resources:
      - <.*>
    conditions:
      planet:
        type: StringEqualCondition
        options:
          equals: mars
    effect: deny
  -
    id: "3"
    description: This policy allow read from localhost
    principals:
      - <.*>
    actions:
      - read
    resources:
      - <.*>
    conditions:
      ip:
        type: CIDRCondition
        options:
            cidr: 127.0.0.0/8
    effect: allow
  -
    id: "4"
    description: Only owner
    principals:
      - <.*>
    actions:
      - <.*>
    resources:
      - <.*>
    conditions:
      owner:
        type: MatchPrincipalsCondition
    effect: allow
  -
    id: "5"
    description: Admins on Mozilla domain
    principals:
      - group:admins
    actions:
      - create
    resources:
      - <.*>
    conditions:
      domain:
        type: StringMatchCondition
        options:
          matches: .*\.mozilla\.org
    effect: allow
  -
    id: "6"
    description: Editors can update PTO
    principals:
      - role:editor
    actions:
      - update
    resources:
      - pto