Reference Matches

This section describes features that are coming in 3.3.

The reference-matches condition allows you to constrain a policy statement so that it applies to entities that match a given Reference. This condition supports regular expressions, so the pattern can target a single Reference or use wildcard expressions to cover a range of References.

In Cloud CMS, a Reference is a string that uniquely locates an item within the system. It takes on a structure that looks like one of the following:

{type}://{platformId}/{id}
{type}://{platformId}/{datastoreId}/{objectId}
node://{platformId}/{repositoryId}/{branchId}/{nodeId}
association://{platformId}/{repositoryId}/{branchId}/{associationId}

Configuration

{
    "type": "reference-matches",
    "config": {
        "reference": "{value regex}"
    }
}

Sample #1

This policy document grants the Consumer role to a specific piece of content with the Reference:

node://11eccae4c69a226e69b1/7498bb23d34a7a269680/d4acbca1eb26b19ee020/46ba5e0d79b83aac97ec

Where:

  • platform ID = 11eccae4c69a226e69b1
  • repository ID = 7498bb23d34a7a269680
  • branch ID = d4acbca1eb26b19ee020
  • node ID = 46ba5e0d79b83aac97ec

The policy might look like this:

{
    "title": "My Sample Policy",
    "statements": [{
        "action": "grant",
        "roles": ["consumer"],
        "conditions": [{
            "type": "reference-matches",
            "config": {
                "reference": "node://11eccae4c69a226e69b1/7498bb23d34a7a269680/d4acbca1eb26b19ee020/46ba5e0d79b83aac97ec"
            }
        }]
    }]
}

Sample #2

Suppose we want to grant access to ALL nodes within a given branch. In this case, the branch we want to constrain to is d4acbca1eb26b19ee020.

We can use regex for that:

{
    "title": "My Sample Policy",
    "statements": [{
        "action": "grant",
        "roles": ["consumer"],
        "conditions": [{
            "type": "reference-matches",
            "config": {
                "reference": "node://11eccae4c69a226e69b1/7498bb23d34a7a269680/d4acbca1eb26b19ee020/.*"
            }
        }]
    }]
}

Sample #3

Or we can constrain to all branches within a given repository (7498bb23d34a7a269680):

{
    "title": "My Sample Policy",
    "statements": [{
        "action": "grant",
        "roles": ["consumer"],
        "conditions": [{
            "type": "reference-matches",
            "config": {
                "reference": "node://11eccae4c69a226e69b1/7498bb23d34a7a269680/.*"
            }
        }]
    }]
}
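
A pre-deployment check for the patterns in Samples #1 to #3, as an added example that is not Cloud CMS code: it lists which References in a constructed inventory each pattern covers, grouped by repository and branch. It assumes the condition must match the whole Reference and that Python's re module behaves like the platform's regex engine for these simple patterns; the "other..." IDs and all function names are made up for illustration.

```python
import re
from collections import Counter

# IDs taken from the samples above; the "other..." IDs are constructed.
PLATFORM, REPO = "11eccae4c69a226e69b1", "7498bb23d34a7a269680"
BRANCH, NODE = "d4acbca1eb26b19ee020", "46ba5e0d79b83aac97ec"

# Constructed inventory of References to test a pattern against.
REFERENCES = [
    f"node://{PLATFORM}/{REPO}/{BRANCH}/{NODE}",
    f"node://{PLATFORM}/{REPO}/{BRANCH}/othernode00000000001",
    f"node://{PLATFORM}/{REPO}/otherbranch000000001/{NODE}",
    f"node://{PLATFORM}/otherrepo00000000001/{BRANCH}/{NODE}",
    f"association://{PLATFORM}/{REPO}/{BRANCH}/otherassoc0000000001",
]

def parse_reference(ref):
    """Split '{type}://{platformId}/...' into (type, [path segments])."""
    m = re.fullmatch(r"([A-Za-z]+)://([^/]+(?:/[^/]+)*)", ref)
    if m is None:
        raise ValueError(f"not a Reference: {ref!r}")
    return m.group(1), m.group(2).split("/")

def matched_references(pattern, references=REFERENCES):
    """References covered by the pattern.
    ASSUMPTION: the whole Reference must match, hence fullmatch()."""
    rx = re.compile(pattern)
    return [r for r in references if rx.fullmatch(r)]

def scope_by_branch(pattern, references=REFERENCES):
    """Count matched node References per (repositoryId, branchId)."""
    scope = Counter()
    for ref in matched_references(pattern, references):
        kind, parts = parse_reference(ref)
        if kind == "node" and len(parts) == 4:
            scope[(parts[1], parts[2])] += 1
    return dict(scope)

if __name__ == "__main__":
    base = f"node://{PLATFORM}/{REPO}"
    for label, pattern in [("Sample #1", f"{base}/{BRANCH}/{NODE}"),
                           ("Sample #2", f"{base}/{BRANCH}/.*"),
                           ("Sample #3", f"{base}/.*")]:
        print(label, scope_by_branch(pattern))
```

Running a proposed pattern against an export of real References before attaching the policy shows how far a trailing .* reaches, since it also crosses "/" boundaries.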