---
title: "Access Control Rule Guide"
description: "A reference guide on access control rule operators"
summary: "This section contains a reference guide on access control rule operators."
date: 2022-10-19T14:09:22+11:00
draft: false
images: []
weight: 220
toc: true
seo:
  title: "" # custom title (optional)
  description: "" # custom description (recommended)
  canonical: "" # custom canonical URL (optional)
  noindex: false # false (default) or true
---
## Operators
Rule operators are effectively words which alter the behavior of particular access control rules. The following table
is a guide on their use.
| Operator | Effect |
|:-------------:|:--------------------------------------------------------------:|
| `equal` | Matches when the item value is equal to the provided value |
| `not equal` | Matches when the item value is not equal to the provided value |
| `present` | Matches when the item is present with any value |
| `absent` | Matches when the item is not present at all |
| `pattern` | Matches when the item matches the regex pattern |
| `not pattern` | Matches when the item doesn't match the regex pattern |
## Multi-level Logical Criteria
Criteria described as multi-level logical criteria are expressed as a list of lists. The first level, i.e.
the least indented list, will be referred to as the `OR-list`, and the second level, i.e. the most indented list, will be
referred to as the `AND-list`.
The OR-list matches if any of its AND-lists match; in other words, a *__logical OR__*. The
AND-list matches if all of its criteria match the given request; in other words, a *__logical AND__*.
In addition to these rules, if the AND-list only needs one item, it can be represented without the second level.
### Examples
#### List of Lists
The following abstract examples express a rule that matches either c, or a AND b;
i.e. `(a AND b) OR (c)`. In relation to access control rules all of these should be treated the same. This format should
not be used for the configuration item type `list(list(object))`; see [List of List Objects](#list-of-list-objects)
instead.
##### Fully Expressed
```yaml {title="configuration.yml"}
rule:
  - - 'a'
    - 'b'
  - - 'c'
```
##### Omitted Level
```yaml {title="configuration.yml"}
rule:
  - - 'a'
    - 'b'
  - 'c'
```
##### Compact
```yaml {title="configuration.yml"}
rule:
  - ['a', 'b']
  - ['c']
```
##### Compact with Omitted Level
```yaml {title="configuration.yml"}
rule:
  - ['a', 'b']
  - 'c'
```
##### Super Compact
```yaml {title="configuration.yml"}
rule: [['a', 'b'], ['c']]
```
#### List of List Objects
The following abstract examples mirror the above rules, however the AND-list is a list of
objects where the key is named `value`. This format should only be used for the configuration item type
`list(list(object))`; see [List of Lists](#list-of-lists) if you're not looking for a `list(list(object))`.
##### Fully Expressed
```yaml {title="configuration.yml"}
rule:
  - - value: 'a'
    - value: 'b'
  - - value: 'c'
```
##### Omitted Level
```yaml {title="configuration.yml"}
rule:
  - - value: 'a'
    - value: 'b'
  - value: 'c'
```
##### Compact
```yaml {title="configuration.yml"}
rule:
  - [{value: 'a'}, {value: 'b'}]
  - [{value: 'c'}]
```
##### Compact with Omitted Level
```yaml {title="configuration.yml"}
rule:
  - [{value: 'a'}, {value: 'b'}]
  - {value: 'c'}
```
##### Super Compact
```yaml {title="configuration.yml"}
rule: [[{value: 'a'}, {value: 'b'}], [{value: 'c'}]]
```
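
The following is an added example, not code from the project: a small Python evaluator that applies the operators from the table and the OR-list/AND-list logic to rules as a YAML parser would hand them over. The `operator` and `key` field names, the item names, the unanchored regex search, and the treatment of absent items by negated operators are assumptions of this example.

```python
import re

def match_criterion(criterion, items):
    """Apply one operator from the table to a dict of request items."""
    op, key, want = criterion["operator"], criterion["key"], criterion.get("value")
    have = items.get(key)  # None means the item is absent
    if op == "present":
        return have is not None
    if op == "absent":
        return have is None
    if op in ("equal", "not equal"):
        hit = have == want
    elif op in ("pattern", "not pattern"):
        # Assumption: unanchored search; anchor the pattern for a full match.
        hit = have is not None and re.search(want, have) is not None
    else:
        raise ValueError(f"unknown operator: {op!r}")
    # Assumption: a negated operator also matches when the item is absent.
    return not hit if op.startswith("not ") else hit

def normalize(rule):
    """Expand the omitted level: a bare entry becomes a one-item AND-list."""
    and_lists = [e if isinstance(e, list) else [e] for e in rule]
    if any(len(a) == 0 for a in and_lists):
        # all([]) is True, so an empty AND-list would match every request.
        raise ValueError("empty AND-list")
    return and_lists

def rule_matches(rule, items):
    """Logical OR across the OR-list, logical AND within each AND-list."""
    return any(all(match_criterion(c, items) for c in and_list)
               for and_list in normalize(rule))

# Constructed sample criteria; item names are hypothetical.
A = {"operator": "equal", "key": "action", "value": "view"}
B = {"operator": "present", "key": "token"}
C = {"operator": "pattern", "key": "lang", "value": "^en"}
FULLY_EXPRESSED = [[A, B], [C]]   # (a AND b) OR (c)
OMITTED_LEVEL = [[A, B], C]       # same rule, second level omitted for c

if __name__ == "__main__":
    for items in ({"action": "view", "token": "t"}, {"action": "view"}, {"lang": "en-AU"}):
        print(items, rule_matches(FULLY_EXPRESSED, items), rule_matches(OMITTED_LEVEL, items))
```

When reviewing a rule that uses `not equal` or `not pattern`, check how the deployed version treats an absent item, since that decides whether a request that omits the item is matched.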