Skip to main content

CreateGroupPolicyInput

Attach an ABAC policy to a group. Each policy grants or denies one or more actions on entities whose attributes satisfy the conditions.

input CreateGroupPolicyInput {
  actions: [String!]!
  conditions: Conditions!
  effect: PolicyEffect!
}

Fields

CreateGroupPolicyInput.actions ● [String!]! non-null scalar {#actions}

What members of this group can do. Pass one or more action ids in {entity}:{verb} form. Conditions apply to every action; actions whose entity does not support a given condition simply never match. Duplicate entries are rejected.

CreateGroupPolicyInput.conditions ● Conditions! non-null scalar {#conditions}

Restrict the actions to entities whose attributes match every condition. Send the literal "*" to apply to all entities of each action's type. Per-key, send "*" to match any value or a non-empty list of strings to match a closed set. Within a policy all conditions are AND. Across policies, evaluation is OR.

CreateGroupPolicyInput.effect ● PolicyEffect! non-null enum {#effect}

ALLOW grants the actions. DENY blocks them and wins over any matching ALLOW.

Member Of

createGroupPolicy mutation ● explainPolicy query