9 Implementing policies with Cedar
This chapter covers
- Designing and refining a Cedar schema as the foundation for policy authoring
- Writing core Cedar policies, including rules for ownership, viewers, managers, and teams
- Applying standard authorization patterns like discretionary, membership, and relationship permissions
- Enforcing global constraints and enhancing policies with templates and overrides
- Mapping real-world requests to Cedar evaluation and testing policies for correctness
At ACME Corp, the identity team has just finished deploying Cedar across the company’s Customer Collaboration platform. Chapter 7 provided the foundation: Cedar’s schema, syntax, and the PARC model for understanding policies. Now, it’s time to move from theory to practice.
ACME’s needs are varied. Engineers in the R&D group share design documents that must be editable only by their owners and managers. The legal department reviews contracts that should be visible to the entire legal team, but not to other employees. Account managers share marketing materials with customers, sometimes granting short-term access to external collaborators. And, in keeping with ACME’s zero-trust mandate, all access to critical resources must come from company-managed devices, with stricter constraints outside business hours.
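A sketch of how those requirements map onto Cedar policies, added here as an example that is not from the chapter. The `ACME` namespace, the entity types `User`, `Team` and `Document`, their attributes, the action names and the `context` fields are all assumed for illustration rather than taken from the book's schema:

```cedar
// Assumed schema (not the chapter's): namespace ACME with entity types
//   User     { managers: Set<User> }
//   Team
//   Document { owner: User, team: Team }
// actions editDocument and viewDocument, and a request context of the shape
//   { device: { managed: Bool }, hour: Long }

// Discretionary permission: a document's owner may edit it.
permit (
  principal,
  action == ACME::Action::"editDocument",
  resource
) when { principal == resource.owner };

// Relationship permission: the owner's managers may edit it as well.
permit (
  principal,
  action == ACME::Action::"editDocument",
  resource
) when { principal in resource.owner.managers };

// Membership permission: anyone in the legal team may view the team's contracts.
permit (
  principal in ACME::Team::"legal",
  action == ACME::Action::"viewDocument",
  resource
) when { resource.team == ACME::Team::"legal" };

// Template for short-term sharing with an external collaborator; the
// account manager instantiates it per collaborator and unlinks it to revoke.
@id("share-with-external")
permit (
  principal == ?principal,
  action == ACME::Action::"viewDocument",
  resource == ?resource
);

// Global constraint: forbid always wins over permit, so a request from an
// unmanaged device is denied no matter which permit would otherwise match.
forbid (principal, action, resource)
unless { context.device.managed };

// Global constraint: outside business hours, even a managed device is limited
// to viewing. The hour is supplied by the caller in the request context.
forbid (principal, action, resource)
when { context.hour < 8 || context.hour >= 18 }
unless { action == ACME::Action::"viewDocument" };
```

Because every `forbid` overrides every `permit`, the two constraint policies apply to all of the earlier rules without those rules having to repeat the device or time checks.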