allow ANDing (or negating) rules in custom policies
Open, Needs TriagePublic
Actions

Assigned To

None

Authored By

	ralph.van.etten
	Feb 18 2015, 10:01 AM

Description

I was thinking about how to allow clients to have access to our phabricator and I think what is missing is the possibility to AND policy rules.

It would be nice if you can create rules like:

"allow" "members of projects" "myclient" AND "members of projects" "project1" AND "signers of legalpad documents" "L1"
"if no rules match": deny

So you can only access the object when you are member of myclient AND project1 AND have signed the legal pad document.

What would fit the current Edit Policy UI and accomplices the same is allowing to negate a rule so you can explicitly deny access to anyone who has not signed "L1" or is a member of a project :

"deny" NOT "signers of legalpad documents" "L1"
"deny" NOT "member of" "project1, myclient"
If No Rules Match: "allow"

Also, if you can AND (or negate) policy rules and you threat projects as namespaces, I think it is already close to a solution for T3820.

Related Objects

Mentioned Here: T3820: Implement top-level "Spaces" that provide policy isolation to groups of objects

Event Timeline

ralph.van.etten created this task.Feb 18 2015, 10:01 AM

ralph.van.etten raised the priority of this task from to Needs Triage.

ralph.van.etten updated the task description. (Show Details)

ralph.van.etten added a subscriber: ralph.van.etten.

chad added a project: Policy.Feb 18 2015, 4:43 PM

eadler added a subscriber: eadler.Apr 14 2016, 5:48 AM

Herald added a subscriber: amckinley. · View Herald TranscriptSep 9 2019, 5:08 PM

allow ANDing (or negating) rules in custom policiesOpen, Needs TriagePublicActions

Description

Related Objects

Event Timeline

allow ANDing (or negating) rules in custom policies
Open, Needs TriagePublic
Actions