IAM policy statement syntax and examples
This page uses some simple examples to give you a quick overview of how to work with IAM policy statements.
-
For a generated list of all supported values for each IAM service, permission, and condition, see IAM services reference.
-
These examples use Dynatrace Settings service (
settings
), which enables you to manage the following permissions:schemas:read
objects:read
objects:write
It supports condition
settings:schemaId
, which supports operators=
,!=
, andIN
.
Syntax
In its most basic form, a policy statement starts with the ALLOW
keyword, which is followed by the service (in these examples, settings
), and then a permission (such as schemas:read
). A statement can include an optional condition.
ALLOW <service>
:<permission>
WHERE <condition>
;
Example 1: simple statement
In this example, a user that belongs to a group to which this policy is assigned has read access to all schemas in the Dynatrace settings
service.
ALLOW settings:schemas:read;
Example 2: condition - single value
This example modifies example 1 by adding a condition to limit read access to just one specific schema in the Dynatrace settings
service.
ALLOW settings:schemas:read WHERE settings:schemaId = "builtin:container.monitoring-rule";
The condition is added to this example statement by adding keyword WHERE
followed by the condition, which consists of three parts:
- condition name (
settings:schemaId
) - condition operator (
=
) - condition value (
"builtin:container.monitoring-rule"
)
So this statement says a user that belongs to a group to which this policy is assigned can read schemas in the settings
service, but only if the schema is equal to builtin:container.monitoring-rule
.
If you instead used the condition operator !=
, it would mean that a user that belongs to a group to which this policy is assigned can read schemas in the settings
service, but only if the schema is NOT equal to builtin:container.monitoring-rule
.
Example 3: condition - list of values
This example modifies example 2 to show how to use the IN
operator with a list of values.
ALLOW settings:schemas:read WHERE settings:schemaId IN ("builtin:container.monitoring-rule", "builtin:container.built-in-monitoring-rule");
The condition value in this case takes form of a list of schema IDs enclosed with parentheses and delimited with commas.
So this statement says a user that belongs to a group to which this policy is assigned can read schemas in the settings
service, but only if the schema ID is in this list, and then it defines a comma-separated list of two schema IDs:
("builtin:container.monitoring-rule", "builtin:container.built-in-monitoring-rule")
Example 4: statements on separate lines
Each policy can have multiple statements.
Example policy with two statements:
ALLOW settings:objects:read;
ALLOW settings:objects:write WHERE settings:schemaId = "builtin:container.monitoring-rule";
In this example, a user that belongs to a group to which this policy is assigned can:
- read all
objects
in thesettings
service (there is no condition in the first statement) - write
objects
in thesettings
service only wheresettings:schemaId
is equal tobuiltin:container.monitoring-rule
Example 5: statements combined
Instead of listing permission statements on separate lines, you can combine statements into one line:
ALLOW settings:objects:read, settings:objects:write WHERE settings:schemaId = "builtin:container.monitoring-rule";
A policy with this statement grants read and write access to builtin:container.monitoring-rule
, with the WHERE condition applying to both.
Date and time conditions
The following are simple examples of how to work with time-based conditions in IAM policy statements.
For global:date
, global:date-time
, and global:time-of-day
, the value needs to be specified with a time zone according to ISO/WD 8601-1. Following ISO/WD 8601-1, the character Z
is used to designate that the date is in UTC.
Day of week
The policy is active on specific days of the week (GMT time zone).
Example:
ALLOW service:resource:permission WHERE global:week-day = "Monday";
Operators: =
, IN
Date
The policy is active during a specified date range. Time zone must be specified.
Example:
ALLOW service:resource:permission WHERE global:date > "2022-05-03Z" AND global:date < "2022-05-05Z";
Operators: <
, >
, =
Date and time
The policy is active according to a specified date and time. Time zone must be specified.
Example:
ALLOW service:resource:permission WHERE global:date-time > "2022-05-03T05:00:00+01:00";
Operators: <
, >
Time of day
The policy is active each day during a specified time range. Time zone must be specified.
Example:
ALLOW service:resource:permission WHERE global:time-of-day > "09:00+01:00" AND global:time-of-day < "17:00+01:00";
Operators: <
, >