Overview

Security policies in TruSec define who can access what resources and under what conditions. Policies use a declarative syntax that’s easy to read and maintain.

Policy Structure

Every policy consists of the following components:
{
  "effect": "allow",
  "principals": ["user:*"],
  "actions": ["read"],
  "resources": ["documents/*"],
  "conditions": {}
}
Field | Description
----- | -----------
effect | allow or deny
principals | Who the policy applies to
actions | What operations are permitted
resources | Which resources are affected
conditions | Optional constraints

Creating Policies

Basic Policy

Allow users to read their own profile:
const policy = await trusec.policies.create({
  name: 'user-read-own-profile',
  effect: 'allow',
  principals: ['user:${self}'],
  actions: ['read'],
  resources: ['users/${self}'],
});

Role-Based Policy

Allow admins to manage all users:
const policy = await trusec.policies.create({
  name: 'admin-manage-users',
  effect: 'allow',
  principals: ['role:admin'],
  actions: ['create', 'read', 'update', 'delete'],
  resources: ['users/*'],
});

Conditional Policy

Allow access only during business hours:
const policy = await trusec.policies.create({
  name: 'business-hours-only',
  effect: 'allow',
  principals: ['role:employee'],
  actions: ['read', 'write'],
  resources: ['internal-docs/*'],
  conditions: {
    time: {
      after: '09:00',
      before: '17:00',
      timezone: 'America/New_York',
      weekdays: ['monday', 'tuesday', 'wednesday', 'thursday', 'friday'],
    },
  },
});

Condition Types

Restrict access based on time of day, day of week, or date ranges.
{
  "time": {
    "after": "09:00",
    "before": "17:00",
    "weekdays": ["monday", "friday"]
  }
}

Restrict access to specific IP addresses or CIDR ranges.
{
  "ip": {
    "allowlist": ["192.168.1.0/24", "10.0.0.0/8"]
  }
}

Restrict access based on geographic location.
{
  "geo": {
    "countries": ["US", "CA", "GB"],
    "exclude": ["RU", "CN"]
  }
}

Restrict based on user or resource attributes.
{
  "attributes": {
    "user.department": "engineering",
    "user.verified": true
  }
}

Policy Evaluation

TruSec evaluates policies in the following order:

1. Explicit Deny: any explicit deny policy takes precedence over all other policies.
2. Explicit Allow: if no deny policy matches, check for matching allow policies.
3. Default Deny: if no policies match, access is denied by default.
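The evaluation order above, applied to policies in the structure shown earlier on this page together with the ip and attributes condition types, as an added example evaluator in JavaScript. This is not TruSec's own code: the glob '*' and IPv4 CIDR matching rules, the fail-closed handling of other condition types, and the sample policies are assumptions.

```javascript
// Added example (not TruSec's own code): a deny-overrides evaluator for the
// policy structure on this page. Glob '*' and IPv4 CIDR matching are assumptions.
function matches(pattern, value) { // '*' matches any run of characters
  const parts = pattern.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$').test(value);
}
function ipInCidr(ip, cidr) { // IPv4 containment for ip.allowlist entries
  const [net, bits = '32'] = cidr.split('/');
  const toInt = s => s.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
  const mask = Number(bits) === 0 ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(net) & mask) >>> 0);
}
// ip and attributes conditions; unhandled condition types fail closed.
function conditionsMatch(conditions = {}, ctx = {}) {
  return Object.entries(conditions).every(([type, spec]) => {
    if (type === 'ip') {
      return typeof ctx.ip === 'string' && (spec.allowlist || []).some(c => ipInCidr(ctx.ip, c));
    }
    if (type === 'attributes') { // 'user.department' is read as ctx.user.department
      return Object.entries(spec).every(([key, want]) =>
        key.split('.').reduce((o, p) => (o == null ? undefined : o[p]), ctx) === want);
    }
    return false;
  });
}
function policyMatches(p, req) {
  return p.principals.some(x => matches(x, req.principal)) &&
    p.actions.some(x => matches(x, req.action)) &&
    p.resources.some(x => matches(x, req.resource)) &&
    conditionsMatch(p.conditions, req.context);
}
// Evaluation order from this page: explicit deny, then explicit allow, else
// default deny. Result has the same shape as the simulator's.
function evaluate(policies, req) {
  const matched = policies.filter(p => policyMatches(p, req));
  const denies = matched.filter(p => p.effect === 'deny').map(p => p.name);
  if (denies.length > 0) return { allowed: false, matchedPolicies: denies };
  const allows = matched.filter(p => p.effect === 'allow').map(p => p.name);
  return { allowed: allows.length > 0, matchedPolicies: allows };
}
// Constructed sample policies mirroring the examples on this page.
const SAMPLE_POLICIES = [
  { name: 'admin-manage-users', effect: 'allow', principals: ['role:admin'],
    actions: ['create', 'read', 'update', 'delete'], resources: ['users/*'] },
  { name: 'deny-confidential-delete', effect: 'deny', principals: ['user:*'],
    actions: ['delete'], resources: ['documents/confidential/*'] },
  { name: 'office-engineers-read-docs', effect: 'allow', principals: ['user:*'],
    actions: ['read'], resources: ['documents/*'], conditions: {
      ip: { allowlist: ['192.168.1.0/24'] }, attributes: { 'user.department': 'engineering' } } },
];
```

Calling `evaluate(SAMPLE_POLICIES, { principal: 'user:user_123', action: 'delete', resource: 'documents/confidential/budget.pdf', context: { ip: '192.168.1.100' } })` returns `{ allowed: false, matchedPolicies: ['deny-confidential-delete'] }`; the same user reading `documents/readme.md` from an allowlisted address with `user.department` set to `engineering` is allowed, and from any other address falls through to default deny.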

Policy Sets

Group related policies into policy sets for easier management:
const policySet = await trusec.policySets.create({
  name: 'engineering-team-access',
  description: 'Access policies for engineering team members',
  policies: [
    'pol_read_repos',
    'pol_write_code',
    'pol_deploy_staging',
  ],
});

// Attach to a role
await trusec.roles.attachPolicySet({
  roleId: 'role_engineering',
  policySetId: policySet.id,
});

Testing Policies

Use the policy simulator to test your policies before deploying:
const result = await trusec.policies.simulate({
  principal: 'user:user_123',
  action: 'delete',
  resource: 'documents/confidential/budget.pdf',
  context: {
    time: '2024-01-15T14:30:00Z',
    ip: '192.168.1.100',
  },
});

console.log(result.allowed); // false
console.log(result.matchedPolicies); // ['deny-confidential-delete']
Always test policies in a sandbox environment before applying them to production.