23 Jan 2025 09:35 AM
How can you restrict read access to settings for a user group with the "Standard User" policy applied?
23 Jan 2025 09:36 AM
There are basically two mechanisms to consider. If for example one of the default policies you are using with a user group is too permissive or too restrictive, you can consider constricting or relaxing that permission through a separate custom policy that you can then apply to the same group.
Say you do not want users of a group with default “Standard User” policy applied to be able to read settings, even though this is granted through that policy. You can create a new custom policy with:
DENY settings:objects:read, settings:schemas:read, app-settings:objects:read;
And assign it to the same group.
Another powerful mechanism for restricting permissions granted through default policies (or even your own custom policies) is using policy boundaries. These help further restrict group permissions by allowing you to add your own business-specific conditions.
For example, say a number of your user groups have the “Storage All Grail Data Read” permission applied but you only want to allow read access to a specific bucket. In that case, you can create a new policy boundary with the following condition:
Storage:bucket-name="myBucketNameHere";
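To make the difference between the two mechanisms concrete, here is a small added Python model of how a group's effective permissions can be evaluated. It is not Dynatrace's policy engine and not part of the original post; it assumes that a matching DENY statement beats any ALLOW, and that a boundary condition only constrains permissions in the same namespace as its attribute (so a storage:bucket-name condition does not affect settings reads). Policy and permission names are constructed to mirror the answer above.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Statement:
    effect: str                      # "ALLOW" or "DENY"
    permissions: set[str]            # permission names the statement covers
    where: dict[str, str] = field(default_factory=dict)  # attribute -> required value


# Constructed stand-in for the default "Standard User" grants discussed above,
# plus one storage read standing in for "Storage All Grail Data Read".
DEFAULT_POLICY = [
    Statement("ALLOW", {"settings:objects:read", "settings:schemas:read",
                        "app-settings:objects:read"}),
    Statement("ALLOW", {"storage:logs:read"}),
]

# The custom policy from the answer: DENY the three settings reads.
CUSTOM_DENY_POLICY = [
    Statement("DENY", {"settings:objects:read", "settings:schemas:read",
                       "app-settings:objects:read"}),
]

# The policy boundary from the answer: only one bucket may be read.
BUCKET_BOUNDARY = {"storage:bucket-name": "myBucketNameHere"}


def conditions_match(where: dict[str, str], attrs: dict[str, str]) -> bool:
    """Every required attribute must be present in the request with the same value."""
    return all(attrs.get(k) == v for k, v in where.items())


def boundary_ok(boundary: dict[str, str], permission: str, attrs: dict[str, str]) -> bool:
    # Model assumption: a boundary attribute such as "storage:bucket-name" only
    # constrains permissions in the "storage" namespace.
    namespace = permission.split(":")[0]
    relevant = {k: v for k, v in boundary.items() if k.split(":")[0] == namespace}
    return conditions_match(relevant, attrs)


def is_allowed(policies: list[list[Statement]], boundary: dict[str, str],
               permission: str, attrs: dict[str, str]) -> bool:
    """Evaluate one request against all policies bound to a group plus its boundary."""
    matching = [s for policy in policies for s in policy
                if permission in s.permissions and conditions_match(s.where, attrs)]
    if any(s.effect == "DENY" for s in matching):     # explicit DENY always wins
        return False
    if not any(s.effect == "ALLOW" for s in matching):  # no grant at all
        return False
    return boundary_ok(boundary, permission, attrs)   # grant still has to pass the boundary
```

Running is_allowed with and without CUSTOM_DENY_POLICY shows the settings read flipping from granted to denied, while the boundary alone leaves settings reads untouched and only narrows storage reads to the named bucket.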