Policy global conditions

Global conditions (with the global: prefix) are conditions that can be applied to any policy statement because they are not service-specific. Service-specific conditions supported by each service are documented in the service reference.

Environment and user conditions

global:environmentId

Global condition global:environmentId returns the environmentId for services within the environment's scope.

global:userId

Global condition global:userId returns the user ID of the user making the request.

global:userGroup

Global condition global:userGroup returns a list of the group IDs the user is a member of.

global:usernameDomain

Global condition global:usernameDomain returns the domain of the user.

Date and time global conditions

The following are simple examples of how to work with time-based conditions in policy statements.

global:date

Global condition global:date is used as in the following example.

ALLOW service:resource:permission WHERE global:date > "2022-05-03Z" AND global:date < "2022-05-05Z";

In this example the policy grants access on the 4th of May 2022 in the UTC time zone.

Operators: <, >, =

See Date and time formats below for details on date and time formats.

global:date-time

Global condition global:date-time is used as in the following example.

ALLOW service:resource:permission WHERE global:date-time > "2022-05-03T05:00:00+01:00";

Operators: <, >

See Date and time formats below for details on date and time formats.

global:time-of-day

Global condition global:time-of-day is used as in the following example.

ALLOW service:resource:permission WHERE global:time-of-day > "09:00+01:00" AND global:time-of-day < "17:00+01:00";

Operators: <, >

See Date and time formats below for details on date and time formats.

global:week-day

Global condition global:week-day is used as in the following example.

ALLOW service:resource:permission WHERE global:week-day = "Monday";

Operators: =, IN

See Date and time formats below for details on date and time formats.

Date and time formats

For global:date, global:date-time, and global:time-of-day, specify the value with a time zone according to ISO/WD 8601-1, where the character Z is used to designate that the date is in UTC.

The policy is active on specific days of the week (GMT time zone).

Example:

ALLOW service:resource:permission WHERE global:week-day = "Monday";

Operators: =, IN

The policy is active during a specified date range. The time zone must be specified.

Example:

ALLOW service:resource:permission WHERE global:date > "2022-05-03Z" AND global:date < "2022-05-05Z";

In this example the policy grants access on the 4th of May 2022 in the UTC time zone.

Operators: <, >, =

The policy is active according to a specified date and time. The time zone must be specified.

Example:

ALLOW service:resource:permission WHERE global:date-time > "2022-05-03T05:00:00+01:00";

Operators: <, >

The policy is active each day during a specified time range. The time zone must be specified.

Example:

ALLOW service:resource:permission WHERE global:time-of-day > "09:00+01:00" AND global:time-of-day < "17:00+01:00";

Operators: <, >
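The following Python sketch is an added example, not vendor code. It models the global:date and global:time-of-day windows shown above, so the boundaries of a time-restricted statement can be checked against sample request times before the policy is relied on. The function names are hypothetical, and the evaluation semantics are an assumption: the request instant is shifted to the offset written in each literal and compared strictly.

```python
import re
from datetime import date, datetime, time, timedelta, timezone

# Assumed semantics (not taken from the vendor): the request instant is shifted
# to the offset written in each literal and then compared strictly (< and >).
_OFFSET = re.compile(r"(Z|[+-]\d{2}:\d{2})$")

def split_literal(literal):
    """Split '2022-05-03Z' or '09:00+01:00' into (body, tzinfo)."""
    match = _OFFSET.search(literal)
    if not match:  # the page requires a time zone on these values
        raise ValueError(f"time zone missing in {literal!r}")
    text = match.group(1)
    if text == "Z":
        return literal[:match.start()], timezone.utc
    sign = -1 if text[0] == "-" else 1
    delta = timedelta(hours=int(text[1:3]), minutes=int(text[4:6]))
    return literal[:match.start()], timezone(sign * delta)

def _local(now, tz):
    if now.tzinfo is None:
        raise ValueError("request time must be timezone-aware")
    return now.astimezone(tz)

def date_between(now, after, before):
    """Model of: global:date > after AND global:date < before."""
    (lo, tz_lo), (hi, tz_hi) = split_literal(after), split_literal(before)
    return (date.fromisoformat(lo) < _local(now, tz_lo).date()
            and _local(now, tz_hi).date() < date.fromisoformat(hi))

def time_of_day_between(now, after, before):
    """Model of: global:time-of-day > after AND global:time-of-day < before."""
    (lo, tz_lo), (hi, tz_hi) = split_literal(after), split_literal(before)
    return (time.fromisoformat(lo) < _local(now, tz_lo).time()
            and _local(now, tz_hi).time() < time.fromisoformat(hi))

if __name__ == "__main__":
    # Constructed request times, all expressed in UTC.
    for hour, minute in [(7, 59), (8, 30), (16, 0)]:
        now = datetime(2022, 5, 4, hour, minute, tzinfo=timezone.utc)
        print(now.isoformat(),
              date_between(now, "2022-05-03Z", "2022-05-05Z"),
              time_of_day_between(now, "09:00+01:00", "17:00+01:00"))
```

Under these assumptions a request at 16:00 UTC falls outside the 09:00+01:00 to 17:00+01:00 window, because it is exactly 17:00 at the +01:00 offset and the only operators available are < and >.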