Global conditions (with the global:
prefix) are conditions that can be applied to any policy statement because they are not service-specific. Service-specific conditions supported by each service are documented in service reference.
Global condition global:environmentId
returns the environmentId for services within the environment's scope.
Global condition global:userId
returns the user ID of the user making the request.
Global condition global:userGroup
returns a list of groups IDs the user is a member of
Global condition global:usernameDomain
returns the domain of the user.
The following are simple examples of how to work with time-based conditions in policy statements.
Global condition global:date
is used as in the following example.
ALLOW service:resource:permission WHERE global:date > "2022-05-03Z" AND global:date < "2022-05-05Z";
In this example the policy grants access on the 4th of May 2022 in the UTC time zone.
Operators: <
, >
, =
See Date and time formats below for details on date and time formats.
Global condition global:date-time
is used as in the following example.
ALLOW service:resource:permission WHERE global:date-time > "2022-05-03T05:00:00+01:00";
Operators: <
, >
See Date and time formats below for details on date and time formats.
Global condition global:time-of-day
is used as in the following example.
ALLOW service:resource:permission WHERE global:time-of-day > "09:00+01:00" AND global:time-of-day < "17:00+01:00";
Operators: <
, >
See Date and time formats below for details on date and time formats.
Global condition global:week-day
is used as in the following example.
ALLOW service:resource:permission WHERE global:week-day = "Monday";
Operators: =
, !=
, IN
See Date and time formats below for details on date and time formats.
For global:date
, global:date-time
, and global:time-of-day
, specify the value with a time zone according to ISO/WD 8601-1, where the character Z
is used to designate that the date is in UTC.
The policy is active on specific days of the week (GMT time zone).
Example:
ALLOW service:resource:permission WHERE global:week-day = "Monday";
Operators: =
, !=
, IN
The policy is active during a specified date range. The time zone must be specified.
Example:
ALLOW service:resource:permission WHERE global:date > "2022-05-03Z" AND global:date < "2022-05-05Z";
In this example the policy grants access on the 4th of May 2022 in UTC time zone.
Operators: <
, >
, =
The policy is active according to a specified date and time. The time zone must be specified.
Example:
ALLOW service:resource:permission WHERE global:date-time > "2022-05-03T05:00:00+01:00";
Operators: <
, >
The policy is active each day during a specified time range. The time zone must be specified.
Example:
ALLOW service:resource:permission WHERE global:time-of-day > "09:00+01:00" AND global:time-of-day < "17:00+01:00";
Operators: <
, >