On this page, you'll find policy recipes that can help you understand policy mechanisms and govern your organization's entities.
{
  "when": [
    {
      "criterion": "checkPrincipalRole",
      "args": ["admin"]
    }
  ],
  "then": "permit"
}
We recommend always writing more restrictive rules in a production environment.
Grant access to vault
{
  "when": [
    {
      "criterion": "checkPrincipalRole",
      "args": ["admin"]
    },
    {
      "criterion": "checkAction",
      "args": ["grantPermission"]
    },
    {
      "criterion": "checkResource",
      "args": ["vault"]
    },
    {
      "criterion": "checkPermission",
      "args": ["wallet:read", "wallet:create", "wallet:import"]
    }
  ],
  "then": "permit"
}
Permit users from a group to access an accounts group
This policy recipe gives access to users from the group engineering to all accounts in the group engineering-test-accounts.
{
  "when": [
    {
      "criterion": "checkPrincipalGroup",
      "args": ["engineering"]
    },
    {
      "criterion": "checkAccountGroup",
      "args": ["engineering-test-accounts"]
    }
  ],
  "then": "permit"
}
Forbid transfers to specific destination addresses
This recipe forbids signing transactions on Ethereum and Polygon to a list of specific addresses.
{
  "when": [
    {
      "criterion": "checkAction",
      "args": ["signTransaction"]
    },
    {
      "criterion": "checkDestinationAddress",
      "args": ["0xd56C620Fcc69867957b7Fb3Fc35b24a64a9728Df", "0x48cfBED7c8ff97Bbc9C4bBE07064446059e0dCDe"]
    },
    {
      "criterion": "checkIntentChainId",
      "args": ["1", "137"]
    }
  ],
  "then": "forbid"
}
Require approval for a member to transfer ERC-721 or ERC-1155 tokens
This recipe requires approvals from two specific users when a user with the member role attempts to transfer ERC-721 or ERC-1155 tokens.
{
  "when": [
    {
      "criterion": "checkPrincipalRole",
      "args": ["member"]
    },
    {
      "criterion": "checkAction",
      "args": ["signTransaction"]
    },
    {
      "criterion": "checkIntentType",
      "args": ["transferErc721", "transferErc1155"]
    },
    {
      "criterion": "checkApprovals",
      "args": [
        {
          "approvalCount": 2,
          "countPrincipal": false,
          "approvalEntityType": "Narval::User",
          "entityIds": [
            "50832cf8-89ae-489d-9ffa-e1d8ad650253",
            "0e53cbaa-2f89-4e18-886a-f2550c835580"
          ]
        }
      ]
    }
  ],
  "then": "permit"
}
{
  "when": [
    {
      "criterion": "checkAction",
      "args": ["signTransaction"]
    },
    {
      "criterion": "checkIntentType",
      "args": ["transferNative"]
    },
    {
      "criterion": "checkIntentToken",
      "args": ["eip155:137/slip44:966"]
    },
    {
      "criterion": "checkSpendingLimit",
      "args": {
        "limit": "1000000000000000000",
        "operator": "lte",
        "timeWindow": {
          "type": "rolling",
          "value": 86400
        },
        "filters": {
          "perPrincipal": true,
          "tokens": ["eip155:137/slip44:966"]
        }
      }
    }
  ],
  "then": "permit"
}
Require approval for members of a group to transfer more than 1 MATIC every 24 hours
{
  "when": [
    {
      "criterion": "checkPrincipalGroup",
      "args": ["treasury-group-id"]
    },
    {
      "criterion": "checkSpendingLimit",
      "args": {
        "limit": "1000000000000000000",
        "operator": "gte",
        "timeWindow": {
          "type": "rolling",
          "value": 86400
        },
        "filters": {
          "userGroups": ["treasury-group-id"],
          "tokens": ["eip155:1/slip44:966"]
        }
      }
    },
    {
      "criterion": "checkApprovals",
      "args": [
        {
          "approvalCount": 1,
          "countPrincipal": false,
          "approvalEntityType": "Narval::UserRole",
          "entityIds": ["admin"]
        }
      ]
    }
  ],
  "then": "permit"
}
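A pre-deployment lint for policies in the shape used by the recipes above, following the recommendation to write more restrictive rules in production. This is an added example, not Narval code: the function name, finding codes and sample ids are hypothetical, and it assumes that any criterion other than checkPrincipalRole or checkPrincipalGroup narrows a rule and that each listed Narval::User can approve at most once.

```python
import json

# Criteria that only say who is asking (names taken from the recipes above).
PRINCIPAL_ONLY = {"checkPrincipalRole", "checkPrincipalGroup"}

def lint_policy(text):
    """Return (code, message) findings for one policy supplied as JSON text."""
    try:
        policy = json.loads(text)  # strict parser: a trailing comma is an error
    except json.JSONDecodeError as exc:
        return [("invalid-json", f"line {exc.lineno}: {exc.msg}")]
    findings = []
    when = policy.get("when", [])
    names = {c.get("criterion") for c in when}
    # A permit constrained only by principal covers every action and resource.
    if policy.get("then") == "permit" and names <= PRINCIPAL_ONLY:
        findings.append(("broad-permit", "no action, resource or intent criterion"))
    for c in when:
        if c.get("criterion") != "checkApprovals":
            continue
        for req in c.get("args", []):
            ids = set(req.get("entityIds", []))
            # Assumption: with Narval::User, each listed user approves at most once.
            if (req.get("approvalEntityType") == "Narval::User"
                    and req.get("approvalCount", 0) > len(ids)):
                findings.append(("unsatisfiable-approval",
                                 f"needs {req['approvalCount']} approvals, {len(ids)} approver(s) listed"))
    return findings

# Constructed sample inputs (ids are placeholders, not real entities).
SAMPLES = {
    "admin-anything": '{"when": [{"criterion": "checkPrincipalRole", "args": ["admin"]}], "then": "permit"}',
    "group-scoped": '{"when": [{"criterion": "checkPrincipalGroup", "args": ["engineering"]},'
                    ' {"criterion": "checkAccountGroup", "args": ["engineering-test-accounts"]}], "then": "permit"}',
    "trailing-comma": '{"when": [{"criterion": "checkAction", "args": ["grantPermission"],}], "then": "permit"}',
    "one-approver": '{"when": [{"criterion": "checkAction", "args": ["signTransaction"]},'
                    ' {"criterion": "checkApprovals", "args": [{"approvalCount": 2, "countPrincipal": false,'
                    ' "approvalEntityType": "Narval::User", "entityIds": ["user-a"]}]}], "then": "permit"}',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, lint_policy(text))
```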