On this page, you'll find policy recipes that can help you understand policy mechanisms and govern your organization's entities.
While most examples use the PERMIT
action, it can be switched to FORBID
if you desire to invert the decision.
Permit admins to perform any action
Copy {
"when" : [
{
"criterion" : "checkPrincipalRole" ,
"args" : [ "admin" ]
}
] ,
"then" : "permit"
}
We recommend always writing more restrictive rules in a production environment.
Grant access to vault
Copy {
"when" : [
{
"criterion" : "checkPrincipalRole" ,
"args" : [ "admin" ]
} ,
{
"criterion" : "checkAction" ,
"args" : [ "grantPermission" ] ,
} ,
{
"criterion" : "checkResource" ,
"args" : [ "vault" ]
} ,
{
"criterion" : "checkPermission" ,
"args" : [ "wallet:read" , "wallet:create" , "wallet:import" ]
}
] ,
"then" : "permit"
}
Permit users from a group to access an accounts group
This policy recipe gives access to users from the group engineering
to all accounts in the group engineering-test-accounts
.
Copy {
"when" : [
{
"criterion" : "checkPrincipalGroup" ,
"args" : [ "engineering" ]
} ,
{
"criterion" : "checkAccountGroup" ,
"args" : [ "engineering-test-accounts" ]
}
] ,
"then" : "permit"
}
Forbid transfers to specific destination addresses
This recipe forbids signing transactions on Ethereum and Polygon to a list of specific addresses.
Copy {
"when" : [
{
"criterion" : "checkAction" ,
"args" : [ "signTransaction" ]
} ,
{
"criterion" : "checkDestinationAddress" ,
"args" : [ "0xd56C620Fcc69867957b7Fb3Fc35b24a64a9728Df" , "0x48cfBED7c8ff97Bbc9C4bBE07064446059e0dCDe" ]
} ,
{
"criterion" : "checkIntentChainId" ,
"args" : [ "1" , "137" ]
}
] ,
"then" : "forbid"
}
Require approval for a member to transfer ERC-721 or ERC-1155 tokens
This is a policy recipe that mandates approvals from two specific users when a user with a member
role attempts to transfer ERC-721 or ERC-1155 tokens.
Copy {
"when" : [
{
"criterion" : "checkPrincipalRole" ,
"args" : [ "member" ]
} ,
{
"criterion" : "checkAction" ,
"args" : [ "signTransaction" ]
} ,
{
"criterion" : "checkIntentType" ,
"args" : [ "transferErc721" , "transferErc1155" ]
} ,
{
"criterion" : "checkApprovals" ,
"args" : [
{
"approvalCount" : 2 ,
"countPrincipal" : false ,
"approvalEntityType" : "Narval::User" ,
"entityIds" : [
"50832cf8-89ae-489d-9ffa-e1d8ad650253" ,
"0e53cbaa-2f89-4e18-886a-f2550c835580"
]
}
]
}
] ,
"then" : "permit"
}
Permit anyone to perform native transfers of up to 1 MATIC every 24 hours
Copy {
"when" : [
{
"criterion" : "checkAction" ,
"args" : [ "signTransaction" ]
} ,
{
"criterion" : "checkIntentType" ,
"args" : [ "transferNative" ]
} ,
{
"criterion" : "checkIntentToken" ,
"args" : [ "eip155:137/slip44:966" ]
} ,
{
"criterion" : "checkSpendingLimit" ,
"args" : {
"limit" : "1000000000000000000" ,
"operator" : "lte" ,
"timeWindow" : {
"type" : "rolling" ,
"value" : 86400
} ,
"filters" : {
"perPrincipal" : true ,
"tokens" : [ "eip155:137/slip44:966" ]
}
}
}
] ,
"then" : "permit"
}
Require approval for members of a group to transfer more than 1 MATIC every 24 hours
Copy {
"when" : [
{
"criterion" : "checkPrincipalGroup" ,
"args" : [ "treasury-group-id" ]
} ,
{
"criterion" : "checkSpendingLimit" ,
"args" : {
"limit" : "1000000000000000000" ,
"operator" : "gte" ,
"timeWindow" : {
"type" : "rolling" ,
"value" : 86400
} ,
"filters" : {
"userGroups" : [ "treasury-group-id" ] ,
"tokens" : [ "eip155:1/slip44:966" ]
}
}
} ,
{
"criterion" : "checkApprovals" ,
"args" : [
{
"approvalCount" : 1 ,
"countPrincipal" : false ,
"approvalEntityType" : "Narval::UserRole" ,
"entityIds" : [ "admin" ]
}
]
}
] ,
"then" : "permit"
}
Last updated 3 months ago