Recipes

On this page, you'll find policy recipes that can help you understand policy mechanisms and govern your organization's entities.

While most examples use the PERMIT action, it can be switched to FORBID if you desire to invert the decision.

Permit admins to perform any action

{
  when: [
    {
      criterion: Criterion.CHECK_PRINCIPAL_ROLE,
      args: [UserRole.ADMIN]
    }
  ],
  then: Then.PERMIT
}

We recommend always writing more restrictive rules in a production environment.

Grant access to application data

{
  when: [
    {
      criterion: Criterion.CHECK_PRINCIPAL_ROLE,
      args: ['admin']
    },
    {
      criterion: Criterion.CHECK_ACTION,
      args: [Action.GRANT_PERMISSION],
    },
    {
      criterion: Criterion.CHECK_RESOURCE,
      args: ['app:user']
    }
    {
      criterion: Criterion.CHECK_PERMISSION,
      args: ['read', 'create', 'update', 'delete']
    },
  ],
  then: Then.PERMIT
}

Permit users from a group to access an accounts group

This policy recipe gives access to users from the group engineering to all accounts in the group engineering-test-accounts.

{
  when: [
    {
      criterion: Criterion.CHECK_PRINCIPAL_GROUP,
      args: ['engineering']
    }
    {
      criterion: Criterion.CHECK_ACCOUNT_GROUP,
      args: ['engineering-test-accounts']
    }
  ],
  then: Then.PERMIT
}

Forbid transfers to specific destination addresses

This recipe forbids signing transactions on Ethereum and Polygon to a list of specific addresses.

{
  when: [
    {
      criterion: Criterion.CHECK_ACTION,
      args: [Action.SIGN_TRANSACTION]
    },
    {
      criterion: Criterion.CHECK_DESTINATION_ADDRESS,
      args: ['0xd56C620Fcc69867957b7Fb3Fc35b24a64a9728Df', '0x48cfBED7c8ff97Bbc9C4bBE07064446059e0dCDe']
    },
    {
      criterion: Criterion.CHECK_INTENT_CHAIN_ID,
      args: [1, 137]
    },
  ],
  then: Then.FORBID
}

Require approval for an member to transfer ERC-721 or ERC-1155 tokens

This is a policy recipe that mandates approvals from two specific users when a user with a member role attempts to transfer ERC-721 or ERC-1155 tokens.

{
  when: [
    {
      criterion: Criterion.CHECK_PRINCIPAL_ROLE,
      args: [UserRole.MEMBER]
    },
    {
      criterion: Criterion.CHECK_ACTION,
      args: [Action.SIGN_TRANSACTION]
    },
    {
      criterion: Criterion.CHECK_INTENT_TYPE,
      args: [Intents.TRANSFER_ERC721, Intents.TRANSFER_ERC1155]
    },
    {
      criterion: Criterion.CHECK_APPROVALS,
      args: [
        {
          approvalCount: 2,
          countPrincipal: false,
          approvalEntityType: EntityType.User,
          entityIds: [
            '50832cf8-89ae-489d-9ffa-e1d8ad650253',
            '0e53cbaa-2f89-4e18-886a-f2550c835580'
          ]
        }
      ]
    }
  ],
  then: Then.PERMIT
}

Permit native transfers of up to 1 MATIC every 24 hours

{
  when: [
    {
      criterion: Criterion.CHECK_ACTION,
      args: [Action.SIGN_TRANSACTION]
    },
    {
      criterion: Criterion.CHECK_INTENT_TYPE,
      args: [Intents.TRANSFER_NATIVE]
    },
    {
      criterion: Criterion.CHECK_INTENT_TOKEN,
      args: ['eip155:137/slip44:966']
    },
    {
      criterion: Criterion.CHECK_SPENDING_LIMIT,
      args: {
        limit: '1000000000000000000',
        operator: ValueOperators.LESS_THAN_OR_EQUAL,
        timeWindow: {
          type: 'rolling',
          value: "1000000000000000000"
        }
      }
    }
  ],
  then: Then.PERMIT
}

Last updated