
Policy expression language reference

At Skyflow, we have developed a strongly typed, human-readable language for authoring complex, granular access control rules. The language is built from parameterized variables and code snippets so that users can author policies without any prior context.

As the following representation of the policy language grammar shows, a policy sentence consists of a decision, an action, a resource, a redaction format (when reading data), and conditions, each represented as a parameterized variable.

[Figure: policy expression language grammar]

Depending on the policy being authored, the policy sentence can take any of the following forms:

READ column policy

Example:

ALLOW READ ON persons.name.last_name WITH REDACTION = PLAIN_TEXT

READ columns with row filter policy

Example:

ALLOW READ ON persons.phone_numbers.*, persons.nationality WITH REDACTION = PLAIN_TEXT WHERE persons.nationality = 'COLOMBIAN'

CREATE, UPDATE, DELETE columns with row filter policy

Example:

ALLOW UPDATE ON payments.consumers.* WHERE consumers.region = 'North America'

TOKENIZATION, DETOKENIZATION on tables policy

Example:

ALLOW TOKENIZATION
ALLOW DETOKENIZATION

Policy examples

Consent-based sharing for contact tracing.

ALLOW READ ON patients.contact.* WHERE patients.consent_given = 'TRUE'

Allow doctors to see data for only those patients they are assigned to.

ALLOW READ ON patients.medication, patients.doctor_notes, patients.last_name WITH REDACTION = PLAIN_TEXT WHERE patients.doctor_id = '17828345839uhj'

Tokenization, Detokenization permission per table.

ALLOW TOKENIZATION
ALLOW DETOKENIZATION

Mask SSN for Customer Agent.

ALLOW READ ON consumers.ssn WITH REDACTION = MASKED
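The following is an added example, not Skyflow's own code: a small parser and evaluator for the policy forms listed under the grammar section and exercised in the policy examples above. It infers a grammar from those sentences (ALLOW, an action, an optional ON resource list, an optional WITH REDACTION format, an optional WHERE row filter), parses each sample sentence into a structured policy, and then resolves a request (action, column, row) to the first policy that allows it, defaulting to deny when none applies. The regular-expression grammar, the `table.*` wildcard and row-filter semantics, the treatment of a missing ON clause as table-wide scope, and the sample policies and rows are all assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample policies in the forms the page lists (hypothetical input, not from a real vault).
SAMPLE_POLICIES = [
    "ALLOW READ ON persons.name.last_name WITH REDACTION = PLAIN_TEXT",
    "ALLOW READ ON persons.phone_numbers.*, persons.nationality "
    "WITH REDACTION = PLAIN_TEXT WHERE persons.nationality = 'COLOMBIAN'",
    "ALLOW UPDATE ON payments.consumers.* WHERE consumers.region = 'North America'",
    "ALLOW TOKENIZATION",
    "ALLOW READ ON consumers.ssn WITH REDACTION = MASKED",
]

ACTIONS = {"READ", "CREATE", "UPDATE", "DELETE", "TOKENIZATION", "DETOKENIZATION"}
REDACTIONS = {"PLAIN_TEXT", "MASKED"}  # only the formats that appear on the page

# Grammar inferred from the page's examples (an assumption, not Skyflow's published grammar):
#   ALLOW <action> [ON <resource>[, <resource>]...] [WITH REDACTION = <format>]
#         [WHERE <column> = '<value>']
_POLICY_RE = re.compile(
    r"^\s*(?P<decision>ALLOW)\s+(?P<action>[A-Z_]+)"
    r"(?:\s+ON\s+(?P<resources>\S.*?))?"
    r"(?:\s+WITH\s+REDACTION\s*=\s*(?P<redaction>[A-Z_]+))?"
    r"(?:\s+WHERE\s+(?P<cond_col>[A-Za-z0-9_.]+)\s*=\s*'(?P<cond_val>[^']*)')?"
    r"\s*$"
)


@dataclass
class Policy:
    decision: str
    action: str
    resources: list = field(default_factory=list)  # dotted column paths, trailing '*' wildcard allowed
    redaction: Optional[str] = None                 # None when the sentence sets no format
    condition: Optional[tuple] = None               # (column, value) row filter, if any


def parse_policy(sentence: str) -> Policy:
    """Parse one policy sentence; reject anything outside the inferred grammar."""
    m = _POLICY_RE.match(sentence)
    if not m:
        raise ValueError(f"unparseable policy: {sentence!r}")
    action = m.group("action")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    redaction = m.group("redaction")
    if redaction is not None and redaction not in REDACTIONS:
        raise ValueError(f"unknown redaction format {redaction!r}")
    raw = m.group("resources")
    resources = [r.strip() for r in raw.split(",")] if raw else []
    condition = (m.group("cond_col"), m.group("cond_val")) if m.group("cond_col") else None
    return Policy(m.group("decision"), action, resources, redaction, condition)


def _covers(pattern: str, column: str) -> bool:
    """'prefix.*' covers every column under that prefix; otherwise an exact match is required."""
    if pattern.endswith(".*"):
        return column.startswith(pattern[:-2] + ".")
    return pattern == column


def authorize(policies, action: str, column: str, row: dict) -> Optional[Policy]:
    """Return the first policy allowing `action` on `column` for `row`, or None (default deny).

    `row` maps the dotted column names used in WHERE clauses to their values; a policy with a
    row filter applies only to rows that satisfy it. An absent ON clause is treated as
    table-wide scope (assumed for the TOKENIZATION/DETOKENIZATION forms).
    """
    for p in policies:
        if p.decision != "ALLOW" or p.action != action:
            continue
        if p.resources and not any(_covers(r, column) for r in p.resources):
            continue
        if p.condition is not None:
            col, val = p.condition
            if str(row.get(col)) != val:
                continue
        return p
    return None


def demo():
    """Resolve a few constructed requests against the sample policies."""
    policies = [parse_policy(s) for s in SAMPLE_POLICIES]
    colombian = {"persons.nationality": "COLOMBIAN"}   # constructed row
    other = {"persons.nationality": "PERUVIAN"}        # constructed row
    results = {
        "ssn_read": authorize(policies, "READ", "consumers.ssn", {}),
        "phone_colombian": authorize(policies, "READ", "persons.phone_numbers.mobile", colombian),
        "phone_other": authorize(policies, "READ", "persons.phone_numbers.mobile", other),
        "ssn_update": authorize(policies, "UPDATE", "consumers.ssn", {}),
    }
    for name, pol in results.items():
        print(name, "->", "deny" if pol is None else f"allow (redaction={pol.redaction})")
    return results


if __name__ == "__main__":
    demo()
```

Running the script shows the row filter in action: the same READ on `persons.phone_numbers.mobile` is allowed in plain text for the Colombian row and denied for the other, and an UPDATE on `consumers.ssn` is denied because no UPDATE policy covers that column. Resolution stops at the first matching policy, so the order of policies matters when several overlap with different redaction formats.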