Create your first Verified Permissions policy store - Amazon Verified Permissions

Create your first Verified Permissions policy store

When you sign in to the Verified Permissions console for the first time, you can choose how to create your first policy store and Cedar policy. Follow the sign-in procedure appropriate to your user type as described in the topic How to sign in to AWS in the AWS Sign-In User Guide. On the Console Home page, select the Amazon Verified Permissions service. Choose Get started.

Creating a sample policy store

If this is your first time using Verified Permissions, we recommend using one of the sample policy stores to familiarize yourself with how Verified Permissions works. The sample policy stores provide pre-defined policies and a schema.

To create a policy store using the Sample policy store configuration method
  1. In the Verified Permissions console, select Create new policy store.

  2. In the Starting options section, choose Sample policy store.

  3. In the Sample project section, choose the type of sample Verified Permissions application to use. For this tutorial, choose the PhotoFlash policy store.

  4. A namespace for the schema of your sample policy store is automatically generated based on the sample project you chose.

  5. Choose Create policy store.

    Your policy store is created with policies, policy templates, and a schema for the sample policy store.

The diagram below illustrates the relationships between the PhotoFlash sample policy store actions and the resource types that they apply to.

PhotoFlash entity relationships

Creating template-linked policies for a sample policy store

The PhotoFlash sample policy store includes policies, policy templates, and a schema. You can create template-linked policies based on the policy templates included with the sample policy store.

To create template-linked policies for the sample policy store
  1. Open the Verified Permissions console at https://console.aws.amazon.com/verifiedpermissions/. Choose your policy store.

  2. In the navigation pane on the left, choose Policies.

  3. Choose Create policy and then choose Create template-linked policy.

  4. Choose the radio button next to the policy template with the description Grant full access to non-private shared photos and then choose Next.

  5. For Principal, enter PhotoFlash::User::"Alice". For Resource, enter PhotoFlash::Album::"Bob-Vacation-Album".

  6. Choose Create template-linked policy.

    The new template-linked policy is displayed under Policies.

  7. Create another template-linked policy for the PhotoFlash sample policy store. Choose Create policy and then choose Create template-linked policy.

  8. Choose the radio button next to the policy template with the description Grant limited access to non-private shared photos and then choose Next.

  9. For Principal, enter PhotoFlash::FriendGroup::"MySchoolFriends". For Resource, enter PhotoFlash::Album::"Alice’s favorite album".

  10. Choose Create template-linked policy.

    The new template-linked policy is displayed under Policies.

We will test the new template-linked policies in the next section of the tutorial. For more examples of values you can use to create a template-linked policy for PhotoFlash, see PhotoFlash template-linked policy examples.

Testing a sample policy store

After creating your sample policy store and template-linked policies, you can test the sample Verified Permissions static policies and your new template-linked policies by running a simulated authorization request using the Verified Permissions test bench.

Depending on when you created your sample policy store, your policy templates might differ from the ones referenced in this procedure. Before you start this part of the tutorial, check that your PhotoFlash sample policy store contains each of the policy templates that follow. If your policy templates don't match these, edit the existing policy templates or create a new policy store from the Sample project option PhotoFlash.

Grant full access to non-private shared photos

permit (
    principal in ?principal,
    action in PhotoFlash::Action::"FullPhotoAccess",
    resource in ?resource
)
when { resource.IsPrivate == false };

Grant limited access to non-private shared photos

permit (
    principal in ?principal,
    action in PhotoFlash::Action::"LimitedPhotoAccess",
    resource in ?resource
)
when { resource.IsPrivate == false };

To test sample policy store policies
  1. Open the Verified Permissions console at https://console.aws.amazon.com/verifiedpermissions/. Choose your policy store.

  2. In the navigation pane on the left, choose Test bench.

  3. Choose Visual mode.

  4. In the Principal section, choose PhotoFlash::User from the principal types in your schema. Type an identifier for the user in the text box. For example, Alice.

  5. Do not choose Add a parent for the principal.

  6. For the Account: Entity attribute, make sure that the PhotoFlash::Account entity is selected. Type an identifier for the account. For example, Alice-account.

  7. In the Resource section, choose the PhotoFlash::Photo resource type. Type an identifier for the photo in the text box. For example, photo.jpeg.

  8. Choose Add a parent and choose PhotoFlash::Account for the entity type. Type the same identifier for the parent account for the photo that you specified in the Account: Entity field for the user. For example, Alice-account.

  9. In the Action section, choose PhotoFlash::Action::"ViewPhoto" from the list of valid actions.

  10. In the Additional entities section, choose Add this entity to add the suggested account entity.

  11. Choose Run authorization request at the top of the page to simulate the authorization request for the Cedar policies in the sample policy store. The test bench should display the decision to allow the request.

The following table provides additional values for the principal, resource, and action you can test with the Verified Permissions test bench. The table includes the authorization request decision based on the static policies included with the PhotoFlash sample policy store and the template-linked policies you created in the previous section.

| Principal | Principal Account: Entity | Resource | Resource parent | Action | Authorization decision |
|---|---|---|---|---|---|
| PhotoFlash::User::"Alice" | PhotoFlash::Account::"Alice-account" | PhotoFlash::Photo::"photo.jpeg" | PhotoFlash::Account::"Bob-account" | PhotoFlash::Action::"ViewPhoto" | Deny |
| PhotoFlash::User::"Alice" | PhotoFlash::Account::"Alice-account" | PhotoFlash::Photo::"photo.jpeg" | PhotoFlash::Account::"Alice-account" | PhotoFlash::Action::"ViewPhoto" | Allow |
| PhotoFlash::User::"Alice" | PhotoFlash::Account::"Alice-account" | PhotoFlash::Photo::"Bob-photo.jpeg" | PhotoFlash::Album::"Bob-Vacation-Album" | PhotoFlash::Action::"ViewPhoto" | Allow |
| PhotoFlash::User::"Alice" | PhotoFlash::Account::"Alice-account" | PhotoFlash::Photo::"Bob-photo.jpeg" | PhotoFlash::Album::"Bob-Vacation-Album" | PhotoFlash::Action::"DeletePhoto" | Deny |
| PhotoFlash::User::"Alice" | PhotoFlash::Account::"Alice-account" | PhotoFlash::Photo::"Bob-photo.jpeg" (IsPrivate: true) | PhotoFlash::Album::"Bob-Vacation-Album" | PhotoFlash::Action::"ViewPhoto" | Deny |
| PhotoFlash::User::"Jane" in PhotoFlash::FriendGroup::"MySchoolFriends" | PhotoFlash::Account::"Jane-account" | PhotoFlash::Photo::"photo.jpeg" | PhotoFlash::Album::"Alice’s favorite album" | PhotoFlash::Action::"ViewPhoto" | Allow |
| PhotoFlash::User::"Jane" in PhotoFlash::FriendGroup::"MySchoolFriends" | PhotoFlash::Account::"Jane-account" | PhotoFlash::Photo::"photo.jpeg" | PhotoFlash::Album::"Alice’s favorite album" | PhotoFlash::Action::"DeletePhoto" | Deny |
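As an added example (not code from this page, from Cedar, or from the Verified Permissions service), the following Python models how the two template-linked policies, the entity parents you enter in the test bench, and the IsPrivate condition combine into the decisions in the table. It assumes an owner-style static policy as a stand-in for the sample store's static policies (which the page does not list) and action groups limited to the actions the tutorial tests.

```python
from dataclasses import dataclass, field

@dataclass
class Entity:
    uid: str  # Cedar entity UID, e.g. 'PhotoFlash::User::"Alice"'
    parents: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)

def is_in(uid, ancestor, entities):
    """Cedar-style `in`: true for the entity itself or any transitive parent."""
    parents = entities[uid].parents if uid in entities else ()
    return uid == ancestor or any(is_in(p, ancestor, entities) for p in parents)

# Assumption: action groups limited to the tested actions; DeletePhoto is in neither group.
ACTION_GROUPS = {
    'PhotoFlash::Action::"FullPhotoAccess"': {'PhotoFlash::Action::"ViewPhoto"'},
    'PhotoFlash::Action::"LimitedPhotoAccess"': {'PhotoFlash::Action::"ViewPhoto"'},
}

def template_policy(principal_slot, action_group, resource_slot):
    """Fill the ?principal and ?resource slots of one of the two templates above."""
    def permits(principal, action, resource, entities):
        return (is_in(principal.uid, principal_slot, entities)
                and action in ACTION_GROUPS[action_group]
                and is_in(resource.uid, resource_slot, entities)
                and resource.attrs.get("IsPrivate", False) is False)
    return permits

def owner_policy(principal, action, resource, entities):
    """Assumed stand-in for the sample store's static policies, which the page
    does not show: a user may act on photos under their own Account entity."""
    return is_in(resource.uid, principal.attrs["Account"], entities)

POLICIES = [  # the two template-linked policies created in the tutorial, plus the stand-in
    template_policy('PhotoFlash::User::"Alice"', 'PhotoFlash::Action::"FullPhotoAccess"',
                    'PhotoFlash::Album::"Bob-Vacation-Album"'),
    template_policy('PhotoFlash::FriendGroup::"MySchoolFriends"',
                    'PhotoFlash::Action::"LimitedPhotoAccess"',
                    'PhotoFlash::Album::"Alice’s favorite album"'),
    owner_policy,
]

def is_authorized(principal, action, resource, entities):
    """Default deny: ALLOW only when some permit policy matches (no forbid policies here)."""
    ents = {e.uid: e for e in entities}
    return "ALLOW" if any(p(principal, action, resource, ents) for p in POLICIES) else "DENY"

def table_row(user, group, account, photo, parent, action, private=False):
    """Build the entities one test-bench row describes and return its decision."""
    principal = Entity(user, {group} if group else set(), {"Account": account})
    resource = Entity(photo, {parent}, {"IsPrivate": private})
    return is_authorized(principal, action, resource, [principal, resource])
```

Note that parents such as the account or album only need to be named, not supplied as entities, for `is_in` to match them, which mirrors why the test bench asks for the photo's parent rather than the whole album.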