Denies access

If a policy has forbid as its effect, it constrains permissions instead of granting permissions.
Important: During authorization, if both a permit policy and a forbid policy are enforced for the same request, the forbid takes precedence.
The following examples use the attributes defined in the hypothetical application called PhotoFlash, described in the Example schema.
This example shows how you might create a policy that denies the user alice all actions on any resource, except actions whose readOnly attribute is true.

forbid (
    principal == User::"alice",
    action,
    resource
)
unless { action.readOnly };
This example shows how you might create a policy that denies access to all resources that have a private attribute, unless the principal is the owner of the resource (the resource's owner attribute).

forbid (
    principal,
    action,
    resource
)
when { resource.private }
unless { principal == resource.owner };
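To make the combining rule concrete, here is an added worked example (not Cedar's engine and not code from this documentation): a small Python model of authorization in which a request is allowed only if at least one permit policy applies and no forbid policy applies. The two forbid policies above are encoded against a constructed PhotoFlash-style data set (User::"alice", User::"bob", a readOnly viewPhoto action, a non-readOnly deletePhoto action, and a private photo owned by bob). The blanket permit policy, the entity and action names, and the use of `.get()` defaults for missing attributes are assumptions of this example; Cedar itself treats a missing attribute as an evaluation error rather than a false condition, so this model is deliberately simpler than the real evaluator.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass(eq=False)
class Entity:
    """A Cedar-style entity: a type, an id, and a map of attributes (constructed model)."""
    type: str
    id: str
    attrs: Dict[str, object] = field(default_factory=dict)

    # Two entity references are the same entity if type and id match, whatever their attributes
    def __eq__(self, other: object) -> bool:
        return isinstance(other, Entity) and (self.type, self.id) == (other.type, other.id)

    def __hash__(self) -> int:
        return hash((self.type, self.id))

    def __str__(self) -> str:
        return f'{self.type}::"{self.id}"'


@dataclass
class Request:
    principal: Entity
    action: Entity
    resource: Entity


@dataclass
class Policy:
    """effect is "permit" or "forbid"; scope constraints are folded into `when` here."""
    effect: str
    when: Callable[[Request], bool] = lambda r: True
    unless: Callable[[Request], bool] = lambda r: False

    def applies(self, r: Request) -> bool:
        # A policy applies to a request when its `when` holds and its `unless` does not
        return self.when(r) and not self.unless(r)


def is_authorized(r: Request, policies: List[Policy]) -> bool:
    """Combining rule: at least one permit must apply and no forbid may apply (default deny)."""
    permits = [p for p in policies if p.effect == "permit" and p.applies(r)]
    forbids = [p for p in policies if p.effect == "forbid" and p.applies(r)]
    return bool(permits) and not forbids


# --- Constructed sample data in the spirit of PhotoFlash (hypothetical, not the page's schema) ---
ALICE = Entity("User", "alice")
BOB = Entity("User", "bob")
VIEW = Entity("Action", "viewPhoto", {"readOnly": True})
DELETE = Entity("Action", "deletePhoto", {"readOnly": False})
PRIVATE_PHOTO = Entity("Photo", "vacation.jpg", {"private": True, "owner": BOB})
PUBLIC_PHOTO = Entity("Photo", "logo.png", {"private": False, "owner": BOB})

# Hypothetical permit so the forbid policies have something to override
PERMIT_ALL = Policy("permit")

# forbid (principal == User::"alice", action, resource) unless { action.readOnly };
FORBID_ALICE_UNLESS_READONLY = Policy(
    "forbid",
    when=lambda r: r.principal == ALICE,
    unless=lambda r: bool(r.action.attrs.get("readOnly", False)),
)

# forbid (principal, action, resource) when { resource.private } unless { principal == resource.owner };
FORBID_PRIVATE_UNLESS_OWNER = Policy(
    "forbid",
    when=lambda r: bool(r.resource.attrs.get("private", False)),
    unless=lambda r: r.principal == r.resource.attrs.get("owner"),
)

POLICIES = [PERMIT_ALL, FORBID_ALICE_UNLESS_READONLY, FORBID_PRIVATE_UNLESS_OWNER]


def decide(principal: Entity, action: Entity, resource: Entity,
           policies: List[Policy] = POLICIES) -> bool:
    """Evaluate one request against the policy set and return True for ALLOW."""
    return is_authorized(Request(principal, action, resource), policies)


if __name__ == "__main__":
    for p, a, res in [(ALICE, VIEW, PUBLIC_PHOTO), (ALICE, DELETE, PUBLIC_PHOTO),
                      (ALICE, VIEW, PRIVATE_PHOTO), (BOB, DELETE, PRIVATE_PHOTO)]:
        print(f"{p} {a} {res}: {'ALLOW' if decide(p, a, res) else 'DENY'}")
```

Running it shows the precedence rule in action: alice can view the public photo (the permit applies and neither forbid does), alice cannot delete it (the first forbid applies because deletePhoto is not readOnly, and it overrides the permit), alice cannot view the private photo even though viewing is readOnly (the second forbid applies because she is not the owner), and bob can do both because the owner exception switches the second forbid off. With an empty policy list every request is denied, which is the default-deny behaviour that forbid policies refine.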