Denies access - Amazon Verified Permissions

Denies access

If a policy's effect is forbid, the policy constrains permissions instead of granting them.

Important

During authorization, if both a permit policy and a forbid policy are satisfied for the same request, the forbid takes precedence and the request is denied.

The following examples use the attributes defined in the hypothetical application called PhotoFlash described in the Example schema section of the Cedar policy language Reference Guide.

This example shows how you might create a policy that denies the user alice all actions except those whose readOnly attribute is true, on any resource.

forbid (
    principal == User::"alice",
    action,
    resource
)
unless { action.readOnly };

This example shows how you might create a policy that denies access to any resource whose private attribute is true, unless the principal is that resource's owner (principal == resource.owner).

forbid (
    principal,
    action,
    resource
)
when { resource.private }
unless { principal == resource.owner };
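The following is an added example, not part of this page or of the Cedar engine: a small Python model of how the two forbid policies above combine with a permit under deny-overrides evaluation. The entities (users alice and bob, actions viewPhoto and deletePhoto, a Photo with private and owner attributes) and the broad permit policy are constructed here in the style of the PhotoFlash schema and are assumptions; it also shows the Cedar rule that a policy whose condition references a missing attribute errors and is treated as not satisfied.

```python
class Entity:
    def __init__(self, etype, eid, attrs=None):
        self.type, self.id, self.attrs = etype, eid, attrs or {}

    def __str__(self):
        return f'{self.type}::"{self.id}"'

    def __eq__(self, other):
        return isinstance(other, Entity) and (self.type, self.id) == (other.type, other.id)

    def attr(self, name):
        # Like Cedar, referencing a missing attribute is an evaluation error.
        if name not in self.attrs:
            raise KeyError(f"{self} has no attribute {name!r}")
        return self.attrs[name]

# forbid(principal == User::"alice", action, resource) unless { action.readOnly };
def forbid_alice_except_readonly(p, a, r):
    return p == Entity("User", "alice") and not a.attr("readOnly")

# forbid(principal, action, resource) when { resource.private } unless { principal == resource.owner };
def forbid_private_unless_owner(p, a, r):
    return r.attr("private") and not (p == r.attr("owner"))

# permit(principal, action, resource);  assumed broad grant so the forbids have something to override
def permit_everyone(p, a, r):
    return True

POLICIES = [("permit", permit_everyone),
            ("forbid", forbid_alice_except_readonly),
            ("forbid", forbid_private_unless_owner)]

def is_authorized(p, a, r, policies=POLICIES):
    """Return (decision, errors): a satisfied forbid always wins, otherwise some permit
    must be satisfied; a policy whose condition errors counts as not satisfied."""
    satisfied, errors = set(), []
    for effect, pred in policies:
        try:
            if pred(p, a, r):
                satisfied.add(effect)
        except KeyError as exc:
            errors.append(str(exc))
    return ("forbid" not in satisfied and "permit" in satisfied), errors

# Constructed sample entities (PhotoFlash style, not from the Cedar reference).
ALICE, BOB = Entity("User", "alice"), Entity("User", "bob")
VIEW = Entity("Action", "viewPhoto", {"readOnly": True})
DELETE = Entity("Action", "deletePhoto", {"readOnly": False})
VACATION = Entity("Photo", "VacationPhoto94.jpg", {"private": True, "owner": BOB})
SUNSET = Entity("Photo", "sunset.jpg", {"private": False, "owner": ALICE})
```

Even though the permit covers every request, alice deleting any photo and anyone other than bob touching the private VacationPhoto94.jpg are denied, while alice viewing sunset.jpg and bob deleting his own private photo are allowed.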