Amazon Verified Permissions policy stores - Amazon Verified Permissions

Amazon Verified Permissions policy stores

A policy store is a container for policies and policy templates. In each policy store you can create a schema that declares the entity types, common types, and actions your application uses, and you can turn on policy validation for the store. When policy validation is enabled, each policy added to the store is checked against that schema: the entity types, common types, and actions the policy references must be declared there, and a policy that fails validation is rejected rather than stored.

We recommend creating one policy store per application, or one policy store per tenant for multi-tenant applications. Every authorization request must name the policy store it is evaluated against.

We recommend using namespaces for the Cedar entity types in your policy stores to prevent ambiguity. A namespace is a string prefix on a type name, separated from the name by a pair of colons (::), for example MyApplicationNamespace::exampleType. Verified Permissions supports one namespace per policy store. Namespaces keep types distinct when you work with several similar applications. In a multi-tenant application, for example, prefixing the types defined in a tenant's schema with that tenant's name makes them distinct from the otherwise identical types used by other tenants, and when you review the logs for authorization requests you can identify the tenant from the namespace on the entity types in each request. For more information, see Namespaces in the Cedar policy language Reference Guide.
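The following example, added here and not part of the AWS documentation, ties the two previous paragraphs together: it builds a Cedar JSON schema under a single tenant namespace, writes one policy that uses only the namespaced types and one that does not, and runs a small local check that mirrors the entity-type and action part of what Verified Permissions does when a policy store's validation mode is STRICT. It also shows how the namespace on a request's entity type identifies the tenant, and assembles the request bodies for the boto3 `verifiedpermissions` client without sending them. The namespace `TenantAcme`, the type and action names, the policy IDs, and the boto3 parameter names are assumptions.

```python
"""Local illustration of namespaced Cedar schemas and policy validation.

Added example, not code from the AWS documentation. The check here only covers
entity types and actions; the service's own validation is stricter (attribute
types, action applicability, and so on) and is what actually rejects a policy.
"""
import json
import re

# Assumption: one tenant, one namespace, one policy store.
NAMESPACE = "TenantAcme"


def build_schema(namespace):
    """Cedar JSON schema with every entity type and action declared under one namespace."""
    return {
        namespace: {
            "entityTypes": {
                "User": {"shape": {"type": "Record", "attributes": {
                    "department": {"type": "String"}}}},
                "Document": {"shape": {"type": "Record", "attributes": {
                    "owner": {"type": "Entity", "name": "User"}}}},
            },
            "actions": {
                "viewDocument": {"appliesTo": {"principalTypes": ["User"], "resourceTypes": ["Document"]}},
                "editDocument": {"appliesTo": {"principalTypes": ["User"], "resourceTypes": ["Document"]}},
            },
        }
    }


SCHEMA = build_schema(NAMESPACE)

# Constructed sample policies. The first references only declared, namespaced types.
VALID_POLICY = '''
permit(
  principal == TenantAcme::User::"alice",
  action in [TenantAcme::Action::"viewDocument", TenantAcme::Action::"editDocument"],
  resource == TenantAcme::Document::"doc-1"
);
'''

# The second uses unqualified types and an action the schema never declares.
BAD_POLICY = '''
permit(
  principal is User,
  action == TenantAcme::Action::"deleteDocument",
  resource == Document::"doc-1"
);
'''

# Entity UID literals look like Namespace::Type::"id"; actions are Namespace::Action::"name".
ENTITY_REF = re.compile(r'([A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z_][A-Za-z0-9_]*)*)::"([^"]*)"')
# Type tests look like `principal is Namespace::Type`.
IS_REF = re.compile(r'\bis\s+([A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z_][A-Za-z0-9_]*)*)')


def declared_types(schema):
    """Fully qualified entity type names the schema declares."""
    return {f"{ns}::{t}" for ns, body in schema.items() for t in body["entityTypes"]}


def declared_actions(schema):
    """Fully qualified action names the schema declares."""
    return {f"{ns}::Action::{a}" for ns, body in schema.items() for a in body["actions"]}


def check_policy(policy_text, schema):
    """Return a list of problems; an empty list means every referenced type/action is declared."""
    types, actions = declared_types(schema), declared_actions(schema)
    problems = []
    for path, ident in ENTITY_REF.findall(policy_text):
        if path == "Action" or path.endswith("::Action"):
            if f"{path}::{ident}" not in actions:
                problems.append(f'undeclared action {path}::"{ident}"')
        elif path not in types:
            problems.append(f"undeclared entity type {path}")
    for path in IS_REF.findall(policy_text):
        if path not in types:
            problems.append(f"undeclared entity type {path}")
    return problems


def tenant_of(entity):
    """Namespace prefix of an entity in an authorization request, e.g. from a logged principal."""
    return entity["entityType"].rsplit("::", 1)[0]


def policy_store_requests(schema, policy_text, store_id="<id returned by create_policy_store>"):
    """Request bodies for boto3's verifiedpermissions client (assumed parameter names; nothing is sent)."""
    return {
        "create_policy_store": {"validationSettings": {"mode": "STRICT"}},
        "put_schema": {"policyStoreId": store_id,
                       "definition": {"cedarJson": json.dumps(schema)}},
        "create_policy": {"policyStoreId": store_id,
                          "definition": {"static": {"description": "alice on doc-1",
                                                    "statement": policy_text}}},
    }


if __name__ == "__main__":
    print("valid policy problems:", check_policy(VALID_POLICY, SCHEMA))
    print("bad policy problems:", check_policy(BAD_POLICY, SCHEMA))
    print("tenant:", tenant_of({"entityType": "TenantAcme::User", "entityId": "alice"}))
    print(json.dumps(policy_store_requests(SCHEMA, VALID_POLICY), indent=2))
```

Only submit a policy to `create_policy` when `check_policy` returns an empty list; the service's STRICT validation remains the authoritative gate, this local check just catches the unqualified `User` and `Document` references and the undeclared `deleteDocument` action before a round trip.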