Amazon Verified Permissions policy store schema

A schema is a declaration of the structure of the entity types supported by your application, and the actions your application may provide in authorization requests.

For more information, see Cedar schema format in the Cedar policy language Reference Guide.

Note

The use of schemas in Verified Permissions is optional, but they are highly recommended for production software. When you create a new policy, Verified Permissions can use the schema to validate the entities and attributes referenced in the scope and conditions to avoid typos and mistakes in policies that can lead to confusing system behavior. If you activate policy validation, then all new policies must conform with the schema.

AWS Management Console

To create a schema

Open the Verified Permissions console at https://console.aws.amazon.com/verifiedpermissions/. Choose your policy store.
In the navigation pane on the left, choose Schema.
Choose Create schema.

AWS CLI

To submit a new schema, or overwrite an existing schema by using the AWS CLI.

You can create a policy store by running a AWS CLI command similar to the following example.

Consider a schema that contains the following Cedar content:


{
    "MySampleNamespace": {
        "actions": {
            "remoteAccess": {
                "appliesTo": {
                    "principalTypes": [ "Employee" ]
                }
            }
        },
        "entityTypes": {
            "Employee": {
                "shape": {
                    "type": "Record",
                    "attributes": {
                        "jobLevel": {"type": "Long"},
                        "name": {"type": "String"}
                    }
                }
            }
        }
    }
}

You must first escape the JSON into a single line string, and preface it with a declaration of its data type: cedarJson. The following example uses the following contents of schema.json file that contains the escaped version of the JSON schema.

Note

The example here is line wrapped for readability. You must have the entire file on a single line for the command to accept it.


{"cedarJson": "{\"MySampleNamespace\": {\"actions\": {\"remoteAccess\": {\"appliesTo\": 
{\"principalTypes\": [\"Employee\"]}}},\"entityTypes\": {\"Employee\": {\"shape\": 
{\"attributes\": {\"jobLevel\": {\"type\": \"Long\"},\"name\": {\"type\": \"String\"}},
\"type\": \"Record\"}}}}}"}


$ aws verifiedpermissions put-schema \
    --definition file://schema.json \
    --policy-store PSEXAMPLEabcdefg111111
{
    "policyStoreId": "PSEXAMPLEabcdefg111111",
    "namespaces": [
        "MySampleNamespace"
    ],
    "createdDate": "2023-07-17T21:07:43.659196+00:00",
    "lastUpdatedDate": "2023-08-16T17:03:53.081839+00:00"
}

AWS SDKs

You can create a policy store using the PutSchema API. For more information, see PutSchema in the Amazon Verified Permissions API Reference Guide.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Deleting policy stores

Editing schema - Visual