feat(iam): add dynamic ${user.email} resolution and case-insensitive userEmail matching across IAM evaluators #120

Closed
opened 2026-04-05 16:16:38 +02:00 by MrUnknownDE · 0 comments

Originally created by @coltondick on 10/31/2025

I opened an [issue](https://github.com/LogicLabs-OU/OpenArchiver/issues/185) a couple weeks back raising a problem with the limited flexibility of the IAM policies. I found its limited scope to be quite tedious, having to create a single user policy per user. I had initially assumed that `${user.email}` would work, just making assumptions from the documentation. However, I was surprised to find out that this didn't work. Adding support for `${user.email}` reduces role duplication and makes for an overall better experience.

Previously you had to define the policy as follows and then replicate it per user:

```json
[
  {
    "action": [
      "read",
      "search"
    ],
    "subject": "archive",
    "conditions": {
      "userEmail": "kevinh@example.com"
    }
  },
  {
    "action": [
      "read",
      "search"
    ],
    "subject": [
      "dashboard",
      "ingestion"
    ]
  }
]
```

Now we can define the policy as follows:

```json
[
  {
    "action": [
      "read",
      "search"
    ],
    "subject": "archive",
    "conditions": {
      "userEmail": "${user.email}"
    }
  },
  {
    "action": [
      "read",
      "search"
    ],
    "subject": [
      "dashboard",
      "ingestion"
    ]
  }
]
```
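The two behaviours named in the PR title, resolving `${user.email}` from the signed-in user and matching `userEmail` case-insensitively, as an added TypeScript example that is not OpenArchiver's own evaluator. The `Policy` and `UserContext` shapes, the `resolveValue` and `can` names, and the assumption that the archive being checked carries a `userEmail` attribute are all mine; an unresolvable placeholder fails closed rather than being compared as a literal string.

```typescript
// Added example (not the project's evaluator): minimal policy check with
// ${user.<field>} resolution and case-insensitive userEmail comparison.
type Policy = {
  action: string | string[];
  subject: string | string[];
  conditions?: Record<string, string>;
};

type UserContext = { email: string };

// Only a value that is entirely a placeholder is resolved, e.g. "${user.email}".
const PLACEHOLDER = /^\$\{user\.(\w+)\}$/;

// Resolve a condition value against the current user. Unknown fields return
// undefined so the caller can deny instead of matching the literal "${...}".
function resolveValue(value: string, user: UserContext): string | undefined {
  const m = PLACEHOLDER.exec(value);
  if (!m) return value;
  const field = m[1] as keyof UserContext;
  return field in user ? String(user[field]) : undefined;
}

// Trim and lower-case both sides so "KevinH@Example.com" equals "kevinh@example.com".
function emailsMatch(a: string, b: string): boolean {
  return a.trim().toLowerCase() === b.trim().toLowerCase();
}

function toList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// True if some policy grants `action` on `subject` for `user`, given the
// attributes of the resource being accessed (assumed: archives expose userEmail).
// Conditions are ANDed and any unresolved placeholder fails closed.
function can(
  policies: Policy[], user: UserContext, action: string, subject: string,
  resource: Record<string, string> = {}
): boolean {
  return policies.some((p) => {
    if (!toList(p.action).includes(action) || !toList(p.subject).includes(subject)) return false;
    return Object.entries(p.conditions ?? {}).every(([key, raw]) => {
      const expected = resolveValue(raw, user);
      if (expected === undefined) return false;
      const actual = resource[key];
      if (actual === undefined) return false;
      return key === 'userEmail' ? emailsMatch(actual, expected) : actual === expected;
    });
  });
}
```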
Reference: github/OpenArchiver#120