IAM Policy JSON - Limit access to a specific mailbox based on dynamic email #66

Open
opened 2026-04-05 16:16:21 +02:00 by MrUnknownDE · 0 comments

Originally created by @DamnWhat on 1/11/2026

Hi,

### The problem we are facing

We have one ingestion, which is our M365 tenant, and we want each end-user to be able to **only** see their emails. We want to work with conditions to limit the access to a specific mailbox. The documentation mentioned the usage of `userEmail` with a hardcoded email address. **This works**, but we do not want to create a policy for each user so that they only see their emails.

Is it possible to have an IAM Policy where the `userEmail` is not hardcoded in the JSON? For example, have a placeholder variable like `${user.email}`, the same way the documentation mentions `${user.id}`?

### What our current JSON looks like

```json
[
	{
		"action": "read",
		"subject": "dashboard"
	},
	{
		"action": "read",
		"subject": "ingestion"
	},
	{
		"action": ["read", "search"],
		"subject": "archive",
		"conditions": {
			"userEmail": "user.email@company.com"
		}
	}
]
```

### What we thought could work, but it does not

```json
[
	{
		"action": "read",
		"subject": "dashboard"
	},
	{
		"action": "read",
		"subject": "ingestion"
	},
	{
		"action": ["read", "search"],
		"subject": "archive",
		"conditions": {
			"userEmail": "${user.email}"
		}
	}
]
```
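As an added illustration (this is not OpenArchiver's code and does not describe what the project currently supports), the TypeScript below shows how a policy check could resolve a `${user.email}` placeholder against the authenticated caller's attributes at evaluation time, so the single `archive` rule from the issue would scope every user to their own mailbox. The rule shape, the `RequestUser` fields and the `userEmail` attribute on the archive item are assumptions.

```typescript
// Added example, not OpenArchiver's code: a policy check that resolves
// ${user.<attr>} placeholders in rule conditions against the caller at
// evaluation time, so one rule can scope every user to their own mailbox.
type Action = "read" | "search" | "delete";
interface PolicyRule {
  action: Action | Action[];
  subject: string;
  conditions?: Record<string, string>;
}
// Assumed shape of the authenticated caller and of the archive item's
// attributes (only the keys named by a rule's conditions are compared).
interface RequestUser { id: string; email: string; }
type Resource = Record<string, string | undefined>;

// Replace ${user.<attr>} with the caller's attribute. Unknown attributes are
// left verbatim so the condition fails closed instead of matching anything.
function resolvePlaceholder(value: string, user: RequestUser): string {
  return value.replace(/\$\{user\.(\w+)\}/g, (whole, attr: string) =>
    Object.prototype.hasOwnProperty.call(user, attr)
      ? String(user[attr as keyof RequestUser])
      : whole,
  );
}

// A rule grants access only if subject and action match and every condition
// holds against the resource (emails compared case-insensitively).
function isAllowed(
  policy: PolicyRule[], user: RequestUser,
  action: Action, subject: string, resource: Resource,
): boolean {
  return policy.some((rule) => {
    const actions = Array.isArray(rule.action) ? rule.action : [rule.action];
    if (rule.subject !== subject || !actions.includes(action)) return false;
    return Object.entries(rule.conditions ?? {}).every(([key, pattern]) => {
      const expected = resolvePlaceholder(pattern, user).toLowerCase();
      const actual = resource[key]?.toLowerCase();
      return actual !== undefined && actual === expected;
    });
  });
}

// Constructed sample: the policy from the issue with the hoped-for placeholder.
const policy: PolicyRule[] = [
  { action: "read", subject: "dashboard" },
  { action: "read", subject: "ingestion" },
  { action: ["read", "search"], subject: "archive",
    conditions: { userEmail: "${user.email}" } },
];
```

The `RequestUser` values must come from the server-side session or verified token, never from anything the client supplies in the request, otherwise the placeholder becomes a way to pick someone else's mailbox.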
Reference: github/OpenArchiver#66