OpenArchiver/services/iam-service/iam-policy.html
<!DOCTYPE html>
<html lang="en-US" dir="ltr">
<head>
<meta charset="utf-8">
<!-- Document head of the generated "IAM Policy" docs page; the generator meta tag below names VitePress v1.6.4. -->
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>IAM Policy | Open Archiver Docs</title>
<meta name="description" content="Official documentation for the Open Archiver project.">
<meta name="generator" content="VitePress v1.6.4">
<!-- Root-relative (same-origin) assets: two stylesheets, the app module, one font and three module preloads. -->
<link rel="preload stylesheet" href="/assets/style.BZzyQG4l.css" as="style">
<link rel="preload stylesheet" href="/vp-icons.css" as="style">
<script type="module" src="/assets/app.C_H1Hj5v.js"></script>
<link rel="preload" href="/assets/inter-roman-latin.Di8DUHzh.woff2" as="font" type="font/woff2" crossorigin="">
<link rel="modulepreload" href="/assets/chunks/theme.W0ip1Fno.js">
<link rel="modulepreload" href="/assets/chunks/framework.S-Qvb3wi.js">
<link rel="modulepreload" href="/assets/services_iam-service_iam-policy.md.BMP46V9x.lean.js">
<!-- NOTE(review): the only cross-origin script in this head. It is loaded from analytics.zenceipt.com with no integrity attribute, so whatever that host serves runs in this page. Consider SRI plus crossorigin if the file is versioned, or self-hosting; confirm with the site owner. -->
<script defer src="https://analytics.zenceipt.com/script.js" data-website-id="2c8b452e-eab5-4f82-8ead-902d8f8b976f"></script>
<link rel="icon" href="/logo-sq.svg">
<!-- Inline script: adds the "dark" class to the root element when the localStorage key "vitepress-theme-appearance" is "dark", or is unset or "auto" and the OS prefers a dark colour scheme. NOTE(review): inline scripts need a hash or nonce under a strict Content-Security-Policy. -->
<script id="check-dark-mode">(()=>{const e=localStorage.getItem("vitepress-theme-appearance")||"auto",a=window.matchMedia("(prefers-color-scheme: dark)").matches;(!e||e==="auto"?a:e==="dark")&&document.documentElement.classList.add("dark")})();</script>
<!-- Inline script: toggles the "mac" class on the root element according to whether navigator.platform matches Mac, iPhone, iPod or iPad. -->
<script id="check-mac-os">document.documentElement.classList.toggle("mac",/Mac|iPhone|iPod|iPad/i.test(navigator.platform));</script>
</head>
<body>
<div id="app"><div class="Layout" data-v-6d457d7f><!--[--><!--]--><!--[--><span tabindex="-1" data-v-9f15b6e6></span><a href="#VPContent" class="VPSkipLink visually-hidden" data-v-9f15b6e6>Skip to content</a><!--]--><!----><header class="VPNav" data-v-6d457d7f data-v-06aeb22c><div class="VPNavBar" data-v-06aeb22c data-v-9f44cfca><div class="wrapper" data-v-9f44cfca><div class="container" data-v-9f44cfca><div class="title" data-v-9f44cfca><div class="VPNavBarTitle has-sidebar" data-v-9f44cfca data-v-cea99ba2><a class="title" href="/" data-v-cea99ba2><!--[--><!--]--><!--[--><img class="VPImage logo" src="/logo-sq.svg" alt data-v-384abc6c><!--]--><span data-v-cea99ba2>Open Archiver Docs</span><!--[--><!--]--></a></div></div><div class="content" data-v-9f44cfca><div class="content-body" data-v-9f44cfca><!--[--><!--]--><div class="VPNavBarSearch search" data-v-9f44cfca><!--[--><!----><div id="local-search"><button type="button" class="DocSearch DocSearch-Button" aria-label="Search"><span class="DocSearch-Button-Container"><span class="vp-icon DocSearch-Search-Icon"></span><span class="DocSearch-Button-Placeholder">Search</span></span><span class="DocSearch-Button-Keys"><kbd class="DocSearch-Button-Key"></kbd><kbd class="DocSearch-Button-Key">K</kbd></span></button></div><!--]--></div><nav aria-labelledby="main-nav-aria-label" class="VPNavBarMenu menu" data-v-9f44cfca data-v-bc890e2b><span id="main-nav-aria-label" class="visually-hidden" data-v-bc890e2b> Main Navigation </span><!--[--><!--[--><a class="VPLink link VPNavBarMenuLink" href="/" tabindex="0" data-v-bc890e2b data-v-358f64d2><!--[--><span data-v-358f64d2>Home</span><!--]--></a><!--]--><!--[--><a class="VPLink link vp-external-link-icon VPNavBarMenuLink" href="https://github.com/LogicLabs-OU/OpenArchiver" target="_blank" rel="noreferrer" tabindex="0" data-v-bc890e2b data-v-358f64d2><!--[--><span data-v-358f64d2>Github</span><!--]--></a><!--]--><!--[--><a class="VPLink link vp-external-link-icon VPNavBarMenuLink" 
href="https://openarchiver.com/" target="_blank" rel="noreferrer" tabindex="0" data-v-bc890e2b data-v-358f64d2><!--[--><span data-v-358f64d2>Website</span><!--]--></a><!--]--><!--[--><a class="VPLink link vp-external-link-icon VPNavBarMenuLink" href="https://discord.gg/MTtD7BhuTQ" target="_blank" rel="noreferrer" tabindex="0" data-v-bc890e2b data-v-358f64d2><!--[--><span data-v-358f64d2>Discord</span><!--]--></a><!--]--><!--]--></nav><!----><div class="VPNavBarAppearance appearance" data-v-9f44cfca data-v-1a8fd632><button class="VPSwitch VPSwitchAppearance" type="button" role="switch" title aria-checked="false" data-v-1a8fd632 data-v-77125d61 data-v-44c0c9c3><span class="check" data-v-44c0c9c3><span class="icon" data-v-44c0c9c3><!--[--><span class="vpi-sun sun" data-v-77125d61></span><span class="vpi-moon moon" data-v-77125d61></span><!--]--></span></span></button></div><!----><div class="VPFlyout VPNavBarExtra extra" data-v-9f44cfca data-v-cb22ae83 data-v-ce17dc3c><button type="button" class="button" aria-haspopup="true" aria-expanded="false" aria-label="extra navigation" data-v-ce17dc3c><span class="vpi-more-horizontal icon" data-v-ce17dc3c></span></button><div class="menu" data-v-ce17dc3c><div class="VPMenu" data-v-ce17dc3c data-v-a0929307><!----><!--[--><!--[--><!----><div class="group" data-v-cb22ae83><div class="item appearance" data-v-cb22ae83><p class="label" data-v-cb22ae83>Appearance</p><div class="appearance-action" data-v-cb22ae83><button class="VPSwitch VPSwitchAppearance" type="button" role="switch" title aria-checked="false" data-v-cb22ae83 data-v-77125d61 data-v-44c0c9c3><span class="check" data-v-44c0c9c3><span class="icon" data-v-44c0c9c3><!--[--><span class="vpi-sun sun" data-v-77125d61></span><span class="vpi-moon moon" data-v-77125d61></span><!--]--></span></span></button></div></div></div><!----><!--]--><!--]--></div></div></div><!--[--><!--]--><button type="button" class="VPNavBarHamburger hamburger" aria-label="mobile navigation" 
aria-expanded="false" aria-controls="VPNavScreen" data-v-9f44cfca data-v-42f375ed><span class="container" data-v-42f375ed><span class="top" data-v-42f375ed></span><span class="middle" data-v-42f375ed></span><span class="bottom" data-v-42f375ed></span></span></button></div></div></div></div><div class="divider" data-v-9f44cfca><div class="divider-line" data-v-9f44cfca></div></div></div><!----></header><div class="VPLocalNav has-sidebar empty" data-v-6d457d7f data-v-e17e33c6><div class="container" data-v-e17e33c6><button class="menu" aria-expanded="false" aria-controls="VPSidebarNav" data-v-e17e33c6><span class="vpi-align-left menu-icon" data-v-e17e33c6></span><span class="menu-text" data-v-e17e33c6>Menu</span></button><div class="VPLocalNavOutlineDropdown" style="--vp-vh:0px;" data-v-e17e33c6 data-v-bab32157><button data-v-bab32157>Return to top</button><!----></div></div></div><aside class="VPSidebar" data-v-6d457d7f data-v-91b447a8><div class="curtain" data-v-91b447a8></div><nav class="nav" id="VPSidebarNav" aria-labelledby="sidebar-aria-label" tabindex="-1" data-v-91b447a8><span class="visually-hidden" id="sidebar-aria-label" data-v-91b447a8> Sidebar Navigation </span><!--[--><!--]--><!--[--><div class="no-transition group" data-v-6b998b36><section class="VPSidebarItem level-0" data-v-6b998b36 data-v-5f79b55d><div class="item" role="button" tabindex="0" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><h2 class="text" data-v-5f79b55d>User Guides</h2><!----></div><div class="items" data-v-5f79b55d><!--[--><div class="VPSidebarItem level-1 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Get Started</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-1 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" 
data-v-5f79b55d></div><a class="VPLink link link" href="/user-guides/installation.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Installation</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-1 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/user-guides/integrity-check.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Email Integrity Check</p><!--]--></a><!----></div><!----></div><section class="VPSidebarItem level-1 collapsible collapsed is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" tabindex="0" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/user-guides/email-providers/" data-v-5f79b55d><!--[--><h3 class="text" data-v-5f79b55d>Email Providers</h3><!--]--></a><div class="caret" role="button" aria-label="toggle section" tabindex="0" data-v-5f79b55d><span class="vpi-chevron-right caret-icon" data-v-5f79b55d></span></div></div><div class="items" data-v-5f79b55d><!--[--><div class="VPSidebarItem level-2 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/user-guides/email-providers/imap.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Generic IMAP Server</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-2 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/user-guides/email-providers/google-workspace.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Google Workspace</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-2 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" 
href="/user-guides/email-providers/microsoft-365.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Microsoft 365</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-2 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/user-guides/email-providers/eml.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>EML Import</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-2 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/user-guides/email-providers/pst.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>PST Import</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-2 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/user-guides/email-providers/mbox.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Mbox Import</p><!--]--></a><!----></div><!----></div><!--]--></div></section><section class="VPSidebarItem level-1 collapsible collapsed" data-v-5f79b55d data-v-5f79b55d><div class="item" role="button" tabindex="0" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><h3 class="text" data-v-5f79b55d>Settings</h3><div class="caret" role="button" aria-label="toggle section" tabindex="0" data-v-5f79b55d><span class="vpi-chevron-right caret-icon" data-v-5f79b55d></span></div></div><div class="items" data-v-5f79b55d><!--[--><div class="VPSidebarItem level-2 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/user-guides/settings/system.html" data-v-5f79b55d><!--[--><p class="text" 
data-v-5f79b55d>System</p><!--]--></a><!----></div><!----></div><!--]--></div></section><section class="VPSidebarItem level-1 collapsible collapsed" data-v-5f79b55d data-v-5f79b55d><div class="item" role="button" tabindex="0" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><h3 class="text" data-v-5f79b55d>Upgrading and Migration</h3><div class="caret" role="button" aria-label="toggle section" tabindex="0" data-v-5f79b55d><span class="vpi-chevron-right caret-icon" data-v-5f79b55d></span></div></div><div class="items" data-v-5f79b55d><!--[--><div class="VPSidebarItem level-2 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/user-guides/upgrade-and-migration/upgrade.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Upgrading</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-2 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/user-guides/upgrade-and-migration/meilisearch-upgrade.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Meilisearch Upgrade</p><!--]--></a><!----></div><!----></div><!--]--></div></section><!--]--></div></section></div><div class="no-transition group" data-v-6b998b36><section class="VPSidebarItem level-0" data-v-6b998b36 data-v-5f79b55d><div class="item" role="button" tabindex="0" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><h2 class="text" data-v-5f79b55d>API Reference</h2><!----></div><div class="items" data-v-5f79b55d><!--[--><div class="VPSidebarItem level-1 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/api/" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Overview</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-1 is-link" 
data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/api/authentication.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Authentication</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-1 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/api/rate-limiting.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Rate Limiting</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-1 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/api/auth.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Auth</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-1 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/api/archived-email.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Archived Email</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-1 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/api/dashboard.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Dashboard</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-1 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/api/ingestion.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Ingestion</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-1 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div 
class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/api/integrity.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Integrity Check</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-1 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/api/search.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Search</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-1 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/api/storage.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Storage</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-1 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/api/jobs.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Jobs</p><!--]--></a><!----></div><!----></div><!--]--></div></section></div><div class="no-transition group" data-v-6b998b36><section class="VPSidebarItem level-0 has-active" data-v-6b998b36 data-v-5f79b55d><div class="item" role="button" tabindex="0" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><h2 class="text" data-v-5f79b55d>Services</h2><!----></div><div class="items" data-v-5f79b55d><!--[--><div class="VPSidebarItem level-1 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/services/" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Overview</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-1 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" 
href="/services/storage-service.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>Storage Service</p><!--]--></a><!----></div><!----></div><div class="VPSidebarItem level-1 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/services/ocr-service.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>OCR Service</p><!--]--></a><!----></div><!----></div><section class="VPSidebarItem level-1 has-active" data-v-5f79b55d data-v-5f79b55d><div class="item" role="button" tabindex="0" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><h3 class="text" data-v-5f79b55d>IAM Service</h3><!----></div><div class="items" data-v-5f79b55d><!--[--><div class="VPSidebarItem level-2 is-link" data-v-5f79b55d data-v-5f79b55d><div class="item" data-v-5f79b55d><div class="indicator" data-v-5f79b55d></div><a class="VPLink link link" href="/services/iam-service/iam-policy.html" data-v-5f79b55d><!--[--><p class="text" data-v-5f79b55d>IAM Policies</p><!--]--></a><!----></div><!----></div><!--]--></div></section><!--]--></div></section></div><!--]--><!--[--><!--]--></nav></aside><div class="VPContent has-sidebar" id="VPContent" data-v-6d457d7f data-v-413f3f32><div class="VPDoc has-sidebar has-aside" data-v-413f3f32 data-v-29334b8c><!--[--><!--]--><div class="container" data-v-29334b8c><div class="aside" data-v-29334b8c><div class="aside-curtain" data-v-29334b8c></div><div class="aside-container" data-v-29334b8c><div class="aside-content" data-v-29334b8c><div class="VPDocAside" data-v-29334b8c data-v-0970baee><!--[--><!--]--><!--[--><!--]--><nav aria-labelledby="doc-outline-aria-label" class="VPDocAsideOutline" data-v-0970baee data-v-1cf7166c><div class="content" data-v-1cf7166c><div class="outline-marker" data-v-1cf7166c></div><div aria-level="2" class="outline-title" id="doc-outline-aria-label" role="heading" data-v-1cf7166c>On this page</div><ul 
class="VPDocOutlineItem root" data-v-1cf7166c data-v-c6ed6775><!--[--><!--]--></ul></div></nav><!--[--><!--]--><div class="spacer" data-v-0970baee></div><!--[--><!--]--><!----><!--[--><!--]--><!--[--><!--]--></div></div></div></div><div class="content" data-v-29334b8c><div class="content-container" data-v-29334b8c><!--[--><!--]--><main class="main" data-v-29334b8c><div style="position:relative;" class="vp-doc _services_iam-service_iam-policy" data-v-29334b8c><div><h1 id="iam-policy" tabindex="-1">IAM Policy <a class="header-anchor" href="#iam-policy" aria-label="Permalink to &quot;IAM Policy&quot;"></a></h1><p>This document provides a guide to creating and managing IAM policies in Open Archiver. It is intended for developers and administrators who need to configure granular access control for users and roles.</p><h2 id="policy-structure" tabindex="-1">Policy Structure <a class="header-anchor" href="#policy-structure" aria-label="Permalink to &quot;Policy Structure&quot;"></a></h2><p>IAM policies are defined as an array of JSON objects, where each object represents a single permission rule. The structure of a policy object is as follows:</p><div class="language-json vp-adaptive-theme"><button title="Copy Code" class="copy"></button><span class="lang">json</span><pre class="shiki shiki-themes github-light github-dark vp-code" tabindex="0"><code><span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">{</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;action&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;read&quot;</span><span style="--shiki-light:#B31D28;--shiki-light-font-style:italic;--shiki-dark:#FDAEB7;--shiki-dark-font-style:italic;"> OR</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> [</span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;read&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">, </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;create&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">],</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;subject&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;ingestion&quot;</span><span style="--shiki-light:#B31D28;--shiki-light-font-style:italic;--shiki-dark:#FDAEB7;--shiki-dark-font-style:italic;"> OR</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> [</span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;ingestion&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">, </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;dashboard&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">],</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;conditions&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;field_name&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;value&quot;</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> },</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;inverted&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">false</span><span style="--shiki-light:#B31D28;--shiki-light-font-style:italic;--shiki-dark:#FDAEB7;--shiki-dark-font-style:italic;"> OR</span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> true</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">}</span></span></code></pre></div><ul><li><code>action</code>: The action(s) to be performed on the subject. Can be a single string or an array of strings.</li><li><code>subject</code>: The resource(s) or entity on which the action is to be performed. Can be a single string or an array of strings.</li><li><code>conditions</code>: (Optional) A set of conditions that must be met for the permission to be granted.</li><li><code>inverted</code>: (Optional) When set to <code>true</code>, this inverts the rule, turning it from a &quot;can&quot; rule into a &quot;cannot&quot; rule. This is useful for creating exceptions to broader permissions.</li></ul><h2 id="actions" tabindex="-1">Actions <a class="header-anchor" href="#actions" aria-label="Permalink to &quot;Actions&quot;"></a></h2><p>The following actions are available for use in IAM policies:</p><ul><li><code>manage</code>: A wildcard action that grants all permissions on a subject (<code>create</code>, <code>read</code>, <code>update</code>, <code>delete</code>, <code>search</code>, <code>sync</code>).</li><li><code>create</code>: Allows the user to create a new resource.</li><li><code>read</code>: Allows the user to view a resource.</li><li><code>update</code>: Allows the user to modify an existing resource.</li><li><code>delete</code>: Allows the user to delete a resource.</li><li><code>search</code>: Allows the user to search for resources.</li><li><code>sync</code>: Allows the user to synchronize a resource.</li></ul><h2 id="subjects" tabindex="-1">Subjects <a class="header-anchor" href="#subjects" aria-label="Permalink to &quot;Subjects&quot;"></a></h2><p>The following subjects are available for use in IAM policies:</p><ul><li><code>all</code>: A wildcard subject that represents all resources. A rule that pairs <code>manage</code> with <code>all</code> therefore grants every action on every resource, so reserve it for administrator roles.</li><li><code>archive</code>: Represents archived emails.</li><li><code>ingestion</code>: Represents ingestion 
sources.</li><li><code>settings</code>: Represents system settings.</li><li><code>users</code>: Represents user accounts.</li><li><code>roles</code>: Represents user roles.</li><li><code>dashboard</code>: Represents the dashboard.</li></ul><h2 id="advanced-conditions-with-mongodb-style-queries" tabindex="-1">Advanced Conditions with MongoDB-Style Queries <a class="header-anchor" href="#advanced-conditions-with-mongodb-style-queries" aria-label="Permalink to &quot;Advanced Conditions with MongoDB-Style Queries&quot;"></a></h2><p>Conditions are the key to creating fine-grained access control rules. They are defined as a JSON object where each key represents a field on the subject, and the value defines the criteria for that field.</p><p>All conditions within a single rule are implicitly joined with an <strong>AND</strong> logic. This means that for a permission to be granted, the resource must satisfy <em>all</em> specified conditions.</p><p>The power of this system comes from its use of a subset of <a href="https://www.mongodb.com/docs/manual/" target="_blank" rel="noreferrer">MongoDB&#39;s query language</a>, which provides a flexible and expressive way to define complex rules. These rules are translated into native queries for both the PostgreSQL database (via Drizzle ORM) and the Meilisearch engine.</p><h3 id="supported-operators-and-examples" tabindex="-1">Supported Operators and Examples <a class="header-anchor" href="#supported-operators-and-examples" aria-label="Permalink to &quot;Supported Operators and Examples&quot;"></a></h3><p>Here is a detailed breakdown of the supported operators with examples.</p><h4 id="eq-equal" tabindex="-1"><code>$eq</code> (Equal) <a class="header-anchor" href="#eq-equal" aria-label="Permalink to &quot;`$eq` (Equal)&quot;"></a></h4><p>This is the default operator. 
If you provide a simple key-value pair, it is treated as an equality check.</p><div class="language-json vp-adaptive-theme"><button title="Copy Code" class="copy"></button><span class="lang">json</span><pre class="shiki shiki-themes github-light github-dark vp-code" tabindex="0"><code><span class="line"><span style="--shiki-light:#6A737D;--shiki-dark:#6A737D;">// This rule...</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">{ </span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">&quot;status&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;active&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> }</span></span>
<span class="line"></span>
<span class="line"><span style="--shiki-light:#6A737D;--shiki-dark:#6A737D;">// ...is equivalent to this:</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">{ </span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">&quot;status&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: { </span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">&quot;$eq&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;active&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> } }</span></span></code></pre></div><p><strong>Use Case</strong>: Grant access to an ingestion source only if its status is <code>active</code>.</p><h4 id="ne-not-equal" tabindex="-1"><code>$ne</code> (Not Equal) <a class="header-anchor" href="#ne-not-equal" aria-label="Permalink to &quot;`$ne` (Not Equal)&quot;"></a></h4><p>Matches documents where the field value is not equal to the specified value.</p><div class="language-json vp-adaptive-theme"><button title="Copy Code" class="copy"></button><span class="lang">json</span><pre class="shiki shiki-themes github-light github-dark vp-code" tabindex="0"><code><span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">{ </span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">&quot;provider&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: { </span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">&quot;$ne&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;pst_import&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> } }</span></span></code></pre></div><p><strong>Use Case</strong>: Allow a user to see all ingestion sources except for PST imports.</p><h4 id="in-in-array" tabindex="-1"><code>$in</code> (In Array) <a class="header-anchor" href="#in-in-array" aria-label="Permalink to &quot;`$in` (In Array)&quot;"></a></h4><p>Matches 
documents where the field value is one of the values in the specified array.</p><div class="language-json vp-adaptive-theme"><button title="Copy Code" class="copy"></button><span class="lang">json</span><pre class="shiki shiki-themes github-light github-dark vp-code" tabindex="0"><code><span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">{</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;id&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;$in&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: [</span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;INGESTION_ID_1&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">, </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;INGESTION_ID_2&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">]</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> }</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">}</span></span></code></pre></div><p><strong>Use Case</strong>: Grant an auditor access to a specific list of ingestion sources.</p><h4 id="nin-not-in-array" tabindex="-1"><code>$nin</code> (Not In Array) <a class="header-anchor" href="#nin-not-in-array" aria-label="Permalink to &quot;`$nin` (Not In Array)&quot;"></a></h4><p>Matches documents where the field value is not one of the values in the specified array.</p><div class="language-json vp-adaptive-theme"><button title="Copy Code" class="copy"></button><span class="lang">json</span><pre class="shiki shiki-themes github-light github-dark vp-code" tabindex="0"><code><span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">{ </span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">&quot;provider&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: { </span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">&quot;$nin&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: [</span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;pst_import&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">, </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;eml_import&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">] } }</span></span></code></pre></div><p><strong>Use Case</strong>: Hide all manual import sources from a specific user role.</p><h4 id="lt-lte-less-than-less-than-or-equal" tabindex="-1"><code>$lt</code> / <code>$lte</code> (Less Than / Less Than or Equal) <a class="header-anchor" href="#lt-lte-less-than-less-than-or-equal" aria-label="Permalink to &quot;`$lt` / `$lte` (Less Than / Less Than or Equal)&quot;"></a></h4><p>Matches documents where the field value is less than (<code>$lt</code>) or less than or equal to (<code>$lte</code>) the specified value. 
This is useful for numeric or date-based comparisons.</p><div class="language-json vp-adaptive-theme"><button title="Copy Code" class="copy"></button><span class="lang">json</span><pre class="shiki shiki-themes github-light github-dark vp-code" tabindex="0"><code><span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">{ </span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">&quot;sentAt&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: { </span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">&quot;$lt&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;2024-01-01T00:00:00.000Z&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> } }</span></span></code></pre></div><h4 id="gt-gte-greater-than-greater-than-or-equal" tabindex="-1"><code>$gt</code> / <code>$gte</code> (Greater Than / Greater Than or Equal) <a class="header-anchor" href="#gt-gte-greater-than-greater-than-or-equal" aria-label="Permalink to &quot;`$gt` / `$gte` (Greater Than / Greater Than or Equal)&quot;"></a></h4><p>Matches documents where the field value is greater than (<code>$gt</code>) or greater than or equal to (<code>$gte</code>) the specified value.</p><div class="language-json vp-adaptive-theme"><button title="Copy Code" class="copy"></button><span class="lang">json</span><pre class="shiki shiki-themes github-light github-dark vp-code" tabindex="0"><code><span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">{ </span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">&quot;sentAt&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: { </span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">&quot;$gt&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span
style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;2024-01-01T00:00:00.000Z&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> } }</span></span></code></pre></div><h4 id="exists" tabindex="-1"><code>$exists</code> <a class="header-anchor" href="#exists" aria-label="Permalink to &quot;`$exists`&quot;"></a></h4><p>Matches documents that have (or do not have) the specified field.</p><div class="language-json vp-adaptive-theme"><button title="Copy Code" class="copy"></button><span class="lang">json</span><pre class="shiki shiki-themes github-light github-dark vp-code" tabindex="0"><code><span class="line"><span style="--shiki-light:#6A737D;--shiki-dark:#6A737D;">// Grant access only if a &#39;lastSyncStatusMessage&#39; exists</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">{ </span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">&quot;lastSyncStatusMessage&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: { </span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">&quot;$exists&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">true</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> } }</span></span></code></pre></div><h2 id="inverted-rules-creating-exceptions-with-cannot" tabindex="-1">Inverted Rules: Creating Exceptions with <code>cannot</code> <a class="header-anchor" href="#inverted-rules-creating-exceptions-with-cannot" aria-label="Permalink to &quot;Inverted Rules: Creating Exceptions with `cannot`&quot;"></a></h2><p>By default, all rules are &quot;can&quot; rules, meaning they grant permissions. However, you can create a &quot;cannot&quot; rule by adding <code>&quot;inverted&quot;: true</code> to a policy object. This is extremely useful for creating exceptions to broader permissions.</p><p>A common pattern is to grant broad access and then use an inverted rule to carve out a specific restriction.</p><p><strong>Use Case</strong>: Grant a user access to all ingestion sources <em>except</em> for one specific source.</p><p>This is achieved with two rules:</p><ol><li>A &quot;can&quot; rule that grants <code>read</code> access to the <code>ingestion</code> subject.</li><li>An inverted &quot;cannot&quot; rule that denies <code>read</code> access for the specific ingestion <code>id</code>.</li></ol><div class="language-json vp-adaptive-theme"><button title="Copy Code" class="copy"></button><span class="lang">json</span><pre class="shiki shiki-themes github-light github-dark vp-code" tabindex="0"><code><span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">[</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;action&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;read&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;subject&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;ingestion&quot;</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> },</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;inverted&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">true</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;action&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;read&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;subject&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;ingestion&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;conditions&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;id&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;SPECIFIC_INGESTION_ID_TO_EXCLUDE&quot;</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> }</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> }</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">]</span></span></code></pre></div><h2 id="policy-evaluation-logic" tabindex="-1">Policy Evaluation Logic <a class="header-anchor" href="#policy-evaluation-logic" aria-label="Permalink to &quot;Policy Evaluation Logic&quot;"></a></h2><p>The system evaluates policies by combining all relevant rules for a user. The logic is simple:</p><ul><li>A user has permission if at least one <code>can</code> rule allows it.</li><li>A permission is denied if a <code>cannot</code> (<code>&quot;inverted&quot;: true</code>) rule explicitly forbids it, even if a <code>can</code> rule allows it. <code>cannot</code> rules always take precedence.</li></ul><h3 id="dynamic-policies-with-placeholders" tabindex="-1">Dynamic Policies with Placeholders <a class="header-anchor" href="#dynamic-policies-with-placeholders" aria-label="Permalink to &quot;Dynamic Policies with Placeholders&quot;"></a></h3><p>To create dynamic policies that are specific to the current user, you can use the <code>${user.id}</code> placeholder in the <code>conditions</code> object. This placeholder will be replaced with the ID of the current user at runtime.</p><h2 id="special-permissions-for-user-and-role-management" tabindex="-1">Special Permissions for User and Role Management <a class="header-anchor" href="#special-permissions-for-user-and-role-management" aria-label="Permalink to &quot;Special Permissions for User and Role Management&quot;"></a></h2><p>It is important to note that while <code>read</code> access to <code>users</code> and <code>roles</code> can be granted granularly, any actions that modify these resources (<code>create</code>, <code>update</code>, <code>delete</code>) are restricted to Super Admins.</p><p>A user must have the <code>{ &quot;action&quot;: &quot;manage&quot;, &quot;subject&quot;: &quot;all&quot; }</code> permission (Typically a Super Admin role) to manage users and roles. 
This is a security measure to prevent unauthorized changes to user accounts and permissions.</p><h2 id="policy-examples" tabindex="-1">Policy Examples <a class="header-anchor" href="#policy-examples" aria-label="Permalink to &quot;Policy Examples&quot;"></a></h2><p>Here are several examples based on the default roles in the system, demonstrating how to combine actions, subjects, and conditions to achieve specific access control scenarios.</p><h3 id="administrator" tabindex="-1">Administrator <a class="header-anchor" href="#administrator" aria-label="Permalink to &quot;Administrator&quot;"></a></h3><p>This policy grants a user full access to all resources using wildcards. It is the same <code>{ &quot;action&quot;: &quot;manage&quot;, &quot;subject&quot;: &quot;all&quot; }</code> permission that is required to manage users and roles, so a holder of this policy can also change accounts and role assignments; assign it only where that level of control is intended.</p><div class="language-json vp-adaptive-theme"><button title="Copy Code" class="copy"></button><span class="lang">json</span><pre class="shiki shiki-themes github-light github-dark vp-code" tabindex="0"><code><span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">[</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;action&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;manage&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;subject&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;all&quot;</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> }</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">]</span></span></code></pre></div><h3 id="end-user" tabindex="-1">End-User <a class="header-anchor" href="#end-user" aria-label="Permalink to &quot;End-User&quot;"></a></h3><p>This policy allows a user to view the dashboard, create new ingestion sources, and fully manage the ingestion sources they own, together with the archived emails that belong to those sources. Ownership is matched through the <code>${user.id}</code> placeholder in the <code>conditions</code> of the last two rules. The <code>//</code> comment in the final rule is explanatory only; remove it if the policy has to be entered as strict JSON.</p><div class="language-json vp-adaptive-theme"><button title="Copy Code" class="copy"></button><span class="lang">json</span><pre class="shiki shiki-themes github-light github-dark vp-code" tabindex="0"><code><span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">[</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;action&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;read&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;subject&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;dashboard&quot;</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> },</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;action&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;create&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;subject&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;ingestion&quot;</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> },</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;action&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;manage&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;subject&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;ingestion&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;conditions&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;userId&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;${user.id}&quot;</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> }</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> },</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;action&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;manage&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;subject&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;archive&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;conditions&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;ingestionSource.userId&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;${user.id}&quot;</span><span style="--shiki-light:#6A737D;--shiki-dark:#6A737D;"> // also needs to give permission to archived emails created by the user</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> }</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> }</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">]</span></span></code></pre></div><h3 id="global-read-only-auditor" tabindex="-1">Global Read-Only Auditor <a class="header-anchor" href="#global-read-only-auditor" aria-label="Permalink to &quot;Global Read-Only Auditor&quot;"></a></h3><p>This policy grants read and search access across most of the application&#39;s resources, making it suitable for an auditor who needs to view data without modifying it.</p><div class="language-json vp-adaptive-theme"><button title="Copy Code" class="copy"></button><span class="lang">json</span><pre class="shiki shiki-themes github-light github-dark vp-code" tabindex="0"><code><span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">[</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;action&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: [</span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;read&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">, </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;search&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">],</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;subject&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: [</span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;ingestion&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">, </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;archive&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">, </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;dashboard&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">, </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;users&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">, </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;roles&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">]</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> }</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">]</span></span></code></pre></div><h3 id="ingestion-admin" tabindex="-1">Ingestion Admin <a class="header-anchor" href="#ingestion-admin" aria-label="Permalink to &quot;Ingestion Admin&quot;"></a></h3><p>This policy grants full control over all ingestion sources and archives, but no other resources. Note that the rule shown names only the <code>ingestion</code> subject, while the other examples on this page grant <code>archive</code> access through a separate rule; verify whether this role also needs an explicit <code>archive</code> rule before relying on it for archive access.</p><div class="language-json vp-adaptive-theme"><button title="Copy Code" class="copy"></button><span class="lang">json</span><pre class="shiki shiki-themes github-light github-dark vp-code" tabindex="0"><code><span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">[</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;action&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;manage&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;subject&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;ingestion&quot;</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> }</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">]</span></span></code></pre></div><h3 id="auditor-for-specific-ingestion-sources" tabindex="-1">Auditor for Specific Ingestion Sources <a class="header-anchor" href="#auditor-for-specific-ingestion-sources" aria-label="Permalink to &quot;Auditor for Specific Ingestion Sources&quot;"></a></h3><p>This policy demonstrates how to grant access to a specific list of ingestion sources using the <code>$in</code> operator.</p><div class="language-json vp-adaptive-theme"><button title="Copy Code" class="copy"></button><span class="lang">json</span><pre class="shiki shiki-themes github-light github-dark vp-code" tabindex="0"><code><span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">[</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;action&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: [</span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;read&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">, </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;search&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">],</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;subject&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;ingestion&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;conditions&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;id&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;$in&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: [</span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;INGESTION_ID_1&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">, </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;INGESTION_ID_2&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">]</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> }</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> }</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> }</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">]</span></span></code></pre></div><h3 id="limit-access-to-a-specific-mailbox" tabindex="-1">Limit Access to a Specific Mailbox <a class="header-anchor" href="#limit-access-to-a-specific-mailbox" aria-label="Permalink to &quot;Limit Access to a Specific Mailbox&quot;"></a></h3><p>This policy grants a user access to a specific ingestion source, but only allows them to see emails belonging to a single user within that source.</p><p>This is achieved with a specific <code>can</code> rule: it grants <code>read</code> and <code>search</code> access to the <code>archive</code> subject, but only where the <code>userEmail</code> matches. The example below shows this one rule only; it places no condition on the ingestion source itself, so as written the restriction is by <code>userEmail</code> alone.</p><div class="language-json vp-adaptive-theme"><button title="Copy Code" class="copy"></button><span class="lang">json</span><pre class="shiki shiki-themes github-light github-dark vp-code" tabindex="0"><code><span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">[</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;action&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: [</span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;read&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">, </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;search&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">],</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;subject&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;archive&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;conditions&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: {</span></span>
<span class="line"><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> &quot;userEmail&quot;</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">: </span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">&quot;user1@example.com&quot;</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> }</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> }</span></span>
<span class="line"><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">]</span></span></code></pre></div></div></div></main><footer class="VPDocFooter" data-v-29334b8c data-v-a014c1de><!--[--><!--]--><!----><nav class="prev-next" aria-labelledby="doc-footer-aria-label" data-v-a014c1de><span class="visually-hidden" id="doc-footer-aria-label" data-v-a014c1de>Pager</span><div class="pager" data-v-a014c1de><a class="VPLink link pager-link prev" href="/services/ocr-service.html" data-v-a014c1de><!--[--><span class="desc" data-v-a014c1de>Previous page</span><span class="title" data-v-a014c1de>OCR Service</span><!--]--></a></div><div class="pager" data-v-a014c1de><!----></div></nav></footer><!--[--><!--]--></div></div></div><!--[--><!--]--></div></div><!----><!--[--><!--]--></div></div>
<script>window.__VP_HASH_MAP__=JSON.parse("{\"api_archived-email.md\":\"rYKCgF6R\",\"api_auth.md\":\"BqZ6wN0q\",\"api_authentication.md\":\"CyDXtQYg\",\"api_dashboard.md\":\"lu70c-Pf\",\"api_index.md\":\"DFnFK07E\",\"api_ingestion.md\":\"Cfl_b04u\",\"api_integrity.md\":\"CTx79Yjz\",\"api_jobs.md\":\"1HdD59Aa\",\"api_rate-limiting.md\":\"a1m1O0N8\",\"api_search.md\":\"B8tLtEbg\",\"api_storage.md\":\"DKUKvFrO\",\"enterprise_audit-log_api.md\":\"BVTisviS\",\"enterprise_audit-log_audit-service.md\":\"BSa897FH\",\"enterprise_audit-log_guide.md\":\"CV4dRt8z\",\"enterprise_audit-log_index.md\":\"D4TEa94R\",\"index.md\":\"9PKJf5H1\",\"services_iam-service_iam-policy.md\":\"BMP46V9x\",\"services_index.md\":\"BLn224J3\",\"services_ocr-service.md\":\"aPypYfme\",\"services_storage-service.md\":\"Bgos1Y2E\",\"summary.md\":\"5seSND4L\",\"user-guides_email-providers_eml.md\":\"a288N17s\",\"user-guides_email-providers_google-workspace.md\":\"BWo_12De\",\"user-guides_email-providers_imap.md\":\"DnuaRv-0\",\"user-guides_email-providers_index.md\":\"C3XNPTNj\",\"user-guides_email-providers_mbox.md\":\"Cavm6di7\",\"user-guides_email-providers_microsoft-365.md\":\"QHHVfYxW\",\"user-guides_email-providers_pst.md\":\"c6jOF8P1\",\"user-guides_installation.md\":\"wSyVr6UW\",\"user-guides_integrity-check.md\":\"v2rGD4e_\",\"user-guides_settings_system.md\":\"DZw4puzm\",\"user-guides_troubleshooting_cors-errors.md\":\"DJT7M9F5\",\"user-guides_upgrade-and-migration_meilisearch-upgrade.md\":\"xQXm1E12\",\"user-guides_upgrade-and-migration_upgrade.md\":\"DieppEdN\"}");window.__VP_SITE_DATA__=JSON.parse("{\"lang\":\"en-US\",\"dir\":\"ltr\",\"title\":\"Open Archiver Docs\",\"description\":\"Official documentation for the Open Archiver 
project.\",\"base\":\"/\",\"head\":[],\"router\":{\"prefetchLinks\":true},\"appearance\":true,\"themeConfig\":{\"search\":{\"provider\":\"local\"},\"logo\":{\"src\":\"/logo-sq.svg\"},\"nav\":[{\"text\":\"Home\",\"link\":\"/\"},{\"text\":\"Github\",\"link\":\"https://github.com/LogicLabs-OU/OpenArchiver\"},{\"text\":\"Website\",\"link\":\"https://openarchiver.com/\"},{\"text\":\"Discord\",\"link\":\"https://discord.gg/MTtD7BhuTQ\"}],\"sidebar\":[{\"text\":\"User Guides\",\"items\":[{\"text\":\"Get Started\",\"link\":\"/\"},{\"text\":\"Installation\",\"link\":\"/user-guides/installation\"},{\"text\":\"Email Integrity Check\",\"link\":\"/user-guides/integrity-check\"},{\"text\":\"Email Providers\",\"link\":\"/user-guides/email-providers/\",\"collapsed\":true,\"items\":[{\"text\":\"Generic IMAP Server\",\"link\":\"/user-guides/email-providers/imap\"},{\"text\":\"Google Workspace\",\"link\":\"/user-guides/email-providers/google-workspace\"},{\"text\":\"Microsoft 365\",\"link\":\"/user-guides/email-providers/microsoft-365\"},{\"text\":\"EML Import\",\"link\":\"/user-guides/email-providers/eml\"},{\"text\":\"PST Import\",\"link\":\"/user-guides/email-providers/pst\"},{\"text\":\"Mbox Import\",\"link\":\"/user-guides/email-providers/mbox\"}]},{\"text\":\"Settings\",\"collapsed\":true,\"items\":[{\"text\":\"System\",\"link\":\"/user-guides/settings/system\"}]},{\"text\":\"Upgrading and Migration\",\"collapsed\":true,\"items\":[{\"text\":\"Upgrading\",\"link\":\"/user-guides/upgrade-and-migration/upgrade\"},{\"text\":\"Meilisearch Upgrade\",\"link\":\"/user-guides/upgrade-and-migration/meilisearch-upgrade\"}]}]},{\"text\":\"API Reference\",\"items\":[{\"text\":\"Overview\",\"link\":\"/api/\"},{\"text\":\"Authentication\",\"link\":\"/api/authentication\"},{\"text\":\"Rate Limiting\",\"link\":\"/api/rate-limiting\"},{\"text\":\"Auth\",\"link\":\"/api/auth\"},{\"text\":\"Archived 
Email\",\"link\":\"/api/archived-email\"},{\"text\":\"Dashboard\",\"link\":\"/api/dashboard\"},{\"text\":\"Ingestion\",\"link\":\"/api/ingestion\"},{\"text\":\"Integrity Check\",\"link\":\"/api/integrity\"},{\"text\":\"Search\",\"link\":\"/api/search\"},{\"text\":\"Storage\",\"link\":\"/api/storage\"},{\"text\":\"Jobs\",\"link\":\"/api/jobs\"}]},{\"text\":\"Services\",\"items\":[{\"text\":\"Overview\",\"link\":\"/services/\"},{\"text\":\"Storage Service\",\"link\":\"/services/storage-service\"},{\"text\":\"OCR Service\",\"link\":\"/services/ocr-service\"},{\"text\":\"IAM Service\",\"items\":[{\"text\":\"IAM Policies\",\"link\":\"/services/iam-service/iam-policy\"}]}]}]},\"locales\":{},\"scrollOffset\":134,\"cleanUrls\":false}");</script>
</body>
</html>