Cedar Policies
JITSudo uses the Cedar policy language for fine-grained, tenant-isolated authorization. Policies determine whether access requests are auto-approved, require manual review, or are denied.
How Policies Work
- Fail-closed — requests are denied by default unless a policy explicitly permits them
- Priority-based — rules are grouped by priority (higher priority evaluated first); lower priorities cannot override higher priority decisions
- Tenant-isolated — policies are scoped to a tenant via tenant_id
Policy Structure
Policies are stored in a decomposed format in the database, then assembled into Cedar text for evaluation. The key fields are:
| Field | Description |
|---|---|
| effect | permit or forbid |
| principal_scope_type | any, eq, in, is, is_in |
| principal_entity_type / principal_entity_id | Who the policy applies to |
| action_scope_type | any, eq, in |
| action_ids | Array of action names |
| resource_scope_type | any, eq, in, is, is_in |
| resource_entity_type / resource_entity_id | What resource the policy applies to |
| conditions | Raw Cedar when / unless clauses |
| approval_mode | auto (skip review), require (needs approval), break_glass |
| approval_timeout | Duration after which unapproved requests expire |
Cedar Entity Types
| Entity | Type | Description |
|---|---|---|
| Principal | User | The user making the request |
| Action | Action | The action being requested |
| Resource | AwsAccount | AWS account |
| Resource | AwsPermissionSet | IAM Identity Center permission set |
| Resource | AwsS3Bucket | S3 bucket |
| Resource | AwsRdsInstance | RDS database instance |
| Resource | AwsEc2Instance | EC2 compute instance |
Managing Policies via API
```bash
# Create a policy rule
curl -X POST https://jitsudo.example.com/v1/policy-rules \
  -H "X-API-Key: <api-key>" \
  -H "X-Tenant-ID: <tenant-uuid>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "auto-approve-dev",
    "description": "Auto-approve dev account access for engineering",
    "effect": "permit",
    "principal_scope_type": "in",
    "principal_entity_type": "User",
    "principal_entity_id": "group:engineering",
    "action_scope_type": "eq",
    "action_ids": ["request_access"],
    "resource_scope_type": "eq",
    "resource_entity_type": "AwsAccount",
    "resource_entity_id": "123456789012",
    "conditions": "context.duration_seconds <= 14400",
    "approval_mode": "auto",
    "priority": 100
  }'

# Get the assembled Cedar text
curl https://jitsudo.example.com/v1/policy-rules/<id>/raw \
  -H "X-API-Key: <api-key>" \
  -H "X-Tenant-ID: <tenant-uuid>"
```

Evaluation
When a request is submitted, the policy engine:
- Loads all policy rules for the tenant, ordered by priority (highest first)
- Evaluates Cedar policies against the request context
- Returns a decision with: permitted (bool), matching_policies (UUIDs), reason, and approval_mode
- Short-circuits at the first matching priority group — lower priority rules don’t override
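To make the decomposed-to-Cedar step from the Policy Structure table concrete, here is an added illustrative assembler (not JITSudo's own code) that renders a rule dict such as the API payload above into Cedar policy text. It assumes that a bare `conditions` expression is wrapped in a `when` clause and that, for `is_in`, the `*_entity_id` field already holds the full Cedar UID of the containing group; both are assumptions, not documented behaviour.

```python
# Illustrative assembler (constructed example, not the project's own code): builds Cedar
# text from the decomposed rule fields in the table above. Assumptions: a bare `conditions`
# expression is wrapped in `when { ... }`; for `is_in`, `*_entity_id` is a full Cedar UID.

def _entity_scope(var, scope_type, entity_type, entity_id):
    uid = f'{entity_type}::"{entity_id}"'
    if scope_type == "any":
        return var
    if scope_type == "eq":
        return f"{var} == {uid}"
    if scope_type == "in":
        return f"{var} in {uid}"
    if scope_type == "is":
        return f"{var} is {entity_type}"
    if scope_type == "is_in":  # assumption: entity_id already is Type::"id"
        return f"{var} is {entity_type} in {entity_id}"
    raise ValueError(f"unsupported {var}_scope_type: {scope_type!r}")

def _action_scope(scope_type, action_ids):
    uids = [f'Action::"{a}"' for a in action_ids]
    if scope_type == "any":
        return "action"
    if scope_type == "eq" and len(uids) == 1:  # eq needs exactly one action id
        return f"action == {uids[0]}"
    if scope_type == "in" and uids:
        return f"action in [{', '.join(uids)}]"
    raise ValueError(f"bad action scope {scope_type!r} for {action_ids!r}")

def assemble_cedar(rule):
    if rule["effect"] not in ("permit", "forbid"):  # Cedar has only these two effects
        raise ValueError(f"effect must be permit or forbid: {rule['effect']!r}")
    head = ", ".join([
        _entity_scope("principal", rule["principal_scope_type"],
                      rule.get("principal_entity_type"), rule.get("principal_entity_id")),
        _action_scope(rule["action_scope_type"], rule.get("action_ids") or []),
        _entity_scope("resource", rule["resource_scope_type"],
                      rule.get("resource_entity_type"), rule.get("resource_entity_id")),
    ])
    cond = (rule.get("conditions") or "").strip()
    if cond and not cond.startswith(("when", "unless")):
        cond = f"when {{ {cond} }}"  # assumption: bare expressions are when-clauses
    return f"{rule['effect']}({head})" + (f" {cond}" if cond else "") + ";"

EXAMPLE_RULE = {  # the rule from the API example above, in decomposed form
    "effect": "permit", "principal_scope_type": "in",
    "principal_entity_type": "User", "principal_entity_id": "group:engineering",
    "action_scope_type": "eq", "action_ids": ["request_access"],
    "resource_scope_type": "eq", "resource_entity_type": "AwsAccount",
    "resource_entity_id": "123456789012", "conditions": "context.duration_seconds <= 14400",
}
```

Calling `assemble_cedar(EXAMPLE_RULE)` yields a single `permit(...) when { ... };` statement; comparing it against the text returned by the `/raw` endpoint is a quick way to check that a rule was stored as intended.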