Policies & Access Control

Define and enforce fine-grained access policies with conditions.

Policy Basics

Policies in VeraID follow a Policy-Based Access Control (PBAC) model, allowing you to define rules that determine what actions identities can perform.

Basic Policy
{
  "name": "production-read-only",
  "description": "Read-only access to production resources",
  "effect": "ALLOW",
  "actions": ["read:*"],
  "resources": ["prod:*"],
  "conditions": []
}

Condition Types

Conditions add context-aware restrictions to your policies:

Time-Based

Restrict access to specific hours, days, or time windows. Perfect for maintenance windows.

IP & Geo

Allow or block access based on IP ranges, CIDR blocks, or geographic locations.

Rate Limiting

Enforce request limits per minute, hour, or day to prevent abuse.

Risk Score

Require low risk scores or additional verification for high-risk identities.

Condition Examples

Time-Based Condition
{
  "type": "TIME",
  "operator": "BETWEEN",
  "value": {
    "startTime": "09:00",
    "endTime": "17:00",
    "timezone": "America/New_York",
    "daysOfWeek": ["MON", "TUE", "WED", "THU", "FRI"]
  }
}

IP-Based Condition
{
  "type": "IP",
  "operator": "IN",
  "value": [
    "10.0.0.0/8",
    "192.168.1.0/24",
    "203.0.113.50"
  ]
}

Rate Limit Condition
{
  "type": "RATE_LIMIT",
  "operator": "LESS_THAN",
  "value": {
    "maxRequests": 1000,
    "windowMinutes": 60
  }
}

Policy Evaluation

When a request is made, VeraID evaluates all applicable policies:

Order  Rule                         Result
1      Explicit DENY always wins    Deny
2      At least one ALLOW required  Allow
3      All conditions must pass     Allow
4      Default: implicit deny       Deny

Evaluation Order

Policies are evaluated in priority order. Higher priority policies are checked first. Use explicit DENY policies for critical restrictions that should never be overridden.
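The four-rule evaluation order above, together with the TIME, IP and RATE_LIMIT conditions from the Condition Examples section, worked through as an added illustration in Python. This is not VeraID's engine; it assumes a request is a dict with identity, action, resource and ip fields, that actions and resources are matched with `*` globs, that a BETWEEN time window is half-open ([startTime, endTime)), that a NOT_IN operator exists for IP block lists, and that rate limits are counted per policy and identity in memory. The policies are constructed for the example (the deny-prod-delete and ops-delete entries are not from the page) and a DENY policy is taken to apply only when its own conditions hold.

```python
"""Minimal evaluator for VeraID-style policies (added illustration, not VeraID's engine)."""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from zoneinfo import ZoneInfo

# Constructed sample policies. Field names follow the page; the two extra policies are assumed.
POLICIES = [
    {"name": "deny-prod-delete", "effect": "DENY", "priority": 1000,
     "actions": ["delete:*"], "resources": ["prod:*"], "conditions": []},
    {"name": "ops-delete", "effect": "ALLOW", "priority": 50,
     "actions": ["delete:*"], "resources": ["prod:kubernetes:*"], "conditions": []},
    {"name": "ci-cd-deploy-policy", "effect": "ALLOW", "priority": 100,
     "actions": ["deploy:*", "read:config"], "resources": ["prod:kubernetes:*"],
     "conditions": [
         {"type": "TIME", "operator": "BETWEEN",
          "value": {"startTime": "06:00", "endTime": "22:00", "timezone": "UTC"}},
         {"type": "IP", "operator": "IN", "value": ["10.0.0.0/8", "192.168.0.0/16"]},
         {"type": "RATE_LIMIT", "operator": "LESS_THAN",
          "value": {"maxRequests": 50, "windowMinutes": 60}},
     ]},
]


def at_utc(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    """Helper to build timezone-aware UTC request timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


class RateLimiter:
    """Sliding-window counter keyed by (policy name, identity); in-memory only (assumption)."""

    def __init__(self) -> None:
        self._hits = defaultdict(deque)

    def check_and_record(self, key, max_requests: int, window_minutes: int, now: datetime) -> bool:
        hits = self._hits[key]
        cutoff = now - timedelta(minutes=window_minutes)
        while hits and hits[0] <= cutoff:      # drop hits that fell out of the window
            hits.popleft()
        if len(hits) >= max_requests:          # LESS_THAN: prior hits must stay below the cap
            return False
        hits.append(now)
        return True


def _glob_any(patterns, value: str) -> bool:
    return any(fnmatchcase(value, p) for p in patterns)


def time_passes(cond: dict, now: datetime) -> bool:
    """BETWEEN: local time in [startTime, endTime) and, if daysOfWeek is given, weekday in it."""
    v = cond["value"]
    local = now.astimezone(ZoneInfo(v.get("timezone", "UTC")))
    hhmm = local.strftime("%H:%M")
    if not (v["startTime"] <= hhmm < v["endTime"]):
        return False
    days = v.get("daysOfWeek")
    return days is None or local.strftime("%a").upper() in days


def ip_passes(cond: dict, client_ip: str) -> bool:
    """IN: address inside any listed CIDR or host; NOT_IN (assumed operator) is the inverse."""
    addr = ip_address(client_ip)
    hit = any(addr in ip_network(net, strict=False) for net in cond["value"])
    return hit if cond["operator"] == "IN" else not hit


def conditions_pass(policy: dict, request: dict, limiter: RateLimiter, now: datetime) -> bool:
    """Rule 3: every condition must pass; evaluation stops at the first failure."""
    for cond in policy.get("conditions", []):
        if cond["type"] == "TIME":
            ok = time_passes(cond, now)
        elif cond["type"] == "IP":
            ok = ip_passes(cond, request["ip"])
        elif cond["type"] == "RATE_LIMIT":
            v = cond["value"]
            ok = limiter.check_and_record((policy["name"], request["identity"]),
                                          v["maxRequests"], v["windowMinutes"], now)
        else:
            ok = False                          # unknown condition type: fail closed
        if not ok:
            return False
    return True


def evaluate(policies, request: dict, limiter: RateLimiter, now: datetime):
    """Return (effect, policy name, reason) following the page's four-rule order."""
    ordered = sorted(policies, key=lambda p: p.get("priority", 0), reverse=True)
    applicable = [p for p in ordered
                  if _glob_any(p["actions"], request["action"])
                  and _glob_any(p["resources"], request["resource"])]
    # Rule 1: an explicit DENY whose conditions hold wins regardless of any ALLOW.
    for p in applicable:
        if p["effect"] == "DENY" and conditions_pass(p, request, limiter, now):
            return ("DENY", p["name"], "explicit DENY")
    # Rules 2 and 3: the highest-priority ALLOW whose conditions all pass grants access.
    for p in applicable:
        if p["effect"] == "ALLOW" and conditions_pass(p, request, limiter, now):
            return ("ALLOW", p["name"], "all conditions passed")
    # Rule 4: nothing allowed it, so deny by default.
    return ("DENY", None, "implicit deny")
```

Priority only decides the order in which policies of the same effect are tried; the DENY pass runs first so that no ALLOW, however high its priority, can override an explicit DENY. Conditions are checked in the order they appear in the policy, so placing the cheap TIME and IP checks before RATE_LIMIT means a rejected request never consumes part of the identity's quota.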

Complete Policy Example

Full Policy with Conditions
{
  "name": "ci-cd-deploy-policy",
  "description": "Allow CI/CD deployments during business hours from office IPs",
  "effect": "ALLOW",
  "priority": 100,
  "actions": ["deploy:*", "read:config"],
  "resources": ["prod:kubernetes:*"],
  "conditions": [
    {
      "type": "TIME",
      "operator": "BETWEEN",
      "value": {
        "startTime": "06:00",
        "endTime": "22:00",
        "timezone": "UTC"
      }
    },
    {
      "type": "IP",
      "operator": "IN",
      "value": ["10.0.0.0/8", "192.168.0.0/16"]
    },
    {
      "type": "RATE_LIMIT",
      "operator": "LESS_THAN",
      "value": {
        "maxRequests": 50,
        "windowMinutes": 60
      }
    }
  ]
}