Updating a KACLS Endpoint Perimeter
KACLS endpoint perimeters are the policies that allow or disallow the wrap, unwrap, and takeout_unwrap operations. Refer to Access Policies for details.
Updating a perimeter requires understanding of Open Policy Agent.
Use the PATCH /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/perimeters API to update KACLS endpoint perimeters.
Sample Custom Policies
This section describes various scenarios in which custom policies can be applied.
Different Primary and Secondary Email Addresses
If you are using a different email address for the identity provider apart from the Google Workspace domain email address, then you can apply the following custom policy. Where:
authentication.google_emailis your Google Workspace domain email address. In this document, this email Id is referred to as the primary email address.authentication.emailis your identity provider email address. In this document, this email Id is referred to as the secondary email address.package example default allow = false allow { input.authentication.google_email lower(input.authorization.email) == lower(input.authentication.google_email) } allow { not input.authentication.google_email lower(input.authorization.email) == lower(input.authentication.email) } allow { input.perimeter_id == "takeout" }
Allowing File Encryption/Decryption to a Specific User
If only a user (with the email address user@domain) should be able to encrypt/decrypt a file, a custom policy similar to the following can be used:
package example
default allow = false
allow {
input.authentication.email == "user@domain"
input.authorization.email == "user@domain"
}
allow {
input.perimeter_id == "takeout"
}
Allowing File Encryption/Decryption to a List of Users
If only specific users (for example, user1 and user2) should be able to encrypt/decrypt a file, a custom policy similar to the following can be used:
package example
default allow = false
allow {
input.authentication.email == {"user1@domain.com", "user2@domain.com"}[_]
input.authorization.email == {"user1@domain.com", "user2@domain.com"}[_]
}
allow {
input.perimeter_id == "takeout"
}
Restricting File Encryption/Decryption to a List of Users of a Domain
If only specific users (for example, user3 and user4) of a domain should be restricted from encrypting/decrypting a file, a custom policy similar to the following can be used:
package example
import future.keywords
default allow = false
allow {
input.authentication.google_email users := {"user3@domain.com", "user4@domain.com"}
not input.authentication.google_email in users
lower(input.authorization.email) == lower(input.authentication.google_email)
}
allow {
not input.authentication.google_email users := {"user3@domain.com", "user4@domain.com"}
not input.authentication.email in users
lower(input.authorization.email) == lower(input.authentication.email)
}
allow {
input.perimeter_id == "takeout"
}
Syntax
curl -k '<IP>/api/v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/perimeters' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' --compressed
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| id | string | ID of the endpoint. To find out the ID of an endpoint, refer to Viewing KACLS Endpoints. |
| AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/c1583936-7d03-4e2d-a0ae-3a1ae2d2e200/perimeters' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' --compressed
package example
default allow = false
allow {
input.authorization.email == "abc@foo.com"
input.authentication.email == "abc@foo.com"
input.perimeter_id == "takeout"
}
Example Response
"package example default allow = false allow { input.authorization.email == \"abc@foo.com\" input.authentication.email == \"abc@foo.com\" input.perimeter_id == \"takeout\" }"
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
Refer to HTTP status codes for details.
