Create a policy

The underpinning of Aserto's authorization model is a policy.

Policies are authored, stored, and versioned as code in a git repository.

Add a policy

When you click on “Add a policy”, you'll go through a short workflow to select a git repository for your policy, and name that policy in the Aserto console.

The first step is to select a connection to a source code control system. Since you don't yet have any, you'll want to click the "Add connection" button.

This will take you to the Connections page. Notice that you already have two system connections - one to the Aserto Registry, and the other to the (multi-tenant) Aserto Authorizer.

Click the "Add a connection" button close to the top right corner. This will bring up a modal for adding a connection to a provider. Aserto supports GitHub as a source code provider, and lets you connect to it either through an OAuth2 flow or with a Personal Access Token (PAT).

The easiest path is to select "github" as the source code provider, give the connection a name (like github-<youraccount>), and click "Add connection". To connect using a Personal Access Token (PAT), follow these instructions.

Note

If you are managing an Aserto tenant for an organization, we recommend signing in with a GitHub "bot account" and using a Personal Access Token that has access to your GitHub organization.

Once you complete GitHub’s OAuth2 consent flow, go back to the Policies page, click "Add a policy" again, and select your newly created connection in the first step.

Next, you'll be asked to select an organization & repo. Select the “New (using template)” radio button, and select the policy-peoplefinder template.

Note

Your user must have sufficient permissions to create a secret in this GitHub repo (which may be controlled by the organization you choose to create the repo in).

Name your new repository something like policy-peoplefinder. Finally, name your policy with a descriptive name (e.g. peoplefinder). You’ll use this name later with the CLI.

Congratulations! You now have a clone of the policy-peoplefinder policy template in your GitHub account, hooked up to Aserto. Later, you’re going to modify this policy repository to change the authorization policy of the PeopleFinder application. But first, we want to connect to your Auth0 tenant and sync your users into the Aserto authorizer.