Practical JavaScript usage examples
Ranger policy condition examples provide JavaScript snippets for implementing access control based on tags, user attributes, groups, roles, and time. Use these templates to enforce complex authorization logic, such as attribute-based comparisons and time-restricted data access.
| Use case | Policy conditions |
|---|---|
| Tag-based policy conditions | |
| Check if resource has PII tag and sensitivity level is high | ctx.hasTag('PII') && parseInt(ctx.tagAttr('sensitiveLevel')) >= 10 |
| Check if any tag has a specific owner | ctx.tagAttr('owner').split(',').includes('john.doe') |
| Verify user clearance against tag sensitivity | parseInt(ctx.userAttr('clearanceLevel')) >= Math.max(...ctx.tagAttr('sensitiveLevel').split(',').map(Number)) |
| User attribute conditions | |
| Check user department and clearance | ctx.userAttr('department') === 'FINANCE' && parseInt(ctx.userAttr('clearanceLevel')) >= 5 |
| Verify user has required attributes | ctx.hasUserAttr('clearanceLevel') && ctx.hasUserAttr('department') |
| Group-based conditions | |
| Check if user is in privileged group with specific department attribute | ctx.isInGroup('privileged_users') && ctx.ugAttr('department').split(',').includes('SECURITY') |
| Verify group attributes match requirements | ctx.hasUgAttr('costCenter') && ctx.ugAttr('region') === 'US' |
| Role-based conditions | |
| Check if user has admin or analyst role | ctx.isInRole('admin') || ctx.isInRole('analyst') |
| Ensure user has at least one role | ctx.isInAnyRole() |
| Time-based conditions | |
| Business hours access only | ctx.isAccessTimeBetween('09:00', '17:00') |
| Weekend restriction | !ctx.isAccessTimeBetween('2023/04/01 00:00', '2023/04/02 23:59') |
| Complex combined conditions | |
| Multi-factor authorization | |
| Department-based data access | |
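
An offline harness for trying the table's conditions against constructed requests before putting them in a policy, as an added example that is not Ranger's or this page's own code. The `makeCtx` mock and its semantics (comma-joined multi-valued attributes, `null` for a missing attribute) are assumptions, as are the sample users, groups and tags; it shows which expressions deny cleanly and which throw when an attribute is absent.

```javascript
// Mock of the ctx helpers used in the table. Semantics are assumptions for
// offline testing: multi-valued attributes are comma-joined, missing ones are null.
function makeCtx(req) {
  const join = (items, name) => {
    const vals = items.map(i => i.attrs[name]).filter(v => v !== undefined);
    return vals.length ? vals.join(',') : null;
  };
  return {
    hasTag: t => req.tags.some(x => x.name === t),
    tagAttr: n => join(req.tags, n),
    userAttr: n => (n in req.user.attrs ? req.user.attrs[n] : null),
    hasUserAttr: n => n in req.user.attrs,
    isInGroup: g => req.groups.some(x => x.name === g),
    ugAttr: n => join(req.groups, n),
    hasUgAttr: n => join(req.groups, n) !== null,
    isInRole: r => req.user.roles.includes(r),
    isInAnyRole: () => req.user.roles.length > 0,
  };
}

// Evaluate one condition expression; exceptions are reported, not swallowed,
// so the policy author sees an unguarded attribute access.
function evaluate(expr, req) {
  try {
    const fn = new Function('ctx', 'return (' + expr + ');');
    return fn(makeCtx(req)) === true ? 'allow' : 'deny';
  } catch (e) {
    return 'error: ' + e.name;
  }
}

// Constructed sample requests (not real data).
const analyst = {
  user: { attrs: { department: 'FINANCE', clearanceLevel: '7' }, roles: ['analyst'] },
  groups: [{ name: 'privileged_users', attrs: { department: 'SECURITY' } }],
  tags: [{ name: 'PII', attrs: { sensitiveLevel: '5', owner: 'john.doe' } },
         { name: 'FINANCE_DATA', attrs: { sensitiveLevel: '12' } }],
};
const noAttrs = { user: { attrs: {}, roles: [] }, groups: [], tags: [] };

// Conditions copied from the table above.
const CLEARANCE = "parseInt(ctx.userAttr('clearanceLevel')) >= " +
  "Math.max(...ctx.tagAttr('sensitiveLevel').split(',').map(Number))";
const DEPT = "ctx.userAttr('department') === 'FINANCE' && " +
  "parseInt(ctx.userAttr('clearanceLevel')) >= 5";
const OWNER = "ctx.tagAttr('owner').split(',').includes('john.doe')";
// Same owner check, guarded by a hasTag() test so a missing tag short-circuits.
const GUARDED_OWNER = "ctx.hasTag('PII') && " + OWNER;
```

With the mock's `null` convention, `OWNER` and `CLEARANCE` throw on a request that carries no tags, while the guarded form denies without evaluating `.split`.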
