Policies

6min
Policies are an important component of Kubeark Identity, allowing you to define the rules and procedures that govern how the users can interact with the platform, including authentication and enrollment flows, user attributes and others.
Event-matcher policy
This policy is used by the events subsystem. You can use this policy to match events by multiple different criteria, to choose when you get notified.
Expression Policy
This evaluates an expression or a set of expressions to determine if the policy should be allowed or denied. These expressions can reference context data, which includes data about the user, device, and other relevant information. Expression policies allow for greater flexibility and customization in managing access and permissions.
The passing of the policy is determined by the return value of the code. Use
Text
return True
return True
﻿
to pass a policy and
Text
return False
return False
﻿
to fail it.
﻿Available functions:﻿
 ak_message (message: str) - Add a message, visible by the end user. This can be used to show the reason why they were denied
Example:
YAML
ak_message("Access denied")
return False
ak_message("Access denied")
return False
﻿
regex_match(value: Any, regex: str) -> bool - check if value matches Regular Expression
 Example:
YAML
return regex_match(request.user.username, '.*admin.*')
return regex_match(request.user.username, '.*admin.*')
﻿
Password-Expiry Policy
This policy aims to ensure that users change their passwords regularly by setting an expiration period for passwords. When a password has reached the specified time limit, the policy expires the password, and the user is required to set a new password. This helps enhance the security of the system by reducing the risk of password breaches or attacks.
Password Policy
This policy allows you to specify password rules, such as length and required characters. The following rules can be set:
Minimum amount of uppercase characters.
Minimum amount of lowercase characters.
Minimum amount of symbols characters.
Minimum length.
Symbol charset (define which characters are counted as symbols).
Reputation Policy
This policy describes the ability to track failed login attempts based on the source IP and attempted username. The policy stores these values as scores, where each failed login attempt results in a decrease of the client IP and targeted username scores by one.
This policy can be used, for example, to prompt clients with a low score to pass a captcha before they can continue.
To make sure this policy is executed correctly, set Re-evaluate policies when using it with a flow\
User Delete/Login/Logout stage
Users