Policies

Overview

Identity and Access Management (IAM) policies define which actions their members (users, teams, and API tokens) may perform on which resources. A policy is composed of statements, each of which grants or denies a set of permissions.

Permission for the iam:policies action is required to interact with policies. Any user who is a member of the admins team, or who is otherwise a member of the Administrator policy, already has this permission. For anyone else, create a custom IAM policy that grants it.

Chef-Managed Policies

Chef-managed policies are provided by Chef and are integral to the operation of Chef Automate. The policy statements in Chef-managed policies cannot be changed; only their membership can (see Policy Membership below).

Custom Policies

Custom policies are policies that you create for your own needs. You can add, edit, and delete policy statements in your custom policies. Chef Automate ships with two custom policies, Compliance Viewers and Compliance Editors, which you can edit like any other custom policy.

Managing Policies

Creating Policies

Custom policies cannot be created from the Chef Automate UI; they can only be created using the Policies API.

Deleting Policies

Navigate to Policies in the Settings tab. Then open the menu at the end of the table row and select Delete Policy.

Policy Membership

Policy membership can be changed for both Chef-managed and custom policies. The only exception is that the admins team cannot be removed from the Administrator policy.

Adding Members to Policies

To add members to a policy, navigate to Policies in the Settings tab and locate the policy. Open the policy's detail page and use the Add Members button. Select local users or teams from the list, or use the Add Member Expression button to add API tokens, or SAML or LDAP users or groups, by member expression.

Removing Members from Policies

To remove members from a policy, navigate to Policies in the Settings tab and locate the policy. Open the policy's detail page and select the Members tab. Then locate the member to remove and use the menu at the end of the table row to remove that member.

Changing Policy Details

For custom policies, use the Policies API to change the policy name, statements, and projects; these fields cannot be edited from the UI.
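Because custom policies are created and edited only through the Policies API (Creating Policies and Changing Policy Details above), and because members added through the UI's Add Member Expression button are the same member expressions the API takes (Adding Members to Policies), the following added example builds a custom policy document, checks its member expressions, and renders the request that creates it. This is example code written for this page, not code from Chef Automate. The endpoint path (/apis/iam/v2/policies), the api-token header, the statement shape (effect plus either actions or a role, scoped to projects), and the member expression grammar (user:local:<name>, team:ldap:<name>, user:saml:<name>, token:<id>, and wildcards) are stated from the IAM v2 API as documented elsewhere and should be treated as assumptions; the hostname, token variable, policy id, team name, and actions are placeholders.

```python
"""Build and validate a Chef Automate IAM v2 custom policy (added example).

Assumptions (not taken from this page): the IAM v2 endpoint is
POST https://<host>/apis/iam/v2/policies, authenticated with an
"api-token" header, and a statement carries "effect", "projects", and
exactly one of "actions" or "role". Hostnames, ids and names below are
placeholders.
"""
import json
import re
import shlex

# Member expression grammar as assumed for IAM v2: a user, team or token,
# optionally wildcarded at each level, or the bare "*" for everyone.
MEMBER_RE = re.compile(
    r"^(?:\*"
    r"|user:(?:\*|(?:local|ldap|saml):(?:\*|[^:]+))"
    r"|team:(?:\*|(?:local|ldap|saml):(?:\*|[^:]+))"
    r"|token:(?:\*|[^:]+))$"
)


def valid_member(expr: str) -> bool:
    """True if expr is a well-formed member expression."""
    return bool(MEMBER_RE.match(expr))


def statement(effect, actions=None, role=None, projects=("*",)):
    """One policy statement: ALLOW or DENY, with actions OR a role, scoped to projects."""
    if effect not in ("ALLOW", "DENY"):
        raise ValueError("effect must be ALLOW or DENY")
    if (actions is None) == (role is None):
        raise ValueError("a statement takes exactly one of actions or role")
    st = {"effect": effect, "projects": list(projects)}
    if actions is not None:
        st["actions"] = list(actions)
    else:
        st["role"] = role
    return st


def build_policy(policy_id, name, members, statements, projects=()):
    """Assemble the request body, rejecting malformed member expressions up front."""
    bad = [m for m in members if not valid_member(m)]
    if bad:
        raise ValueError(f"malformed member expression(s): {bad}")
    if not statements:
        raise ValueError("a policy needs at least one statement")
    return {
        "id": policy_id,
        "name": name,
        "members": list(members),
        "statements": list(statements),
        "projects": list(projects),
    }


def curl_create(host, policy, token_env="AUTOMATE_TOKEN"):
    """Render the curl command that would create the policy (assumed endpoint)."""
    body = shlex.quote(json.dumps(policy))
    return (
        f"curl -sS -X POST https://{host}/apis/iam/v2/policies "
        f'-H "api-token: ${token_env}" '
        "-H 'Content-Type: application/json' "
        f"--data {body}"
    )


def example_policy():
    """A policy granting the page's iam:policies permission to a placeholder team
    and an explicit DENY on deleting policies, as a sample body (constructed)."""
    return build_policy(
        policy_id="policy-managers",
        name="Policy Managers",
        members=["team:local:policy-managers", "user:saml:alice@example.com"],
        statements=[
            statement("ALLOW", actions=["iam:policies:*"]),
            statement("DENY", actions=["iam:policies:delete"]),
        ],
    )


if __name__ == "__main__":
    print(json.dumps(example_policy(), indent=2))
    print(curl_create("automate.example.com", example_policy()))
```

The DENY statement shows why statement order and effect matter when you grant a wildcard action: it narrows iam:policies:* so that members of this policy can create and edit policies but not delete them. Validating member expressions client-side is only a convenience; the server remains the authority on what it accepts.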