Session Domain
The session domain controls whether a session may be established and, if so, what recording obligations apply to it. It is evaluated before a shell, exec, direct-tcpip, or sftp subsystem is started. The obligation returned by the policy instructs the enforcer which recording backends to activate for that session. Each action below indicates the service that calls it.
Contracts
All contracts include Subject, see Subject claims.
session:start
Evaluated when a new session is being established, before any channel is opened. The decision controls whether the session is permitted at all.
Resource — workspace being accessed.
| Field | Description |
|---|---|
| id | Workspace name. Required. |
| type | Resource type. The value is workspace. |
| attributes.owner | Username of the workspace owner. Required. |
| attributes.blueprint | Blueprint the workspace was launched from. Optional. |
Context
| Field | Description |
|---|---|
| session_type | shell, tcpip, exec, or sftp. Required. |
| session_source | ssh-proxy or api-server. Required. |
Obligations
| Key | Description |
|---|---|
| record | Name of the session to record: shell, exec, direct-tcpip, or sftp. Use none to disable recording. |
session:list
Evaluated when a caller requests a list of sessions. The scope of the listing is determined by which resource fields are present.
Resource — workspace to filter by.
| Field | Description |
|---|---|
| id | Workspace name. Optional — omit to list across workspaces. |
| type | Resource type. The value is workspace. |
| attributes.owner | Username of the workspace owner. Optional — omit to list sessions for all owners; required when id is set. |
Context — none.
Obligations — none; allow or deny only.
Example policy
```rego
package session

import rego.v1

import data.common

default allow := false

# admins may start any session
allow if input.subject.username in common.admin_users

# users with the "user" role may start sessions on any workspace
# (no ownership check is made here)
allow if {
	input.action == "session:start"
	input.subject.roles[_] == "user"
}

# --- session:start obligations ---

# record the session for non-admin users; the obligation value names the session type
obligations["record"] := input.context.session_type if {
	input.action == "session:start"
	not input.subject.username in common.admin_users
}

# explicitly disable recording for admin sessions
obligations["record"] := "none" if {
	input.action == "session:start"
	input.subject.username in common.admin_users
}
```
This example demonstrates the following patterns:
- Admins (usernames in `common.admin_users`) may start any session and are explicitly exempted from recording via `record: none`.
- Users with the `user` role may start sessions on any workspace. The `record` obligation is set to the `session_type` value, naming the session to be recorded.
- Recording obligations name the session to record (`shell`, `exec`, `direct-tcpip`, `sftp`) or use `"none"` to disable recording entirely. When the `record` key is absent from the result the session is not recorded.
- `session_source` is available in context and can be used to apply stricter rules to API-server-initiated sessions versus SSH-proxy-initiated ones.
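The following policy is an added example, not the project's own policy, that carries the patterns above one step further: it restricts non-admin session:start to workspaces the subject owns, uses session_source to limit API-server-initiated sessions to exec and sftp, enforces the session:list scoping rule (owner required whenever id is set), and maps the context value tcpip onto the obligation name direct-tcpip, since the context table and the obligation table spell that session type differently. The admin list `admin_users` is an inline stand-in for `data.common.admin_users`, the ownership and API-server restrictions are assumptions made for illustration, and the usernames and workspace names in the tests are constructed.

```rego
package session_example

import rego.v1

# Constructed stand-in for data.common.admin_users so the example runs without
# the project's data document; "alice" is a hypothetical username.
admin_users := {"alice"}

default allow := false

# session:start -- admins may start any session
allow if {
	input.action == "session:start"
	input.subject.username in admin_users
}

# session:start -- users may start sessions only on workspaces they own and only
# from a source permitted for that session type (both checks are this example's own)
allow if {
	input.action == "session:start"
	"user" in input.subject.roles
	input.resource.attributes.owner == input.subject.username
	source_permitted
}

# SSH-proxy may open any session type; the API server only exec and sftp (assumed)
source_permitted if input.context.session_source == "ssh-proxy"

source_permitted if {
	input.context.session_source == "api-server"
	input.context.session_type in {"exec", "sftp"}
}

# session:list -- admins may list across all workspaces and owners
allow if {
	input.action == "session:list"
	input.subject.username in admin_users
}

# session:list -- users may list only their own sessions, and when id is set
# owner must be set too (the contract's scoping rule)
allow if {
	input.action == "session:list"
	"user" in input.subject.roles
	list_scope_valid
	input.resource.attributes.owner == input.subject.username
}

list_scope_valid if not input.resource.id

list_scope_valid if {
	input.resource.id
	input.resource.attributes.owner
}

# The context table spells the forwarding type "tcpip" while the record obligation
# names "direct-tcpip"; map it so the enforcer receives the backend name it expects.
record_name := "direct-tcpip" if input.context.session_type == "tcpip"

record_name := input.context.session_type if input.context.session_type != "tcpip"

# session:start obligations: record non-admin sessions, explicitly disable for admins
obligations["record"] := record_name if {
	input.action == "session:start"
	not input.subject.username in admin_users
}

obligations["record"] := "none" if {
	input.action == "session:start"
	input.subject.username in admin_users
}

# Unit tests for `opa test`; all inputs are constructed.
owner_tcpip := {
	"action": "session:start",
	"subject": {"username": "bob", "roles": ["user"]},
	"resource": {"id": "ws-1", "type": "workspace", "attributes": {"owner": "bob"}},
	"context": {"session_type": "tcpip", "session_source": "ssh-proxy"},
}

test_owner_ssh_tcpip_allowed_and_recorded if {
	allow with input as owner_tcpip
	obligations.record == "direct-tcpip" with input as owner_tcpip
}

test_api_server_shell_denied if {
	inp := object.union(owner_tcpip, {"context": {"session_type": "shell", "session_source": "api-server"}})
	not allow with input as inp
}

test_admin_not_recorded if {
	inp := object.union(owner_tcpip, {"subject": {"username": "alice", "roles": ["admin"]}})
	allow with input as inp
	obligations.record == "none" with input as inp
}

test_list_id_without_owner_denied if {
	not allow with input as {
		"action": "session:list",
		"subject": {"username": "bob", "roles": ["user"]},
		"resource": {"id": "ws-1", "type": "workspace", "attributes": {}},
	}
}
```

Run it with `opa test .` in a directory containing only this file. The two `record_name` rules are mutually exclusive on `session_type`, and the two `obligations["record"]` rules are mutually exclusive on admin membership, so no input can produce a conflicting-value error; a session:list input has no context, so `record_name` and `obligations` are simply undefined and the enforcer sees no recording obligation, matching the contract's "allow or deny only" statement.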