# Example Policies

{% hint style="warning" %}
These are only sample policies to help you build your own. Review the resource patterns in each one before reusing it: a resource whose final segment is a bare `*` grants access to every object of that type.
{% endhint %}

## Admin

Full admin across all resources.

<details>

<summary>role</summary>

```yaml
name: administrator
policy:
  - action: '*'
    resource: '*'
    effect: allow
```

</details>

## Full access for data namespace

Allow full access to all services for resources whose name begins with *blue*. Note that not every resource in this role is scoped by name: `kafka-connect:cluster:*/*`, `kubernetes:cluster:*/*`, `kubernetes:namespace:*/*/*` and `alerts:event:*/*/*` match every object of their type, and the `iam` and `environments` statements grant read access across all of those resources. The third statement also lists a `sql-streaming:processor` resource without any `sql-streaming` action, so check that line does what you expect before copying the role.

<details>

<summary>role</summary>

```yaml
name: blue-things
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  - action:
      - kafka:*
      - schemas:*
      - kafka-connect:*
      - kubernetes:*
      - applications:*
    resource:
      - kafka:topic:*/*/blue-*
      - kafka:consumer-group:*/*/blue-*
      - kafka:acl:*/*/*/user/blue-*
      - schemas:schema:*/*/blue-*
      - kafka-connect:cluster:*/*
      - kafka-connect:connector:*/*/blue-*
      - sql-streaming:processor:*/*/*/blue-*
      - kubernetes:cluster:*/*
      - kubernetes:namespace:*/*/*
    effect: allow
  - action:
      - alerts:*
      - data-policies:*
    resource:
      - alerts:alert:*/*/blue-*
      - alerts:event:*/*/*
      - data-policies:policy:*/blue-*
    effect: allow
```

</details>
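The following linter is an added example, not Lenses code; it reads a role in the YAML structure shown on this page (transcribed here as a Python dict for the `blue-things` role) and reports the things a reviewer should look at before reusing it: statements that allow `*` on `*`, allow-resources whose final segment is a bare `*`, resources whose service has no matching action in the same statement, and actions with no resource of their service. It assumes only what the examples show (actions are `service:Verb`, resources are `service:type:segment/segment/...`, `*` is a wildcard) and does not attempt to model how Lenses evaluates the policy.

```python
"""Linter for the role/policy YAML structure shown on this page.

Added example, not Lenses code. Assumptions (labelled): a role has a
``policy`` list; each statement has ``action``, ``resource`` and ``effect``;
actions look like ``service:Verb`` and resources like
``service:type:seg/seg/...`` with ``*`` as a wildcard. ``BLUE_THINGS`` is
transcribed from the "blue-things" example above.
"""

from fnmatch import fnmatchcase
from typing import Iterable, List, Tuple, Union

Finding = Tuple[str, int, str]  # (code, statement index, detail)

BLUE_THINGS = {
    "name": "blue-things",
    "policy": [
        {"action": ["iam:List*", "iam:Get*"], "resource": "iam:*", "effect": "allow"},
        {"action": ["environments:Get*", "environments:List*",
                    "environments:AccessEnvironment"],
         "resource": "environments:*", "effect": "allow"},
        {"action": ["kafka:*", "schemas:*", "kafka-connect:*",
                    "kubernetes:*", "applications:*"],
         "resource": [
             "kafka:topic:*/*/blue-*",
             "kafka:consumer-group:*/*/blue-*",
             "kafka:acl:*/*/*/user/blue-*",
             "schemas:schema:*/*/blue-*",
             "kafka-connect:cluster:*/*",
             "kafka-connect:connector:*/*/blue-*",
             "sql-streaming:processor:*/*/*/blue-*",
             "kubernetes:cluster:*/*",
             "kubernetes:namespace:*/*/*",
         ],
         "effect": "allow"},
        {"action": ["alerts:*", "data-policies:*"],
         "resource": ["alerts:alert:*/*/blue-*", "alerts:event:*/*/*",
                      "data-policies:policy:*/blue-*"],
         "effect": "allow"},
    ],
}


def _as_list(value: Union[str, Iterable[str]]) -> List[str]:
    """``action`` and ``resource`` may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def service_of(pattern: str) -> str:
    """'kafka:topic:*/*/blue-*' -> 'kafka'; a bare '*' stays '*'."""
    return pattern.split(":", 1)[0]


def name_segment(resource: str) -> str:
    """The final, object-naming segment of a resource pattern.

    'kafka:topic:*/*/blue-*' -> 'blue-*', 'iam:*' -> '*', '*' -> '*'.
    """
    return resource.rsplit("/", 1)[-1].rsplit(":", 1)[-1]


def _same_service(a: str, b: str) -> bool:
    """Either side may be a wildcard, so match in both directions."""
    return fnmatchcase(a, b) or fnmatchcase(b, a)


def lint_role(role: dict) -> List[Finding]:
    """Return review findings for one role; deny statements are skipped."""
    findings: List[Finding] = []
    for i, stmt in enumerate(role["policy"]):
        if stmt.get("effect") != "allow":
            continue  # only allow statements widen access
        actions = _as_list(stmt["action"])
        resources = _as_list(stmt["resource"])
        if "*" in actions and "*" in resources:
            findings.append(("wildcard_allow", i, f"{role['name']}: allow * on *"))
            continue
        action_services = {service_of(a) for a in actions}
        resource_services = {service_of(r) for r in resources}
        for r in resources:
            if name_segment(r) == "*":
                findings.append(("unscoped_resource", i, r))
            if not any(_same_service(service_of(r), s) for s in action_services):
                findings.append(("resource_without_action", i, r))
        for a in actions:
            if not any(_same_service(service_of(a), s) for s in resource_services):
                findings.append(("action_without_resource", i, a))
    return findings


if __name__ == "__main__":
    for code, idx, detail in lint_role(BLUE_THINGS):
        print(f"{code:24} statement[{idx}] {detail}")
```

Run against `blue-things` it reports the four unscoped service-wide patterns plus the unscoped `iam:*` and `environments:*` (which are intentional read-only grants here), the `sql-streaming` resource that no action in its statement covers, and the `applications:*` action that covers no listed resource. To lint another role from this page, transcribe it into the same dict shape and pass it to `lint_role`.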

## Explore a data namespace

Allow read-only access to topics and schemas whose name begins with *la*. The `AccessEnvironment` grant is limited to environments whose name begins with `global`, and the topic statement is limited to the `kafka` type segment.

<details>

<summary>role</summary>

```yaml
name: public-data-explorer
policy:
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:environment:global*
    effect: allow
  - action:
      - kafka:ListTopics
      - kafka:ListTopicDependants
      - kafka:GetTopicDetails
      - kafka:ReadTopicData
    resource: kafka:topic:*/kafka/la-*
    effect: allow
  - action:
      - schemas:ListSchemas
      - schemas:ListSchemaDependants
      - schemas:GetSchemaDetails
    resource: schemas:schema:*/*/la-*
    effect: allow
```

</details>

## Connect Operator

Allow operators to stop and start (restart) connectors on any Connect cluster, and to list and get IAM resources only.

{% hint style="info" %}
No access to data!
{% endhint %}

<details>

<summary>role</summary>

```yaml
name: global-connector-operator
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  - action:
      - kafka-connect:List*
      - kafka-connect:GetClusterDetails
      - kafka-connect:GetConnectorDetails
      - kafka-connect:StartConnector
      - kafka-connect:StopConnector
    resource:
      - kafka-connect:cluster:*/*
      - kafka-connect:connector:*/*/*
    effect: allow
```

</details>

## Explicit no access to production

Explicitly deny `AccessEnvironment` for environments whose name starts with `prod-`. Only that action is denied; listing and reading environment details is unaffected by this role.

<details>

<summary>role</summary>

```yaml
name: no-access-prod-name-prefix
policy:
  - action: environments:AccessEnvironment
    resource: environments:environment:prod-*
    effect: deny
```

</details>

## Developer access

Allow developers access to topics, schemas, SQL processors, consumer groups, ACLs, quotas, connectors, Kubernetes clusters and namespaces, alerts and data policies in the *us-dev* environment. `AccessEnvironment` is granted only for `us-dev`; listing and reading environment details stays unrestricted.

<details>

<summary>role</summary>

```yaml
name: us-dev-permissions
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
    resource: environments:*
    effect: allow
  - action: environments:AccessEnvironment
    resource: environments:environment:us-dev
    effect: allow
  - action:
      - kafka:*
      - schemas:*
      - kafka-connect:*
      - kubernetes:*
      - applications:*
    resource:
      - kafka:topic:us-dev/*
      - kafka:consumer-group:us-dev/*
      - kafka:acl:us-dev/*
      - kafka:quota:us-dev/*
      - schemas:schema:us-dev/*
      - kafka-connect:cluster:us-dev/*
      - kafka-connect:connector:us-dev/*
      - sql-streaming:sql-processor:us-dev/*
      - kubernetes:cluster:us-dev/*
      - kubernetes:namespace:us-dev/*
    effect: allow
  - action:
      - alerts:*
      - data-policies:*
    resource:
      - alerts:channel:us-dev/*
      - alerts:event:us-dev/*
      - alerts:rule:us-dev/*
      - data-policies:policy:us-dev/*
    effect: allow
```

</details>

