# Example Policies

{% hint style="warning" %}
These are only some sample policies to help you build your own.
{% endhint %}

## Admin

Full admin across all resources.

<details>

<summary>role</summary>

```yaml
name: administrator
policy:
  - action: '*'
    resource: '*'
    effect: allow
```

</details>

## Full access for data namespace

Allow full access to all services for resources whose names begin with *blue*.

<details>

<summary>role</summary>

```yaml
name: blue-things
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  - action:
      - kafka:*
      - schemas:*
      - kafka-connect:*
      - kubernetes:*
      - applications:*
    resource:
      - kafka:topic:*/*/blue-*
      - kafka:consumer-group:*/*/blue-*
      - kafka:acl:*/*/*/user/blue-*
      - schemas:schema:*/*/blue-*
      - kafka-connect:cluster:*/*
      - kafka-connect:connector:*/*/blue-*
      - sql-streaming:processor:*/*/*/blue-*
      - kubernetes:cluster:*/*
      - kubernetes:namespace:*/*/*
    effect: allow
  - action:
      - alerts:*
      - data-policies:*
    resource:
      - alerts:alert:*/*/blue-*
      - alerts:event:*/*/*
      - data-policies:policy:*/blue-*
    effect: allow
```

</details>

## Explore a data namespace

Allow read-only access to topics and schemas whose names begin with *la*.

<details>

<summary>role</summary>

```yaml
name: public-data-explorer
policy:
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:environment:global*
    effect: allow
  - action:
      - kafka:ListTopics
      - kafka:ListTopicDependants
      - kafka:GetTopicDetails
      - kafka:ReadTopicData
    resource: kafka:topic:*/kafka/la-*
    effect: allow
  - action:
      - schemas:ListSchemas
      - schemas:ListSchemaDependants
      - schemas:GetSchemaDetails
    resource: schemas:schema:*/*/la-*
    effect: allow
```

</details>

## Connect Operator

Allow operators to restart connectors, and only to list and get IAM resources.

{% hint style="info" %}
No access to data!
{% endhint %}

<details>

<summary>role</summary>

```yaml
name: global-connector-operator
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  - action:
      - kafka-connect:List*
      - kafka-connect:GetClusterDetails
      - kafka-connect:GetConnectorDetails
      - kafka-connect:StartConnector
      - kafka-connect:StopConnector
    resource:
      - kafka-connect:cluster:*/*
      - kafka-connect:connector:*/*/*
    effect: allow
```

</details>

## Explicit no access to production

Explicitly deny access to environments with names starting with `prod-`.

<details>

<summary>role</summary>

```yaml
name: no-access-prod-name-prefix
policy:
  - action: environments:AccessEnvironment
    resource: environments:environment:prod-*
    effect: deny
```

</details>

## Developer access

Allow developers access to topics, schemas, SQL processors, consumer groups, ACLs, quotas and connectors in the *us-dev* environment.

<details>

<summary>role</summary>

```yaml
name: us-dev-permissions
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
    resource: environments:*
    effect: allow
  - action: environments:AccessEnvironment
    resource: environments:environment:us-dev
    effect: allow
  - action:
      - kafka:*
      - schemas:*
      - kafka-connect:*
      - kubernetes:*
      - applications:*
    resource:
      - kafka:topic:us-dev/*
      - kafka:consumer-group:us-dev/*
      - kafka:acl:us-dev/*
      - kafka:quota:us-dev/*
      - schemas:schema:us-dev/*
      - kafka-connect:cluster:us-dev/*
      - kafka-connect:connector:us-dev/*
      - sql-streaming:sql-processor:us-dev/*
      - kubernetes:cluster:us-dev/*
      - kubernetes:namespace:us-dev/*
    effect: allow
  - action:
      - alerts:*
      - data-policies:*
    resource:
      - alerts:channel:us-dev/*
      - alerts:event:us-dev/*
      - alerts:rule:us-dev/*
      - data-policies:policy:us-dev/*
    effect: allow
```

</details>
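As an added example that is not part of the original page and is not the product's own authorization code: a small Python evaluator that applies an assumed reading of this policy format (`*` matches any run of characters, including `/` and `:`; an explicit `deny` wins over any `allow`; a request matched by no statement is implicitly denied) to three of the roles above, transcribed as Python dicts (the *blue-things* role is a subset). Resource names such as `kafka:topic:us-dev/kafka/blue-orders` and the action name `kubernetes:SomeAction` are constructed for the demonstration. The checks at the bottom show three things worth knowing before reusing these samples: the *blue-things* pattern `kubernetes:namespace:*/*/*` matches namespaces that do not begin with `blue-`, the connector-operator role matches no `kafka:` data action at all, and the `prod-` deny role overrides the `environments:*` allow when both roles are assigned.

```python
"""Toy evaluator for the role/policy YAML shown on this page.

Assumed semantics (not stated on the page): '*' is a wildcard for any
characters, everything else matches literally, an explicit deny beats
any allow, and no match means implicit deny.
"""
import re

# Roles transcribed from the page's YAML into Python structures.
NO_ACCESS_PROD = {
    "name": "no-access-prod-name-prefix",
    "policy": [
        {"action": "environments:AccessEnvironment",
         "resource": "environments:environment:prod-*",
         "effect": "deny"},
    ],
}

BLUE_THINGS = {  # subset of the page's 'blue-things' role
    "name": "blue-things",
    "policy": [
        {"action": ["environments:Get*", "environments:List*",
                    "environments:AccessEnvironment"],
         "resource": "environments:*",
         "effect": "allow"},
        {"action": ["kafka:*", "schemas:*", "kafka-connect:*",
                    "kubernetes:*", "applications:*"],
         "resource": ["kafka:topic:*/*/blue-*",
                      "kafka:consumer-group:*/*/blue-*",
                      "kubernetes:cluster:*/*",
                      "kubernetes:namespace:*/*/*"],
         "effect": "allow"},
    ],
}

CONNECT_OPERATOR = {  # the page's 'global-connector-operator' role
    "name": "global-connector-operator",
    "policy": [
        {"action": ["iam:List*", "iam:Get*"],
         "resource": "iam:*", "effect": "allow"},
        {"action": ["environments:Get*", "environments:List*",
                    "environments:AccessEnvironment"],
         "resource": "environments:*", "effect": "allow"},
        {"action": ["kafka-connect:List*", "kafka-connect:GetClusterDetails",
                    "kafka-connect:GetConnectorDetails",
                    "kafka-connect:StartConnector",
                    "kafka-connect:StopConnector"],
         "resource": ["kafka-connect:cluster:*/*",
                      "kafka-connect:connector:*/*/*"],
         "effect": "allow"},
    ],
}


def _as_list(value):
    """The YAML allows a scalar or a list for action/resource."""
    return value if isinstance(value, list) else [value]


def pattern_matches(pattern: str, value: str) -> bool:
    """Glob-style match: '*' matches anything, all other characters are literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """A statement applies when some action AND some resource pattern match."""
    return (any(pattern_matches(a, action) for a in _as_list(stmt["action"]))
            and any(pattern_matches(r, resource) for r in _as_list(stmt["resource"])))


def evaluate(roles: list, action: str, resource: str) -> str:
    """Return 'deny', 'allow' or 'no-match' (implicit deny) for one request.

    Every assigned role is consulted; the first matching deny short-circuits
    regardless of role order (assumed semantics).
    """
    decision = "no-match"
    for role in roles:
        for stmt in role["policy"]:
            if statement_applies(stmt, action, resource):
                if stmt["effect"] == "deny":
                    return "deny"
                decision = "allow"
    return decision


if __name__ == "__main__":
    # Constructed requests: environment/cluster/name segments are made up.
    checks = [
        ([BLUE_THINGS], "kafka:ReadTopicData", "kafka:topic:us-dev/kafka/blue-orders"),
        ([BLUE_THINGS], "kafka:ReadTopicData", "kafka:topic:us-dev/kafka/red-orders"),
        # '*/*/*' is not prefix-scoped: a non-blue namespace is still allowed.
        ([BLUE_THINGS], "kubernetes:SomeAction", "kubernetes:namespace:us-dev/cluster-1/red-team"),
        ([CONNECT_OPERATOR], "kafka:ReadTopicData", "kafka:topic:us-dev/kafka/blue-orders"),
        ([BLUE_THINGS, NO_ACCESS_PROD], "environments:AccessEnvironment",
         "environments:environment:prod-eu"),
    ]
    for roles, action, resource in checks:
        names = "+".join(r["name"] for r in roles)
        print(f"{names:45} {action:32} {resource:50} -> {evaluate(roles, action, resource)}")
```

The `kubernetes:namespace:*/*/*` check is the one to watch: if the intent is "everything beginning with blue", the last segment should carry the same `blue-*` prefix as the topic and schema patterns, and the same review applies to `kafka-connect:cluster:*/*`.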
