How-to
Add a user-level rule
Goal
Add a rule that fires whenever a specific user identity is involved in a message, regardless of which agent is doing the sending or receiving.
When to use a user-level rule
- You want a rule that applies whether the user sends directly or via a relay
- The rule expresses the user's intent ("no message acting on alice's behalf may reach payment-gateway")
- You want the rule to survive across sessions and across agent instances
Code
using HexaEight.Bridge;
using HexaEight.Bridge.Authorization;
// Compute the sha512 hash of the user identity (lowercased)
string aliceHash = PolicyRule.Sha512Hex("[email protected]");
// Rule: no inbound from anyone to alice
await policies.AddPolicyRuleAsync(new PolicyRule(
Sender: "*",
Destination: "[email protected]",
Realm: $"user:{aliceHash}",
Direction: "inbound",
Effect: "deny")); Rule that allows specific traffic for a user
// Alice's policy: only acme-bot can send to her
await policies.AddPolicyRuleAsync(new PolicyRule(
Sender: "acme-bot.example.com",
Destination: "[email protected]",
Realm: $"user:{aliceHash}",
Direction: "inbound",
Effect: "allow")); How user-level rules fire
Tier 1 (user-level) rules fire when:
- The wire sender is alice (alice sent directly), OR
- The OriginalSender claim is alice (alice's message arrived via a relay), OR
- The FinalRecipient claim is alice (the message is destined for alice)
See also
- The authorization model Concept
- Allow a specific sender How-to
- Forward a message to a final recipient How-to