How-to
Use wildcards in rules
Goal
Write rules that apply to groups of identities rather than enumerating each one individually.
Wildcard syntax
| Pattern | Matches | Example |
|---|---|---|
* | Any sequence of characters | *@example.com matches any email at example.com |
? | Exactly one character | agent?.acme.com matches agent1, agent2, etc. |
| literal | Exact match (case-insensitive) | [email protected] matches only that identity |
Common patterns
Allow everyone from a domain
await policies.AddPolicyRuleAsync(new PolicyRule(
Sender: "*@example.com",
Destination: "self",
Realm: "default",
Direction: "inbound",
Effect: "allow")); Allow any acme.com subdomain agent
await policies.AddPolicyRuleAsync(new PolicyRule(
Sender: "*.acme.com",
Destination: "self",
Realm: "default",
Direction: "inbound",
Effect: "allow")); Allow a generic agent identity prefix
// Match any generic agent name starting with this prefix
await policies.AddPolicyRuleAsync(new PolicyRule(
Sender: "web0-bliss-cyan-*",
Destination: "self",
Realm: "default",
Direction: "inbound",
Effect: "allow")); Match anything (use sparingly)
await policies.AddPolicyRuleAsync(new PolicyRule(
Sender: "*",
Destination: "self",
Realm: "default",
Direction: "inbound",
Effect: "allow")); Wildcards in the destination
The same syntax works in the destination column:
// Allow our agent to send messages to any agent under acme.com
await policies.AddPolicyRuleAsync(new PolicyRule(
Sender: "self",
Destination: "*.acme.com",
Realm: "default",
Direction: "outbound",
Effect: "allow")); Combining wildcard allow with literal deny
A common pattern: allow a whole domain, but block specific bad actors within it:
// Allow everyone from example.com
await policies.AddPolicyRuleAsync(new PolicyRule(
"*@example.com", "self", "default", "inbound", "allow"));
// Block one specific account
await policies.AddPolicyRuleAsync(new PolicyRule(
"[email protected]", "self", "default", "inbound", "deny")); Because deny always wins, [email protected] is blocked while everyone else from example.com is allowed.
See also
- The authorization model Concept
- Allow a specific sender How-to
- Deny a specific sender How-to