FinancialApp Schema
The FinancialApp schema defines the structure of entities, actions, and their relationships for the AWS Verified Permissions demo. This schema is written in JSON format and loaded into AVP to enable type checking and validation of Cedar policies.
Complete Schema Definition
  {
    "FinancialApp": {
      "entityTypes": {
        "User": {
          "shape": {
            "type": "Record",
            "attributes": {
              "department": {
                "type": "String",
                "required": true
              },
              "clearance_level": {
                "type": "Long",
                "required": true
              }
            }
          },
          "memberOfTypes": ["Role"]
        },
        "Document": {
          "shape": {
            "type": "Record",
            "attributes": {
              "classification": {
                "type": "String",
                "required": true
              },
              "department": {
                "type": "String",
                "required": true
              }
            }
          }
        },
        "Role": {
          "memberOfTypes": []
        }
      },
      "actions": {
        "Read": {
          "appliesTo": {
            "principalTypes": ["User"],
            "resourceTypes": ["Document"]
          }
        },
        "Edit": {
          "appliesTo": {
            "principalTypes": ["User"],
            "resourceTypes": ["Document"]
          }
        },
        "Delete": {
          "appliesTo": {
            "principalTypes": ["User"],
            "resourceTypes": ["Document"]
          }
        }
      }
    }
  }
Namespace
All entities and actions in this demo are namespaced under FinancialApp. This allows you to organize your authorization model and avoid naming conflicts.
Example entity references:
  FinancialApp::User::"alice"
  FinancialApp::Action::"Read"
  FinancialApp::Document::"Q4-Report-2024"
Entity Types
The schema defines three entity types: User, Document, and Role.
User Entity
Represents a user in the system who can perform actions on resources.
Schema Definition
  "User": {
    "shape": {
      "type": "Record",
      "attributes": {
        "department": {
          "type": "String",
          "required": true
        },
        "clearance_level": {
          "type": "Long",
          "required": true
        }
      }
    },
    "memberOfTypes": ["Role"]
  }
Attributes
  department (String, required): The user's department (e.g., "Finance", "HR", "Sales")
  clearance_level (Long, required): Security clearance level (1-3, higher = more access)
Example Entity
  {
    "identifier": {
      "entityType": "FinancialApp::User",
      "entityId": "alice"
    },
    "attributes": {
      "department": { "string": "Finance" },
      "clearance_level": { "long": 2 }
    },
    "parents": [
      {
        "entityType": "FinancialApp::Role",
        "entityId": "Analyst"
      }
    ]
  }
Usage in Policy
  permit (
    principal in FinancialApp::Role::"Analyst",
    action == FinancialApp::Action::"Read",
    resource
  )
  when {
    principal.department == resource.department &&
    principal.clearance_level >= 2
  };
Key Feature: The "memberOfTypes": ["Role"] field allows Users to be members of Roles. This enables role-based access control (RBAC) using the principal in Role::"RoleName" syntax.
Document Entity
Represents a document or resource that can be accessed by users.
Schema Definition
  "Document": {
    "shape": {
      "type": "Record",
      "attributes": {
        "classification": {
          "type": "String",
          "required": true
        },
        "department": {
          "type": "String",
          "required": true
        }
      }
    }
  }
Attributes
  classification (String, required): Security level (e.g., "confidential", "restricted", "internal")
  department (String, required): Owning department (e.g., "Finance", "HR", "Sales")
Example Entity
  {
    "identifier": {
      "entityType": "FinancialApp::Document",
      "entityId": "Q4-Report-2024"
    },
    "attributes": {
      "department": { "string": "Finance" },
      "classification": { "string": "confidential" }
    },
    "parents": []
  }
Usage in Policy
  forbid (
    principal,
    action == FinancialApp::Action::"Delete",
    resource
  )
  when {
    resource.classification == "confidential"
  };
Role Entity
Represents a role that users can be assigned to (e.g., Analyst, Admin, Auditor).
  "Role": {
    "memberOfTypes": []
  }
Roles are simple entities used for grouping users. They don’t have attributes but serve as parent entities for Users.
Example Roles in the Demo:
  FinancialApp::Role::"Analyst"
  FinancialApp::Role::"Admin"
  FinancialApp::Role::"Auditor"
Actions
The schema defines three actions that users can perform on documents.
Read Action
  "Read": {
    "appliesTo": {
      "principalTypes": ["User"],
      "resourceTypes": ["Document"]
    }
  }
Allows viewing or reading a document. Least privileged action; typically granted to most users.
Edit Action
  "Edit": {
    "appliesTo": {
      "principalTypes": ["User"],
      "resourceTypes": ["Document"]
    }
  }
Allows modifying a document. Requires higher privileges than Read.
Delete Action
  "Delete": {
    "appliesTo": {
      "principalTypes": ["User"],
      "resourceTypes": ["Document"]
    }
  }
Allows permanently removing a document. Most privileged action; typically restricted to Admins.
Demo Data
The demo includes three users and three documents:
Users
  Alice Garcia
    Role: Analyst
    Department: Finance
    Clearance: Level 2
    Example analyst user with department-level access
  Bob Torres
    Role: Admin
    Department: Finance
    Clearance: Level 3
    Administrator with elevated privileges
  Carol Mendez
    Role: Auditor
    Department: HR
    Clearance: Level 1
    Auditor with cross-department read access
Documents
  Q4-Report-2024
    Department: Finance
    Classification: confidential
    Quarterly financial report
  HR-Payroll-2024
    Department: HR
    Classification: restricted
    Employee payroll information
  Sales-Dashboard
    Department: Sales
    Classification: internal
    Sales metrics and analytics
Entity Construction in Code
When calling AVP’s IsAuthorized API, you need to pass entity data. Here’s how it’s done in the Lambda function:
  entities = [
      # User entity with attributes and role membership
      {
          "identifier": {
              "entityType": "FinancialApp::User",
              "entityId": "alice"
          },
          "attributes": {
              "department": {"string": "Finance"},
              "clearance_level": {"long": 2},
          },
          # User is a member of the Analyst role
          "parents": [
              {
                  "entityType": "FinancialApp::Role",
                  "entityId": "Analyst"
              }
          ]
      },
      # Document entity with attributes
      {
          "identifier": {
              "entityType": "FinancialApp::Document",
              "entityId": "Q4-Report-2024"
          },
          "attributes": {
              "department": {"string": "Finance"},
              "classification": {"string": "confidential"},
          },
          "parents": []
      }
  ]
The parents array is critical for RBAC. Without it, policies using principal in Role::"RoleName" won’t work.
Schema Validation
AWS Verified Permissions uses the schema to validate:
  Policy Syntax: Ensures entity types, actions, and attributes referenced in policies exist in the schema
  Type Safety: Validates that attributes are compared with correct types (e.g., comparing clearance_level with a number, not a string)
  Required Attributes: Ensures all required attributes are provided when calling IsAuthorized
  Relationships: Validates that entity relationships (like memberOfTypes) are correct
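As an added example (not code from the demo's Lambda function or from AVP), the following standalone Python applies the same checks listed above, plus the appliesTo check, to the entity records and the IsAuthorized principal/action/resource triple that the Entity Construction section builds. It assumes the boto3 entity format shown on this page (attribute values tagged with string/long/boolean) and uses a constructed copy of the page's FinancialApp schema, so it runs offline without an AVP policy store.

```python
# Constructed copy of the demo schema shown on this page, as the Python dict AVP's JSON would load to
SCHEMA = {"FinancialApp": {
    "entityTypes": {
        "User": {"memberOfTypes": ["Role"], "shape": {"type": "Record", "attributes": {
            "department": {"type": "String", "required": True},
            "clearance_level": {"type": "Long", "required": True}}}},
        "Document": {"shape": {"type": "Record", "attributes": {
            "classification": {"type": "String", "required": True},
            "department": {"type": "String", "required": True}}}},
        "Role": {"memberOfTypes": []}},
    "actions": {a: {"appliesTo": {"principalTypes": ["User"], "resourceTypes": ["Document"]}}
                for a in ("Read", "Edit", "Delete")}}}
# AVP entity JSON tags every attribute value with its type; map Cedar schema types to those tags
TYPE_TAGS = {"String": "string", "Long": "long", "Boolean": "boolean"}

def validate_entity(schema, entity):
    """Return the schema violations in one AVP entity record (an empty list means it conforms)."""
    ns, _, etype = entity["identifier"]["entityType"].rpartition("::")
    type_def = schema.get(ns, {}).get("entityTypes", {}).get(etype)
    if type_def is None:
        return [f"unknown entity type {entity['identifier']['entityType']}"]
    declared = type_def.get("shape", {}).get("attributes", {})  # Role has no shape, so no attributes
    given = entity.get("attributes", {})
    problems = []
    for name, spec in declared.items():
        if name not in given and spec.get("required", True):  # Cedar attributes default to required
            problems.append(f"{etype} is missing required attribute {name}")
        elif name in given and TYPE_TAGS.get(spec["type"]) not in given[name]:
            problems.append(f"{etype}.{name} must be {spec['type']}, got {list(given[name])}")
    problems += [f"{etype} has undeclared attribute {n}" for n in given if n not in declared]
    # parents is the array that makes 'principal in FinancialApp::Role::"..."' work; memberOfTypes
    # says which entity types may appear there
    allowed = [f"{ns}::{t}" for t in type_def.get("memberOfTypes", [])]
    problems += [f"{etype} cannot be a member of {p['entityType']}"
                 for p in entity.get("parents", []) if p["entityType"] not in allowed]
    return problems

def validate_request(schema, action_ref, principal_type, resource_type):
    """Check an IsAuthorized triple against appliesTo; action_ref looks like FinancialApp::Action::"Read"."""
    ns, _, action = action_ref.partition("::Action::")
    action = action.strip('"')
    action_def = schema.get(ns, {}).get("actions", {}).get(action)
    if action_def is None:
        return [f"unknown action {action_ref}"]
    return [f"{action} does not apply to {role} type {etype}"
            for role, etype, key in (("principal", principal_type, "principalTypes"),
                                     ("resource", resource_type, "resourceTypes"))
            if etype not in [f"{ns}::{t}" for t in action_def["appliesTo"][key]]]
```

Running validate_entity on the alice record from the Entity Construction section returns an empty list, while a clearance_level sent as {"string": "2"} or a Document listed as a parent each produce one problem.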
Extending the Schema
You can extend this schema for more complex scenarios:
Adding Attributes
  "User": {
    "shape": {
      "type": "Record",
      "attributes": {
        "department": { "type": "String", "required": true },
        "clearance_level": { "type": "Long", "required": true },
        "manager": { "type": "EntityOrCommon", "name": "User", "required": false },
        "email": { "type": "String", "required": false }
      }
    }
  }
Adding Actions
  "actions": {
    "Read": { ... },
    "Edit": { ... },
    "Delete": { ... },
    "Share": {
      "appliesTo": {
        "principalTypes": ["User"],
        "resourceTypes": ["Document"]
      }
    },
    "Archive": {
      "appliesTo": {
        "principalTypes": ["User"],
        "resourceTypes": ["Document"]
      }
    }
  }
Adding Entity Types
  "entityTypes": {
    "User": { ... },
    "Document": { ... },
    "Role": { ... },
    "Project": {
      "shape": {
        "type": "Record",
        "attributes": {
          "name": { "type": "String", "required": true },
          "status": { "type": "String", "required": true }
        }
      },
      "memberOfTypes": []
    }
  }
Next Steps
  Policy Examples: See how this schema is used in real Cedar policies
  RBAC vs ABAC: Learn different access control patterns using this schema
  Quickstart Guide: Deploy the demo and see the schema in action
  Schema Reference: AWS documentation on schema format