ACL policy setup help

Hi, I’m trying to set up an ACL (which is a topic that has been documented with little precision so far).

My users share a workspace but some of them must not be able to write/upload to some subdirectories. I can’t use distinct workspaces because the main goal is about sharing and all users must be able to search for all the documents (which, AFAICT, is not possible if data is split across multiple workspaces). (Actually, using workspaces makes it possible without messing around with ACL)

As a consequence, I’m trying to set up an ACL, and after quite some reading of rest.swagger.json and policies.go I ended up with this:

{
  "id": "role-selected-directory",
  "description": "Limit this role to specific directory",
  "subjects": [
    "role:SemiEditor"
  ],
  "resources": [
    "acl"
  ],
  "actions": [
    "write"
  ],
  "effect": "deny",
  "conditions": {
    "NodeMetaPath": {
      "jsonOptions": "{\"matches\":\"this-%placeholder%-directory\"}",
      "type": "StringMatchCondition"
    }
  }
}

Two questions:

  1. Does it feel “ok”?
  2. How to insert/import this policy? There is no command for that (only cells-acl-create) nor UI. Only using the API? But there is apparently no such thing as a PutPolicy endpoint in the FLOSS version!?

Optional third question:
3. Can this %placeholder% exist in the future? :)

In one word: yes, the ability to Create/Update policies is in the ED version only.
As you are an advanced user, the workaround would be to define your own default policies via the Go code and recompile.
-c

Thank you for the confirmation.
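
A check that can be run on the policy from the first post before compiling it in, as an added example that is not part of the thread or of the Cells code base: it decodes the JSON document nested inside `jsonOptions` and tests paths against its `matches` value. It assumes `matches` is evaluated as an unanchored Go regular expression; the directory name `this-restricted-directory` and the sample paths are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Constructed sample: the policy from the post, trimmed, with a hypothetical
// directory name in place of %placeholder%.
const samplePolicy = `{"id": "role-selected-directory", "effect": "deny",
  "conditions": {"NodeMetaPath": {
    "jsonOptions": "{\"matches\":\"this-restricted-directory\"}",
    "type": "StringMatchCondition"}}}`

type policy struct {
	Conditions map[string]struct {
		JSONOptions string `json:"jsonOptions"`
		Type        string `json:"type"`
	} `json:"conditions"`
}

// pathPattern decodes the policy, then the JSON string nested in jsonOptions,
// and compiles its "matches" value. Assumption: the value is used as an
// unanchored Go regular expression when the condition is evaluated.
func pathPattern(doc, key string) (*regexp.Regexp, error) {
	var p policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("policy: %w", err)
	}
	c, ok := p.Conditions[key]
	if !ok || c.Type != "StringMatchCondition" {
		return nil, fmt.Errorf("no StringMatchCondition under %q", key)
	}
	var opts struct{ Matches string `json:"matches"` }
	if err := json.Unmarshal([]byte(c.JSONOptions), &opts); err != nil {
		return nil, fmt.Errorf("jsonOptions: %w", err)
	}
	return regexp.Compile(opts.Matches)
}

func main() {
	re, err := pathPattern(samplePolicy, "NodeMetaPath")
	if err != nil {
		panic(err)
	}
	for _, p := range []string{"ws/this-restricted-directory/a.pdf", "ws/not-this-restricted-directory-old/a.pdf", "ws/public/a.pdf"} {
		fmt.Println(p, re.MatchString(p)) // true means the deny condition applies
	}
}
```

Under that assumption the second path also satisfies the deny condition, because the pattern matches anywhere in the path; anchoring the pattern on the directory boundaries narrows it to the intended subtree.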