creating-service-policies
New Service Policy via UI
- On the left side nav bar, click "Ziti Policies"
- On the top nav bar, click "Service Policies"
- In the top right corner of the screen, click the "plus" image to add a new Service Policy
- Choose a name for the Service Policy, such as "My Service Policy"
- Select "Dial" or "Bind" in the Type dropdown
  - Dial policies allow identities to use or connect to the service
  - Bind policies allow identities to host or provide the service
- Enter the services you want to include in the policy
  - Specific services can be referenced by ID or name using `@`. For example, a service called `ssh` can be referenced using `@ssh`.
  - Services can be referenced by role attribute using `#`. For example, any service which has the `sales` role attribute will be included if `#sales` is included in the service roles list.
- Enter the identities you want to include in the policy
  - Specific identities can be referenced by ID or name using `@`. For example, an identity called `jsmith-desktop` can be referenced using `@jsmith-desktop`.
  - Identities can be referenced by role attribute using `#`. For example, any identity which has the `sales` role attribute will be included if `#sales` is included in the identity roles list.
- Specify the role semantic
  - If you select "Has Any Role" and specify multiple roles, all entities which include any of the roles will be included.
  - If you select "Must Have All Roles" and specify multiple roles, only entities which include all of the given roles will be included.
- Click save

New Service Policy via CLI

To create a Service Policy using the CLI, issue the following commands.

- To use the CLI, you'll need to be logged in. Link to instructions
- Create a service policy named `my-policy` which allows all identities to dial/connect to all services.

  ```
  ziti edge create service-policy my-policy Dial --identity-roles '#all' --service-roles '#all'
  ```
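
The `@`, `#` and role semantic rules above decide which identity/service pairs a policy covers, so it helps to enumerate those pairs before saving a policy. The following is an added example, not OpenZiti code: the entity records and the `selects` and `covered_pairs` helpers are constructed for illustration, and it assumes that an `@` reference and `#all` select an entity regardless of the chosen semantic.

```python
# Added example: a model of the role matching described on this page.
# Not OpenZiti code. Entity records and function names are constructed.
ANY, ALL = "Has Any Role", "Must Have All Roles"

def selects(roles, semantic, entity):
    """True if a policy role list such as ["#sales", "@ssh"] selects entity."""
    if semantic not in (ANY, ALL):
        raise ValueError(f"unknown semantic: {semantic!r}")
    if any(len(r) < 2 or r[0] not in "@#" for r in roles):
        raise ValueError("each role must start with @ or #")
    refs = {r[1:] for r in roles if r[0] == "@"}
    attrs = {r[1:] for r in roles if r[0] == "#"}
    # Assumption: an explicit @ reference (ID or name) always selects the
    # entity, and '#all' selects every entity, whatever the semantic.
    if entity["id"] in refs or entity["name"] in refs or "all" in attrs:
        return True
    if not attrs:
        return False
    if semantic == ANY:
        return bool(attrs & entity["attrs"])   # shares at least one attribute
    return attrs <= entity["attrs"]            # carries every listed attribute

def covered_pairs(policy, identities, services):
    """(identity, service) name pairs a policy would cover, for review."""
    sem = policy["semantic"]
    ids = [i["name"] for i in identities
           if selects(policy["identity_roles"], sem, i)]
    svcs = [s["name"] for s in services
            if selects(policy["service_roles"], sem, s)]
    return [(i, s) for i in ids for s in svcs]

# Constructed sample entities (not taken from a real network).
IDENTITIES = [
    {"id": "i1", "name": "jsmith-desktop", "attrs": {"sales"}},
    {"id": "i2", "name": "adoe-laptop", "attrs": {"sales", "managers"}},
    {"id": "i3", "name": "build-agent", "attrs": {"ci"}},
]
SERVICES = [
    {"id": "s1", "name": "ssh", "attrs": {"ops"}},
    {"id": "s2", "name": "crm", "attrs": {"sales"}},
]

if __name__ == "__main__":
    for sem in (ANY, ALL):
        policy = {"identity_roles": ["#sales", "#managers"],
                  "service_roles": ["@ssh"], "semantic": sem}
        print(sem, "->", covered_pairs(policy, IDENTITIES, SERVICES))
```

Comparing the output for the two semantics, and against a policy that uses `#all` on both sides, shows how much wider "Has Any Role" and `#all` make the set of covered pairs.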