Author policies

Policy templates

20 starter policies across 12 providers. Pick one, tweak, attach. Most agents never need raw Cedar.

Templates are the recommended starting point. Every template is real, reviewed Cedar — you can edit it directly or use the visual builder.

Pick one

  1. Open Policies

    Policies → New policy → From template.

  2. Filter by provider + risk

    The picker groups templates by provider + a risk badge:

    • 🟢 read-only — never writes, never deletes
    • 🟡 safe-default — writes allowed, deletes gated by step-up
    • 🔴 broad — pre-reviewed but everything is on; for ops bots
    Risk badges are advisory. The actual gate is whatever Cedar says.
  3. Save + assign

    Save the policy. Then on the App detail page, set Default policy to it.

Template catalog (high-level)

| Provider | Templates |
|---|---|
| GitHub | read-only, safe-default, org-pinned, repo-pinned |
| Slack | read-only, safe-default, channel-pinned |
| Google (Drive / Gmail / Cal / Docs / Sheets / Tasks / Contacts) | per sub-service read-only + safe-default |
| Notion | read-only, write-page-content |
| Linear | read-only, safe-default, team-pinned |
| Stripe Connect | read-only, safe-default, billing-bot |
| Discord | read-only, notification-bot |
| Filesystem | read-only, subdir-read, write-subdir, extension-filter, delete-step-up, developer-sandbox |
| SSH | host-pinned-read, sftp-upload, host-subdir-full, exec-step-up, delete-step-up, read-write-no-exec |
| Azure | read-only, storage-read, vm-operator |
| AWS | s3-read, dynamodb-read, ec2-operator |
| GCP | storage-read, firestore-read, compute-operator |

Every template's Cedar is in the dashboard editor — open, edit, save.

After picking a template

You can:

  • Use as-is — best for read-only flows.
  • Open in visual builder → tighten one condition (e.g. only this repo) → Visual builder guide.
  • Open in Cedar editor → write conditions the visual builder doesn't support → Cedar syntax guide.

Templates evolve with the platform.

When a new command is added to a provider (e.g. GitHub releases a new API), Nomos ships a next-template-version notification in the dashboard. You decide whether to adopt — your assigned policies don't change silently.