ZPL Examples

Readable, attribute-driven policy patterns

These examples show how ZPL expresses common network policies in clear, auditable language.

A simple permission written in readable form

This shows how certain employees are allowed to access specific databases using attribute tags and single-valued attributes.

# Sales employees on managed laptops may access customer databases.
Allow department:sales employees on managed laptops to access customer databases.

Denials act as guardrails

Use the Never keyword to assert communication that should not occur.

# Interns are never allowed to access classified services.
Never allow role:intern users to access classified services.
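As an added illustration (not part of this page or of the reference compiler), the following toy Python matcher parses the two sentence shapes above and evaluates a request against them. It assumes that key:value tokens are single-valued attributes, that bare words such as managed or classified are tags, that a plural class noun is the class name with its trailing s dropped, and that a matching Never always overrides an Allow.

```python
import re
from dataclasses import dataclass, field

# Sentence shape assumed here: "<Allow|Never allow> SUBJECT [on ENDPOINT] to access OBJECT."
RULE = re.compile(r"^(Allow|Never allow) (.+?)(?: on (.+?))? to access (.+?)\.$")

@dataclass
class Entity:
    classes: set                            # e.g. {"employee", "user"}; an employee is a user
    tags: set = field(default_factory=set)  # bare words such as "managed" or "classified"
    attrs: dict = field(default_factory=dict)  # single-valued key:value attributes

    def matches(self, want):
        cls, tags, attrs = want
        return (cls in self.classes and tags <= self.tags
                and all(self.attrs.get(k) == v for k, v in attrs.items()))

def parse_phrase(phrase):
    """'department:sales employees' -> ('employee', set(), {'department': 'sales'})."""
    *quals, noun = phrase.split()
    cls = noun[:-1] if noun.endswith("s") else noun  # crude plural-synonym handling (assumed)
    attrs = dict(q.split(":", 1) for q in quals if ":" in q)
    return cls, {q for q in quals if ":" not in q}, attrs

def parse_policy(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):          # '#' lines are comments
            verb, subj, ep, obj = RULE.match(line).groups()
            rules.append((verb == "Allow", parse_phrase(subj),
                          parse_phrase(ep) if ep else None, parse_phrase(obj)))
    return rules

def decide(rules, user, endpoint, service):
    """Any matching Never wins over every Allow; with no matching rule, deny (assumed default)."""
    allowed = False
    for is_allow, subj, ep, obj in rules:
        if user.matches(subj) and service.matches(obj) and (ep is None or endpoint.matches(ep)):
            if not is_allow:
                return False
            allowed = True
    return allowed

# Constructed sample policy: the two sentences from this page.
POLICY = """# Sales employees on managed laptops may access customer databases.
Allow department:sales employees on managed laptops to access customer databases.
Never allow role:intern users to access classified services.
"""
```

With this policy, a sales intern on a managed laptop reaches a customer database but not a classified one, because the Never rule fires regardless of the Allow that also matches.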

Reusable classes

Classes make policy readable and reusable. Class names have standard plural synonyms, and attributes can be required or optional.

# Define employees with required and optional attributes.
Define employee as a user with an ID-number, roles and optional tags full-time, part-time, intern.
# Use the class in policy.
Allow employees on managed laptops to access HR-services.

Multi-valued attributes and set membership

ZPL can match on multi-valued attributes in a natural way.

(Currently unsupported in the reference compiler)

# Engineers who are also admins on managed endpoints may reach the build system.
Allow roles:{engineer, admin} users on managed endpoints to access build-services.

Circumstantial constraints

Policies can be conditioned on circumstances like time or data volume. Circumstances are evaluated at runtime and can bound when or how much communication is allowed.

(Currently unsupported in the reference compiler)

# Nightly backups only after 18:00 GMT.
Never allow backup:nightly servers to access backup-services before 18:00 GMT.
# Limit data egress per day from a service.
Allow analytics-services to access internet-gateway, limited to 10Gb/day.

Signals for auditing

Attach signals to permissions or denials to produce audit events. The message includes the identities involved and the literal string you provide.

# Log top secret access events.
Allow classification:top-secret users to access classification:top-secret services, and signal "accessing" to Access-logger.

Namespaces, quoting, and comments

ZPL supports qualified names, both quote styles, and inline comments.

// Access to a specific service instance in the sales namespace.
Allow sales.Timesheet users on device-type:'laptop' endpoints to access sales.Timesheet-database.
# Demonstrate quoted strings and backslash escaping.
Allow role:"O\"Malley" users to access 'name with spaces' services.