Identity ACL

The following recursive protos allow for arbitrary nesting of logical operators when constructing an EnclaveIdentityExpectation-based ACL. Such ACLs can be evaluated against a set of identities belonging to an enclave to make authorization decisions.

An ACL is represented by a top-level IdentityAclPredicate. A predicate can either be a singular EnclaveIdentityExpectation, or a nested IdentityAclGroup, which contains a list of predicates as well as a logical operator (OR, AND, or NOT):

  • An OR-group is satisfied if any of the embedded predicates are satisfied.
  • An AND-group is satisfied if all of the embedded predicates are satisfied.
  • A NOT-group is required to have only a single embedded predicate and is satisfied if the embedded predicate is not satisfied.

An EnclaveIdentityExpectation predicate is satisfied if it is matched by any of a given set of enclave identities.


Represents either a group of predicates or a single expectation.

Field Type Description Required
acl_group IdentityAclGroup (oneof) No
expectation EnclaveIdentityExpectation (oneof) No


Represents a group of ACL predicates.

Field Type Description Required
predicates IdentityAclPredicate[]

The predicates that make up this group. Must be non-empty.

type GroupType

The type of this ACL group.



Possible logical operators to use when evaluating the results of matching |predicates| against a set of identities.

Name Description

Evaluates to true iff any predicates match.


Evaluates to true iff all predicates match.


Evaluates to true iff no predicates match. |predicates| must have exactly one element.