Warrant Query Language
The Warrant Query Language (WQL) is a declarative, SQL-like language used to query Warrant for a set of resources (e.g. documents, users, permissions, etc.) matching one or more access rule requirements. Some useful queries the language can express are:
- List all documents user:A is a viewer on.
- List all users who are editors of document:finance-report.
- List all resources user:malicious has access to.
- List all users who have the permission view-financial-reporting.
- and many more...
Syntax and Format
A query is composed of a select clause and (optionally) either a for clause or a where clause (depending on the select clause):
select permission
where user:tony-stark is member
Select Clause
The select clause specifies whether a query should return objects or subjects.
Selecting Objects
To select objects, a select clause should be in the following format:
select <objectTypes>
Where <objectTypes> is a comma separated list of one or more object types that resulting objects must match. To select objects matching any object type, pass a wildcard (*) for <objectTypes>.
Selecting Subjects
To select subjects, a select clause should be in the following format:
select <relations> of type <subjectTypes>
Where <relations> is a comma separated list of one or more relations that resulting subjects must possess either explicitly or implicitly (more on this below), and <subjectTypes> is a comma separated list of one or more object types that all resulting subjects must match. To match any relation or any subject type, pass a wildcard (*) for the <relations> or <subjectTypes> properties respectively.
Where Clause
When selecting objects (e.g. select tenant), use a where clause to specify a <subject> (in the format <subjectType>:<subjectId>) and a comma separated list of one or more <relations> the <subject> must have on all of the resulting objects. To select objects on which <subject> has any relation, pass a wildcard (*) for <relations>.
select <objectTypes>
where <subject> is <relations>
For Clause
When selecting subjects (e.g. select member of type user), use a for clause to specify an <object> (in the format <objectType>:<objectId>) on which all resulting subjects must have one or more of the <relations> specified in the select clause.
select <relations> of type <subjectTypes>
for <object>
Implicit vs. Explicit Results
A query can optionally include the explicit keyword immediately following the select keyword to indicate that the query should only return results explicitly matching any <relations> filters. Explicit results are results for which a warrant matching the <relations> filters in the query explicitly exists in Warrant. Implicit results are results which may implicitly match the query's <relations> filters through a combination of other warrants and inherited relations specified by an object type. Without the explicit keyword specified, a query will return both explicit and implicit results.
select explicit viewer of type user for document:doc1
select viewer of type user for document:doc1
Examples
select document where user:1 is viewer
select explicit document where user:1 is viewer
select document where user:1 is *
select * where user:1 is *
select viewer of type user for document:doc1
select explicit viewer of type user for document:doc1
select * of type user for document:doc1
select * of type * for document:doc1
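The clause formats under Syntax and Format can be checked on the client before a query string is sent, which is useful when queries are assembled from application input. The parser below is an added example, not Warrant's own code; the regexes, the allowed identifier characters, the function name parse_wql and the returned dict layout are assumptions of this example.

```python
import re

# Grammar follows the clause formats on this page. Identifier characters
# (letters, digits, "_", "-") are an assumption of this example.
_LIST = r"(?:\*|[\w-]+(?:\s*,\s*[\w-]+)*)"   # wildcard or comma separated list
_REF = r"[\w-]+:[^\s,]+"                     # <type>:<id>
_SUBJECTS = re.compile(
    rf"select\s+(?P<explicit>explicit\s+)?(?P<relations>{_LIST})\s+of\s+type\s+"
    rf"(?P<types>{_LIST})(?:\s+for\s+(?P<object>{_REF}))?")
_OBJECTS = re.compile(
    rf"select\s+(?P<explicit>explicit\s+)?(?P<types>{_LIST})"
    rf"(?:\s+where\s+(?P<subject>{_REF})\s+is\s+(?P<relations>{_LIST}))?")


def _split(items):
    return [item.strip() for item in items.split(",")]


def parse_wql(query):
    """Return a dict describing the query, or raise ValueError if malformed.

    A subject selection may only carry a for clause and an object selection
    may only carry a where clause; both clauses are optional.
    """
    q = query.strip()
    m = _SUBJECTS.fullmatch(q)
    if m:
        return {"select": "subjects", "explicit": bool(m["explicit"]),
                "relations": _split(m["relations"]),
                "subject_types": _split(m["types"]), "object": m["object"]}
    m = _OBJECTS.fullmatch(q)
    if m:
        rel = m["relations"]
        return {"select": "objects", "explicit": bool(m["explicit"]),
                "object_types": _split(m["types"]), "subject": m["subject"],
                "relations": _split(rel) if rel else None}
    raise ValueError(f"not a valid WQL query: {query!r}")


if __name__ == "__main__":
    # The first two queries are from this page; the last is a constructed
    # malformed input (a for clause on an object selection).
    for q in ("select explicit viewer of type user for document:doc1",
              "select * where user:1 is *",
              "select document for document:doc1"):
        try:
            print(parse_wql(q))
        except ValueError as err:
            print("rejected:", err)
```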