RFC: Policy.yaml backend module

Hey everybody,

here is a little RFC for a Policy.yaml backend module.
Your comments and ideas are very welcome!

Kind regards,

Current State

Currently it is hard to find out what you can do with the Policy.yaml. You have to know what you can use as a matcher and so on.


What we plan to do is to create a new little backend module to generate a Policy.yaml. This backend module should be a part of a new Flowpack package (e.g. Flowpack.Neos.Security).
With the module, it should be possible to build the Policy.yaml with a form.

Here is a screenshot of how it could look:

We have already begun to implement the package:


Really cool idea, maybe @bwaidelich or @andi can help to shape the idea to a nice UI.

Based on our focus on UX, I think we need to make it simple; maybe a string like “isType({0})” can be replaced by a small phrase like “Is of Type”, …


Really cool idea, indeed. There are some things that came to my mind:

  • Obviously we need a nice way to write that back to the Policy.yaml. However, you never can do this in production, this has to be a development-only tool/module
  • It would be really cool to select the values based on some nice editors. E.g. select the node type from the available node types in the system
  • We have to check the logical operators in the matcher expressions. I fear not everything you can model with the example above is really supported by the matcher. But that’s a general issue we have to look into, to find out which combinations make sense and which shouldn’t be possible

Regarding the UI I’m probably not the right person to make that nicer. However, I’m definitely in to give feedback and help with conceptual questions.

Again, thank you so much for pushing this!


It’s fine for a first version to have to copy paste the generated Policy.yaml

Maybe we can check with @dimaip if we can have access to the ember stuff he’s doing for the NodeType “Wizard”

I have the feeling that if we find a way to have a really natural speaking interface it will be awesome, let’s see what can be done, I’m not enough in the technical part to be sure if it’s possible or not.

Yeah sure, I just need a bit more effort to get it done, currently editor refactoring is very naive, I still need to refactor validators and other things: https://github.com/neos/neos-development-collection/commit/f7849fe04e5f6dc7c095b02d6f6627b233c12850

Hey guys,

I’m looking for an extension which configures the user rights. Maybe this would be suitable …

Is there any news about the status?

Best greetings

@steffenmatthes Thanks for bringing this up again, but this is not really related to backend modules, is it? IMO it’s better to open a new thread rather than hijacking a 2-year-old one :wink:

As to your question: Roles are an application concept. You should be able to assign roles at “runtime” (like via the Neos User Management) but it won’t be possible to change roles at runtime for a couple of reasons (security, caching for example).
What you are probably looking for is a concept we call user groups, so that you could specify s.th. like “User A has role NewsEditor in this part of the tree”.
Hopefully we’ll be able to tackle this with https://github.com/neos/flow-development-collection/issues/593 at some point, but it’s quite a complex topic.
In the meantime you can either solve it with multiple roles or a custom implementation of “user groups”.