---
layout: docs
page_title: Sentinel ACL Policies (Enterprise)
description: >-
  Sentinel allows you to include conditional logic in access control policies. Learn how Consul can use Sentinel policies to extend the ACL system's capabilities for controlling key-value (KV) write access.
---

# Sentinel for KV ACL Policy Enforcement

Consul 1.0 adds integration with [Sentinel](https://hashicorp.com/sentinel) for policy enforcement.
Sentinel policies extend the ACL system in Consul beyond the static "read", "write",
and "deny" policies to support full conditional logic and integration with external systems.

## Sentinel in Consul

Sentinel policies are applied during writes to the KV Store.

An optional `sentinel` field specifying code and enforcement level can be added to [ACL policy definitions](/docs/security/acl/acl-rules#sentinel-integration) for Consul KV. The following policy ensures that the value written during a KV update must end with "dc1".

```go
key "datacenter_name" {
  policy = "write"
  sentinel {
    code = <<EOF
      import "strings"
      main = rule { strings.has_suffix(value, "dc1") }
    EOF
  }
}
```

If the `enforcementlevel` property is not set, it defaults to "hard-mandatory".

## Imports

Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports/)
from Sentinel _except_ [`http`](https://docs.hashicorp.com/sentinel/imports/http).
All functions in these imports are available to be used in policies.

## Injected Variables

Consul passes some context as variables into Sentinel, which are available to use inside any policies you write.

#### Variables injected during KV store writes

| Variable Name | Type     | Description                 |
| ------------- | -------- | --------------------------- |
| `key`         | `string` | Key being written           |
| `value`       | `string` | Value being written         |
| `flags`       | `uint64` | [Flags](/api-docs/kv#flags) |

## Sentinel Examples

The following are two examples of ACL policies with Sentinel rules.

### Required Key Suffix

```go
key "dc1" {
  policy = "write"
  sentinel {
    code = <
```

### Restricted Update Time

```go
key "haproxy_version" {
  policy = "write"
  sentinel {
    code = <<EOF
      import "time"
      main = rule { time.now.hour > 8 and time.now.hour < 17 }
    EOF
  }
}
```
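
The following is an added example, not part of the Consul documentation, showing the injected `key` and `value` variables used together with the time restriction above. The `config/` prefix and the rule names are hypothetical, and the example assumes a `sentinel` block is accepted on a `key_prefix` rule the same way as on a `key` rule.

```hcl
# Hypothetical prefix; every write beneath it is evaluated by the Sentinel code.
key_prefix "config/" {
  policy = "write"
  sentinel {
    code = <<EOF
      import "strings"
      import "time"

      # Only keys ending in "/datacenter" are constrained; for any other key
      # the "when" predicate is false and the rule passes.
      datacenter_ok = rule when strings.has_suffix(key, "/datacenter") {
        strings.has_suffix(value, "dc1")
      }

      # Same window as the Restricted Update Time example: hours 9 through 16.
      change_window = rule { time.now.hour > 8 and time.now.hour < 17 }

      main = rule { datacenter_ok and change_window }
    EOF
    # Stated explicitly so the enforcement behaviour is visible in review;
    # this is also the default when the property is omitted.
    enforcementlevel = "hard-mandatory"
  }
}
```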