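model: |
  model
    schema 1.1

  type user

  # Each customer is modeled as an organization
  type organization
    relations
      define member: [user]
      define admin: [user]
      # Each organization can have multiple applications
      define application: [application]
      # Admins can manage members, regular members can only view them
      define can_remove_member: admin
      define can_invite_member: admin
      define can_view_member: admin or member
      # Admins can create applications and decide which components they can use
      define can_create_application: admin

  type application
    relations
      # Link back to the owning organization. Organization admins and members only
      # inherit access through this tuple: an application without it is reachable
      # only by directly assigned writers.
      define organization: [organization]
      # All admins can modify the application, regular members can't unless they
      # are explicitly assigned as writers
      define writer: [user] or admin from organization
      define reader: writer or member from organization
      # Permissions to view/delete/edit the application details
      # (`or writer` is redundant here because reader already includes writer;
      # kept for symmetry with component#can_view)
      define can_view: reader or writer
      define can_edit: writer
      define can_delete: writer
      # Permissions to manage the application's credentials
      define can_create_credentials: writer
      define can_delete_credentials: writer
      # Permission to choose which components the application can use
      define can_configure_component: writer

  # Components model different features that applications can access, for example
  # a payments or purchasing module.
  # It's likely that for a specific use case, you'd want to have types for each concrete
  # module, e.g. a 'purchasing' and 'payments' type with specific permissions
  type component
    relations
      # This relation implies the component can be used by the organization
      define organization: [organization]
      # Specific applications can read/write data related to the component.
      # The intersection with `application from organization` means a direct
      # reader/writer tuple is not enough on its own: the application must also be
      # registered under the organization that owns the component, so a grant
      # cannot reach across organization boundaries.
      define reader: [application] and application from organization
      define writer: [application] and application from organization
      define can_view: reader or writer
      define can_write: writer
      # Only admins of the owning organization can delete a component
      define can_delete: admin from organization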
tuples:
  # Organization membership: anne administers acme, marie is a plain member.
  - user: user:anne
    relation: admin
    object: organization:acme
  - user: user:marie
    relation: member
    object: organization:acme

  # Application ownership. application:1 is linked in both directions
  # (organization -> application and application -> organization). application:2
  # is only registered under the organization and has no `organization` tuple of
  # its own, so acme admins/members do not inherit writer/reader on it.
  - user: organization:acme
    relation: organization
    object: application:1
  - user: application:1
    relation: application
    object: organization:acme
  - user: application:2
    relation: application
    object: organization:acme

  # Components owned by acme.
  - user: organization:acme
    relation: organization
    object: component:payment
  - user: organization:acme
    relation: organization
    object: component:purchases

  # Component access grants. These only take effect because the applications are
  # also registered under acme (the model intersects reader/writer with
  # `application from organization`).
  - user: application:1
    relation: reader
    object: component:payment
  - user: application:2
    relation: writer
    object: component:payment
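tests:
  - name: Test permissions for users and applications
    check:
      # anne is an acme admin, so she is a writer (and therefore reader) of application:1
      - user: user:anne
        object: application:1
        assertions:
          can_edit: true
          can_delete: true
          can_view: true
      # marie is only a member: read access, no write access
      - user: user:marie
        object: application:1
        assertions:
          can_edit: false
          can_view: true
          can_delete: false
      # application:1 is only a reader of component:payment
      - user: application:1
        object: component:payment
        assertions:
          can_view: true
          can_write: false
      # application:2 is a writer of component:payment
      - user: application:2
        object: component:payment
        assertions:
          can_view: true
          can_write: true
      # Isolation check: application:1 holds no tuple on component:purchases, so it
      # must not reach it even though both belong to acme
      - user: application:1
        object: component:purchases
        assertions:
          can_view: false
          can_write: false
      # Only admins of the owning organization may delete a component
      - user: user:anne
        object: component:payment
        assertions:
          can_delete: true
      - user: user:marie
        object: component:payment
        assertions:
          can_delete: false
  - name: Test the applications anne can view
    # application:2 has no `organization` tuple, so anne inherits nothing on it
    list_objects:
      - user: user:anne
        type: application
        assertions:
          can_view:
            - application:1
  - name: Test who can view application:1
    list_users:
      - object: application:1
        user_filter:
          - type: user
        assertions:
          can_view:
            users:
              - user:anne
              - user:marie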