45 lines
1.0 KiB
HTML
45 lines
1.0 KiB
HTML
<h2>Full example</h2>
|
|
<pre><code># Role-based Access Control (RBAC)
|
|
|
|
# By default, deny requests.
|
|
default allow = false
|
|
|
|
# Allow admins to do anything.
|
|
allow {
|
|
user_is_admin
|
|
}
|
|
|
|
# Allow the action if the user is granted permission to perform the action.
|
|
allow {
|
|
# Find grants for the user.
|
|
some grant
|
|
user_is_granted[grant]
|
|
|
|
# Check if the grant permits the action.
|
|
input.action == grant.action
|
|
input.type == grant.type
|
|
}
|
|
|
|
# user_is_admin is true if...
|
|
user_is_admin {
|
|
|
|
# for some `i`...
|
|
some i
|
|
|
|
# "admin" is the `i`-th element in the user->role mappings for the identified user.
|
|
data.user_roles[input.user][i] == "admin"
|
|
}
|
|
|
|
# user_is_granted is a set of grants for the user identified in the request.
|
|
# The `grant` will be contained if the set `user_is_granted` for every...
|
|
user_is_granted[grant] {
|
|
some i, j
|
|
|
|
# `role` assigned an element of the user_roles for this user...
|
|
role := data.user_roles[input.user][i]
|
|
|
|
# `grant` assigned a single grant from the grants list for 'role'...
|
|
grant := data.role_grants[role][j]
|
|
}
|
|
</code></pre>
|