policyString
// Attribute vocabulary for the policy below (an attribute-based policy DSL; the syntax
// appears to be STAPL — confirm). Subject/resource/action attributes are declared here
// with their types before any Policy refers to them.
subject.organization_id = SimpleAttribute(String)
subject.department = SimpleAttribute(String)
// Multi-valued: the organisations a subject is assigned to; tested with `in` in the active policy.
subject.assigned_organizations = ListAttribute(String)
resource.organization = SimpleAttribute(String)
resource.creator = SimpleAttribute(String)
resource.origin = SimpleAttribute(String)
resource.type = SimpleAttribute(String)
resource.destination_organization = SimpleAttribute(String)
action.id = SimpleAttribute(String)
// NOTE(review): subject.id is referenced by the rules but is not declared in this file;
// presumably predefined by the policy library — confirm.
// Earlier drafts of the policy, kept commented out (not evaluated). They express
// ownership as `resource.creator === subject.id` and carry origin/destination checks
// that the active policy does not.
/*//Policy("Simple policy with ownership rule, origin and destination restriction") := when (action.id === "view") apply FirstApplicable to (
// Rule("Ownership rule") := permit iff (resource.creator === subject.id),
// Rule("Origin") := deny iff ((subject.organization_id === resource.destination_organization) & !(resource.origin in subject.assigned_organizations)),
// Rule("Organization restriction") := permit iff ((resource.origin === subject.organization_id) & ("Accounting" === subject.department)),
// Rule("Default deny") := deny
)*/
/*
Policy("Simple Policy") := when (action.id === "view") apply FirstApplicable to (
Rule("Ownership rule") := permit iff (resource.creator === subject.id),
Rule("Origin") := deny iff (!(subject.organization_id === resource.destination_organization)),
//Rule("Organization restriction") := permit iff ("Accounting" === subject.department),
//Rule("permit") := permit
Rule("Default deny") := deny
)
*/
// Active policy. It applies only when action.id is "view"; the two rules are combined
// with FirstApplicable, so "Edocs Rule" decides whenever its condition holds and the
// unconditional "deny" is reached only when it does not.
// "Edocs Rule" permits when resource.organization is one of subject.assigned_organizations,
// OR when subject.id orders after resource.creator. `gt` is an ordering comparison, not an
// equality check: unlike the `resource.creator === subject.id` ownership rule in the drafts
// above, it grants view access to every subject whose id sorts above the creator's.
// NOTE(review): confirm this is deliberate (e.g. an input meant to exercise the `gt`
// operator) rather than a stand-in for the ownership check.
Policy("assigned organisations") := when (action.id === "view") apply FirstApplicable to (
Rule("Edocs Rule") := permit iff ((resource.organization in subject.assigned_organizations) | (subject.id gt resource.creator)),
Rule("deny") := deny
)