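# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies
#
# Resource policy for `workspace_user` (membership management).
# Every rule carries the same tenancy check: the resource's workspaceId must be
# one of the workspace ids attached to the calling principal, so a role never
# grants access across workspaces.
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: workspace_user
  version: default
  rules:
    # Admins can invite new members, remove members and update member roles,
    # but only within a workspace they belong to. The three admin actions share
    # one rule because effect, roles and condition are identical.
    - actions:
        - invite
        - remove
        - update_role
      effect: EFFECT_ALLOW
      roles:
        - admin
      condition:
        match:
          # Custom principal/resource attributes are exposed under `.attr` in
          # Cerbos (there is no top-level `principal.workspaceIds` field), and
          # list membership is the CEL `in` operator rather than `.includes()`.
          # NOTE(review): assumes the PDP client sends principal.attr.workspaceIds
          # as a list and resource.attr.workspaceId as a scalar — confirm.
          expr: request.resource.attr.workspaceId in request.principal.attr.workspaceIds

    # Admins and users can list/read members of their own workspace.
    - actions:
        - list
        - read
      effect: EFFECT_ALLOW
      roles:
        - admin
        - user
      condition:
        match:
          # Same tenancy check as the admin rule above.
          expr: request.resource.attr.workspaceId in request.principal.attr.workspaceIds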