-
Notifications
You must be signed in to change notification settings - Fork 35
/
minder.fga
98 lines (80 loc) · 3.37 KB
/
minder.fga
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
#
# Copyright 2023 Stacklok, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License")
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# N.B. The OpenFGA language parser is a bit finicky, and does not like
# un-terminated apostrophes, and only allows comments at the beginning
# of blocks. I am sure these will be fixed over time.
#
# See https://github.com/openfga/language/issues/24 for some details.
model
schema 1.1
type user
type group
relations
define member: [user, group#member] or admin
define admin: [user, group#member]
# We use per-resource-type permissions off of "project" because
# we do not allow granting permissions on individual resources, only
# on projects. This allows us to minimize the amount of state we
# need to keep consistent between OpenFGA and the main database.
type project
relations
define parent: [project]
# Defines the `admin` role for this project.
define admin: [user, group#member] or admin from parent
# Defines the `editor` role for this project.
define editor: [user, group#member] or admin or editor from parent
# Defines a `viewer` or `read-only` role for this project.
define viewer: [user, group#member] or editor or viewer from parent
# Defines a role that's only allowed to write rule types and profiles (create, update, delete)
define policy_writer: [user, group#member] or policy_writer from parent
# Defines a role that's only allowed to manage roles.
define permissions_manager: [user, group#member] or permissions_manager from parent
define get: viewer
define create: admin
define update: admin
define delete: admin
define role_list: admin or permissions_manager
define role_assignment_list: admin or permissions_manager
define role_assignment_create: admin or permissions_manager
define role_assignment_update: admin or permissions_manager
define role_assignment_remove: admin or permissions_manager
define repo_get: viewer
define repo_create: editor
define repo_update: editor
define repo_delete: editor
define remote_repo_get: editor
define entity_reconcile: editor
define artifact_get: viewer
define artifact_create: editor
define artifact_update: editor
define artifact_delete: editor
define pr_get: viewer
define pr_create: editor
define pr_update: editor
define pr_delete: editor
define provider_get: viewer
define provider_create: admin
define provider_update: admin
define provider_delete: admin
define rule_type_get: viewer
define rule_type_create: editor or policy_writer
define rule_type_update: editor or policy_writer
define rule_type_delete: editor or policy_writer
define profile_get: viewer
define profile_create: editor or policy_writer
define profile_update: editor or policy_writer
define profile_delete: editor or policy_writer
define profile_status_get: viewer
define entity_reconciliation_task_create: editor