package spacelift
# This import is required for Rego v0 compatibility and can be removed if you are only using Rego v1.
import rego.v1
# NOTE: This feature is not available when using single sign-on. With SSO,
# your identity provider must be able to successfully validate each user
# trying to log in to Spacelift.
# Sometimes you have folks (short-term consultants, most likely) who are
# not members of your organization but need access to your Spacelift account -
# either as regular members or perhaps even as admins. There's also the situation
# where a bunch of friends is working on a hobby project in a personal GitHub account
# and they could use access to Spacelift. Here's an example of a policy that allows
# a bunch of allow-listed folks to get regular access and one to get admin privileges:
# Logins that the `admin` rule grants admin privileges to.
admins := {
	"alice",
}

# Logins that the `allow` rule grants regular access to.
allowed := {
	"bob",
	"charlie",
	"danny",
}

# Login name of the session being evaluated, taken from the policy input.
# NOTE(review): membership in the sets above is an exact, case-sensitive string
# match, and the policy keys on a login name rather than an immutable account
# identifier. Confirm how the login is cased in the input and whether a renamed
# or re-registered account could present a listed name.
login := input.session.login
# Grant admin privileges when the session login is a member of `admins`.
# Keep that set as small as possible: every entry is a full account admin.
admin if login in admins
# Grant regular (non-admin) access when the session login is a member of
# `allowed`. Logins in `admins` are handled by the separate `admin` rule.
allow if login in allowed
# Explicitly reject any session whose login is on neither list. The rule also
# holds when the login is absent from the input: both membership checks are
# then undefined, so both negations succeed and the policy fails closed.
deny if {
	not login in allowed
	not login in admins
}
# Learn more about sampling policy evaluations here:
# https://docs.spacelift.io/concepts/policy#sampling-policy-inputs
# The constant `true` requests sampling for every evaluation of this policy.
# NOTE(review): sampled inputs presumably include the session data this policy
# reads (e.g. the login) - confirm who can view samples in your account.
sample := true