package spacelift
# `import rego.v1` enables the `if` / `contains` keywords when this policy is evaluated by a Rego v0 engine; under Rego v1 (OPA 1.0+) it is a no-op and can be removed.
import rego.v1
# Team roles.
#
# Each set lists the identity-provider team names (exactly as they appear in
# input.session.teams; matching is case-sensitive) that map to one access tier.
# A team name that appears in none of these sets grants nothing. Keep the three
# sets disjoint so that a team unambiguously denotes a single tier.
admins := {
	"team1",
	"team2",
	"team3",
}

writers := {
	"team4",
	"team5",
	"team6",
}

readers := {
	"team7",
	"team8",
	"team9",
}
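# Space access rules.
#
# Each rule below grants the named level of access on EVERY space in
# input.spaces (including the root space, if it is listed there) to a session
# whose team list intersects the corresponding role set. There is no per-space
# filtering: membership in a role team is an all-or-nothing grant.
#
# Tiering is resolved per user, not per team: the helper rules check whether
# ANY of the session's teams is in a role set, and the lower tiers are
# suppressed when the user also qualifies for a higher one (admin > writer >
# reader). The previous per-team `not admins[login]` checks only excluded the
# team currently being iterated, so a user in both team1 and team4 was handed
# both space_admin and space_write; now such a user gets space_admin only.
#
# Matching is exact and case-sensitive on the team name as Spacelift supplies
# it in input.session.teams. A session with no matching team gets no access
# from this file (fail-closed: every rule is undefined / empty).
#
# NOTE(review): this file defines no `allow` rule; whether the user may log in
# at all is decided elsewhere — confirm against the other attached policies.

# True when at least one of the session's teams is an admin team.
user_is_admin if {
	some login in input.session.teams
	admins[login]
}

# True when at least one of the session's teams is a writer team.
user_is_writer if {
	some login in input.session.teams
	writers[login]
}

# True when at least one of the session's teams is a reader team.
user_is_reader if {
	some login in input.session.teams
	readers[login]
}

# Admin access - highest priority: every space for admin-team members.
space_admin contains space.id if {
	user_is_admin
	some space in input.spaces
}

# Writer access - second priority: only when the user holds no admin team.
space_write contains space.id if {
	user_is_writer
	not user_is_admin
	some space in input.spaces
}

# Reader access - third priority: only when the user holds neither an admin
# nor a writer team.
space_read contains space.id if {
	user_is_reader
	not user_is_admin
	not user_is_writer
	some space in input.spaces
}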