diff --git a/opa/ad/delete.rego b/opa/ad/delete.rego
new file mode 100644
index 0000000..27a0e1a
--- /dev/null
+++ b/opa/ad/delete.rego
@@ -0,0 +1,11 @@
+package AD.DELETE
+
+default allow := false
+
+allow {
+ input.userUuid == input.owner
+}
+
+allow {
+ input.role == "admin"
+}
diff --git a/opa/ad/list.rego b/opa/ad/list.rego
new file mode 100644
index 0000000..1718a69
--- /dev/null
+++ b/opa/ad/list.rego
@@ -0,0 +1,3 @@
+package AD.LIST
+
+default allow := true
diff --git a/opa/ad/read.rego b/opa/ad/read.rego
new file mode 100644
index 0000000..ed974fe
--- /dev/null
+++ b/opa/ad/read.rego
@@ -0,0 +1,11 @@
+package AD.READ
+
+default allow := false
+
+allow {
+ input.userUuid == input.owner
+}
+
+allow {
+ input.role == "admin"
+}
diff --git a/opa/ad/update.rego b/opa/ad/update.rego
new file mode 100644
index 0000000..94a0699
--- /dev/null
+++ b/opa/ad/update.rego
@@ -0,0 +1,11 @@
+package AD.UPDATE
+
+default allow := false
+
+allow {
+ input.userUuid == input.owner
+}
+
+allow {
+ input.role == "admin"
+}
diff --git a/opa/user/read.rego b/opa/user/read.rego
index 5650aae..843d31b 100644
--- a/opa/user/read.rego
+++ b/opa/user/read.rego
@@ -2,10 +2,10 @@ package USER.READ
 
 default allow := false
 
-allow := true {
+allow {
  input.uuid == input.owner
 }
 
-allow := true {
+allow {
  input.role == "admin"
 }
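Review bot: The ownership rule in AD.DELETE compares `input.userUuid == input.owner`, while the existing USER.READ policy in the same diff compares `input.uuid == input.owner`; the AD.READ and AD.UPDATE hunks use `userUuid` too. If the caller sends the field under one name only, the rule for the other name is undefined and falls to `default allow := false`, so this fails closed but silently denies every owner in that service — worth aligning the input field name across all five policies or documenting which is canonical. Separately, the comparison is true when both sides are the same empty string or the same sentinel, so if the caller can ever supply an unset owner and an unauthenticated `userUuid` with the same value (I cannot tell from here), adding `input.userUuid != ""` to the ownership rule makes the intent explicit. A short header comment such as `# Owner of the ad or an admin may delete it; any other input is denied by default.` would also help, since the three new ad policies are otherwise indistinguishable.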
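Review bot: AD.LIST is the only policy in this diff that allows unconditionally (`default allow := true`), with no `input` read at all, and nothing on the page says whether listing ads is meant to be public. Since a reader will otherwise assume the rule body was forgotten, record the decision in the file, e.g. `# Listing ads is intentionally public: no identity or role check applies.`; if list responses can carry owner-only fields, that is where a filter rule would belong instead.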
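Review bot: The admin rule in USER.READ (and the identical rule in the three new AD policies) tests `input.role == "admin"` against a single scalar; if the caller ever models roles as a list, this comparison is undefined and the rule never fires, which fails closed but would be an easy mistake to miss. Either state the expected shape in a comment, e.g. `# input.role is a single string; a list of roles is not matched here.`, or make the match shape-explicit with `input.role == "admin"` kept alongside a documented input contract. The `allow := true {` to `allow {` rewrite itself is behavior-preserving and needs no further change.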