package AD.UPDATE default allow := false allow { input.userUuid == input.owner } allow { input.role == "admin" }