auth/opa/ad/read.rego

package AD.READ

default allow := false

allow {
    input.owner == input.requester
}

allow {
    input.role == "admin"
}