-
Notifications
You must be signed in to change notification settings - Fork 81
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #88 from Cadasta/feature/permissioning-policies
First cut at permissions policies
- Loading branch information
Showing
6 changed files
with
104 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| { | ||
| "clause": [ | ||
| // In addition to the permissions provided by the default | ||
| // policy, data collectors are allowed to manage resources for a | ||
| // specified project within a specified organization. | ||
| { | ||
| "effect": "allow", | ||
| "action": ["project.resources.*"], | ||
| "object": ["project/$organization/$project"] | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,13 +1,31 @@ | ||
| { | ||
| "clause": [ | ||
| { | ||
| // Any user is allowed to list organizations and create new | ||
| // ones. | ||
| "effect": "allow", | ||
| "object": ["*"], | ||
| "action": ["org.list"] | ||
| }, { | ||
| "action": ["org.list", "org.create"] | ||
| }, | ||
| { | ||
| // Any user is allowed to view the details of an organization. | ||
| "effect": "allow", | ||
| "action": ["org.view"], | ||
| "object": ["organization/*"] | ||
| }, | ||
|
|
||
| { | ||
| // Any user is allowed to list the public projects in an | ||
| // organization. | ||
| "effect": "allow", | ||
| "action": ["project.list"], | ||
| "object": ["organization/*"] | ||
| }, | ||
| { | ||
| // Any user is allowed to view the details of public projects in | ||
| // an organization. | ||
| "effect": "allow", | ||
| "object": ["organization/*"], | ||
| "action": ["org.view"] | ||
| "action": ["project.view"], | ||
| "object": ["project/*/*"] | ||
| } | ||
| ] | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,13 +1,20 @@ | ||
| { | ||
| "clause": [ | ||
| // In addition to the permissions provided by the default | ||
| // policy, organization administrators are allowed to perform all | ||
| // organization management actions for a specified organization, | ||
| // and all project management actions for all projects within a | ||
| // specified organization. | ||
| { | ||
| "effect": "allow", | ||
| "object": ["*"], | ||
| "action": ["org.*"] | ||
| }, { | ||
| "action": ["org.*", "org.*.*", "project.*", "project.*.*"], | ||
| "object": ["organization/$organization"] | ||
| }, | ||
|
|
||
| { | ||
| "effect": "allow", | ||
| "object": ["organization/*"], | ||
| "action": ["org.*"] | ||
| "action": ["project.*", "project.*.*"], | ||
| "object": ["project/$organization/*"] | ||
| } | ||
| ] | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| { | ||
| "clause": [ | ||
| // In addition to the permissions provided by the default | ||
| // policy, project managers are allowed to perform all project | ||
| // management actions, except for project archiving and | ||
| // unarchiving, for a specified project within a specified | ||
| // organization. | ||
| { | ||
| "effect": "allow", | ||
| "action": ["project.*", "project.*.*"], | ||
| "object": ["project/$organization/$project"] | ||
| }, | ||
| { | ||
| "effect": "deny", | ||
| "action": ["project.archive", "project.unarchive"], | ||
| "object": ["project/$organization/$project"] | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| { | ||
| "clause": [ | ||
| // Currently, "ordinary" users associated with a project have no | ||
| // additional permissions over those given to all users. This may | ||
| // change in the future. In particular, project users may be | ||
| // permitted access to projects that are normally private. | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,9 +1,36 @@ | ||
| { | ||
| "clause": [ | ||
| // A superuser is permitted to perform all actions on all entities | ||
| // within the platform. | ||
| { | ||
| "effect": "allow", | ||
| "object": ["organization/*"], | ||
| "action": ["org.*"] | ||
| }, | ||
| { | ||
| "effect": "allow", | ||
| "action": ["org.*", "org.*.*"], | ||
| "object": ["organization/*"] | ||
| }, | ||
|
|
||
| { | ||
| "effect": "allow", | ||
| "action": ["project.*", "project.*.*"], | ||
| "object": ["organization/*"] | ||
| }, | ||
| { | ||
| "effect": "allow", | ||
| "action": ["project.*", "project.*.*"], | ||
| "object": ["project/*/*"] | ||
| }, | ||
|
|
||
| { | ||
| "effect": "allow", | ||
| "action": ["user.*"] | ||
| }, | ||
| { | ||
| "effect": "allow", | ||
| "action": ["user.*"], | ||
| "object": ["user/*"] | ||
| } | ||
| ] | ||
| } |