Admin UI authorization using Cedar Policy
// Template "ViewOIDCClient": permits the linked principal on the linked
// resource. The ?principal / ?resource slots are filled by the template links
// shown on this page (e.g. User::"John" and Feature::"oidc_client").
// NOTE(review): `action` below carries no constraint, so a link created from
// this template is not limited to viewing despite its id -- it permits every
// action the schema declares (Read, Write, Delete). Restricting it, e.g.
// `action == Action::"Read"` (assuming Read is the "view" action), is what
// makes a view-only link actually view-only.
@id("ViewOIDCClient")
permit(
principal == ?principal,
action,
resource == ?resource
)
when {
// NOTE(review): the schema on this page declares User.role as Set<Role> and
// Role.permission / Feature.permission as Set<String>. Cedar does not permit
// attribute access on a set, and Set.contains() takes a single element rather
// than a set, so this condition is expected to fail validation. Comparing the
// permission sets would need containsAny()/containsAll() on one Role's
// permission set; alternatively the parent hierarchy already present in the
// sample entities can be used directly (e.g. `principal in Role::"api-admin"`,
// or `principal in ?principal` linked to a Role instead of a single User).
principal.role.permission.contains(resource.permission)
};
// Template "EditOIDCClient": permits the linked principal on the linked
// resource. The ?principal / ?resource slots are filled by the template links
// shown on this page (User::"John" / Feature::"oidc_client").
// NOTE(review): apart from its id this template is identical to
// ViewOIDCClient -- `action` is unconstrained and the condition is the same --
// so linking both templates for the same principal and resource, as the links
// on this page do for John, grants nothing the other link does not. An
// action constraint such as `action == Action::"Write"` (assuming Write is the
// "edit" action; the schema also declares Read and Delete) is needed for an
// edit link to mean something different from a view link.
@id("EditOIDCClient")
permit(
principal == ?principal,
action,
resource == ?resource
)
when {
// NOTE(review): User.role is declared as Set<Role> and both `permission`
// attributes as Set<String>, so attribute access on the set and
// Set.contains(Set) are expected to fail validation; containsAny()/
// containsAll() on a single Role's permission set, or hierarchy membership
// (`principal in Role::"api-admin"`), expresses the intended check.
principal.role.permission.contains(resource.permission)
};
[
{
"template_id": "ViewOIDCClient",
"link_id": "ViewOIDCClientJohn",
"args": {
"?principal": "User::\"John\"",
"?resource": "Feature::\"oidc_client\""
}
},
{
"template_id": "EditOIDCClient",
"link_id": "EditOIDCClientJohn",
"args": {
"?principal": "User::\"John\"",
"?resource": "Feature::\"oidc_client\""
}
}
]
[
{
"uid": { "type": "User", "id": "John" },
"attrs": {
"role": [
{ "__entity": { "type": "Role", "id": "api-admin" } }
],
"username": "John"
},
"parents": [
{
"type": "Role",
"id": "api-admin"
}
]
},
{
"uid": { "type": "User", "id": "Ahmad"},
"attrs" : {
"role": [
{ "__entity": { "type": "Role", "id": "api-viewer" } }
],
"username": "ahmad"
},
"parents": [
{
"type": "Role",
"id": "api-viewer"
}
]
},
{
"uid": { "type": "Role", "id": "api-admin"},
"attrs" : {
"permission": [
"oidc_clients_view",
"oidc_clients_edit",
"oidc_clients_delete",
"scope_view",
"scope_edit",
"scope_delete"
],
"name": "api-admin"
},
"parents": []
},
{
"uid": { "type": "Role", "id": "api-viewer"},
"attrs" : {
"permission": [
"oidc_clients_view",
"scope_view"
],
"name": "api-viewer"
},
"parents": []
},
{
"uid": { "type": "Role", "id": "api-viewer"},
"attrs" : {
"permission": [
"oidc_clients_view",
"scope_view"
],
"name": "api-viewer"
},
"parents": []
},
{
"uid": { "type": "Feature", "id": "oidc_client"},
"attrs" : {
"permission": [
"oidc_clients_view",
"oidc_clients_edit",
"oidc_clients_delete"
]
},
"parents": []
},
{
"uid": { "type": "Feature", "id": "scope"},
"attrs" : {
"permission": [
"scope_view",
"scope_edit",
"scope_delete"
]
},
"parents": []
}
]
// Role entity: `permission` holds the permission strings the role grants
// (see the Role::"api-admin" and Role::"api-viewer" sample entities on this
// page); `name` mirrors the role id in the sample data.
// NOTE(review): the sample entity list on this page declares
// Role::"api-viewer" twice with identical contents; duplicate entity UIDs are
// expected to be rejected when the entities are loaded, so one copy should be
// removed.
entity Role {
name: String,
permission: Set<String>
};
// User entity. `in [Role]` makes Role a parent type, which is what the
// "parents" lists in the sample User entities rely on and what a
// `principal in Role::"..."` check evaluates against.
// NOTE(review): every attribute below is required. The sample User entities
// on this page supply only `role` and `username`, so schema-based entity
// parsing will reject them unless sub/email/phone_number are declared
// optional (`sub?: String`) or added to the data. `email_address` is not
// declared anywhere on this page; a common type such as
// `type email_address = String;` (or plain String) is needed unless it lives
// in a part of the schema not shown here.
entity User in [Role] {
sub: String,
username: String,
email: email_address,
phone_number: String,
role: Set<Role>,
};
// Feature entity: the resource type the template links on this page use
// (Feature::"oidc_client", Feature::"scope"). `permission` lists the
// permission strings that apply to the feature, as in the sample entities.
// NOTE(review): the actions declared below name `Application`, not Feature,
// as their resource type, so policies linked to Feature resources would not
// apply to any declared action. Either the actions' `resource` should be
// Feature or `Application` must be declared in a part of the schema not shown.
entity Feature= {
permission: Set<String>,
};
//actions
// Read action: may be requested by a User or Role principal on an
// Application resource with a Context record.
// NOTE(review): neither `Application` nor `Context` is declared on this page;
// both must exist for the schema to validate. Since the sample links target
// Feature resources, `resource: Feature` looks like the intent (assumption --
// confirm). The templates above do not constrain `action`, so a link made
// from them grants this action together with Write and Delete.
action Read appliesTo {
principal: [User, Role],
resource: Application,
context: Context,
};
// Write action: may be requested by a User or Role principal on an
// Application resource with a Context record.
// NOTE(review): `Application` and `Context` are not declared on this page;
// the sample links use Feature resources, so the resource type here is
// presumably meant to be Feature -- confirm.
action Write appliesTo {
principal: [User, Role],
resource: Application,
context: Context,
};
// Delete action: may be requested by a User or Role principal on an
// Application resource with a Context record.
// NOTE(review): `Application` and `Context` are not declared on this page;
// the sample links use Feature resources, so the resource type here is
// presumably meant to be Feature -- confirm. No template on this page
// restricts `action`, so a "view" link currently also permits Delete.
action Delete appliesTo {
principal: [User, Role],
resource: Application,
context: Context,
};