41 lines
1010 B
YAML
41 lines
1010 B
YAML
# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
|
|
# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies
|
|
|
|
apiVersion: api.cerbos.dev/v1
|
|
resourcePolicy:
|
|
resource: privateData
|
|
version: default
|
|
rules:
|
|
- actions:
|
|
- create
|
|
effect: EFFECT_ALLOW
|
|
roles:
|
|
- admin
|
|
- actions:
|
|
- read
|
|
effect: EFFECT_ALLOW
|
|
roles:
|
|
- admin
|
|
- user
|
|
- actions:
|
|
- update
|
|
effect: EFFECT_ALLOW
|
|
roles:
|
|
- admin
|
|
- actions:
|
|
- delete
|
|
effect: EFFECT_ALLOW
|
|
roles:
|
|
- admin
|
|
|
|
# This is an example of using conditions for attribute-based access control
|
|
# The action is only allowed if the principal ID matches the ownerId attribute
|
|
# - actions:
|
|
# - someAction
|
|
# effect: EFFECT_ALLOW
|
|
# roles:
|
|
# - admin
|
|
# condition:
|
|
# match:
|
|
# expr: request.resource.attr.ownerId == request.principal.id
|