public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f2f1663dba8a5f6884df19bebd2dbe61c831d8d5
grafana/pkg/services/authz/zanzana/schema/schema_subresource.fga
T
Alexander Zobnin 63a2ce7214 Zanzana: Support subresources for users and service accounts (#102874) 
* Zanzana: Support subresources for users and service accounts

* rename relationsFolder

* fix linter error
2025-03-26 16:07:01 +01:00

64 lines
6.0 KiB
Plaintext
Raw Blame History

module resource
extend type folder
relations
define resource_view: [user, service-account, team#member, role#assignee] or resource_edit or resource_view from parent
define resource_edit: [user, service-account, team#member, role#assignee] or resource_admin or resource_edit from parent
define resource_admin: [user, service-account, team#member, role#assignee] or resource_admin from parent
define resource_get: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_view or resource_get from parent
define resource_create: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_edit or resource_create from parent
define resource_update: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_edit or resource_update from parent
define resource_delete: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_edit or resource_delete from parent
define resource_get_permissions: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_admin or resource_get_permissions from parent
define resource_set_permissions: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_admin or resource_set_permissions from parent
extend type team
relations
define resource_view: [user, service-account, team#member, role#assignee] or resource_edit
define resource_edit: [user, service-account, team#member, role#assignee] or resource_admin
define resource_admin: [user, service-account, team#member, role#assignee]
define resource_get: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_view
define resource_create: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_edit
define resource_update: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_edit
define resource_delete: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_edit
extend type user
relations
define resource_view: [user, service-account, team#member, role#assignee] or resource_edit
define resource_edit: [user, service-account, team#member, role#assignee] or resource_admin
define resource_admin: [user, service-account, team#member, role#assignee]
define resource_get: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_view
define resource_create: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_edit
define resource_update: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_edit
define resource_delete: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_edit
extend type service-account
relations
define resource_view: [user, service-account, team#member, role#assignee] or resource_edit
define resource_edit: [user, service-account, team#member, role#assignee] or resource_admin
define resource_admin: [user, service-account, team#member, role#assignee]
define resource_get: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_view
define resource_create: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_edit
define resource_update: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_edit
define resource_delete: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_edit
extend type role
relations
define resource_view: [user, service-account, team#member, role#assignee] or resource_edit
define resource_edit: [user, service-account, team#member, role#assignee] or resource_admin
define resource_admin: [user, service-account, team#member, role#assignee]
define resource_get: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_view
define resource_create: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_edit
define resource_update: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_edit
define resource_delete: [user with subresource_filter, service-account with subresource_filter, team#member with subresource_filter, role#assignee with subresource_filter] or resource_edit
condition subresource_filter(subresource: string, subresources: list<string>) {
subresource in subresources
}
Reference in New Issue View Git Blame Copy Permalink