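name: Smart HR Assistant Authorization Tests
model_file: ./schema.fga

# Tuples that apply to every test case below (each test presumably adds
# its own `tuples` on top of these — confirm against the test runner).
tuples:
  # Company membership for the two users exercised in every test.
  - user: user:john_doe
    relation: member
    object: company:myCompany
  - user: user:random_user
    relation: member
    object: company:myCompany
  # The company policy is a public document attached to the company.
  - user: company:myCompany
    relation: company
    object: public_document:company_policy
  # john_doe owns his own performance review.
  - user: user:john_doe
    relation: owner
    object: performance_review:john_doe

tests:
  - name: Employees Access Control
    description: As an Owner I get access to my Salary information, Performance Review and Public Information
    tuples:
      - user: user:john_doe
        relation: owner
        object: salary_information:john_doe
    check:
      - user: user:john_doe
        object: salary_information:john_doe
        assertions:
          can_read: true
      - user: user:john_doe
        object: performance_review:john_doe
        assertions:
          can_read: true
      - user: user:john_doe
        object: public_document:company_policy
        assertions:
          can_read: true
      # Negative case: a plain company member must not read another
      # employee's performance review.
      - user: user:random_user
        object: performance_review:john_doe
        assertions:
          can_read: false
      # NOTE(review): there is no negative check for a non-owner on
      # salary_information:john_doe; the other test cases each pair their
      # positive checks with a random_user denial, this one does not.

  - name: Team Access Control
    description: As a Team Member I get access to teams documents
    tuples:
      - user: user:john_doe
        relation: member
        object: team:architects
      - user: team:architects
        relation: team
        object: team_document:meeting_notes
      # A document belonging to a second team that john_doe is not a
      # member of; he must not be able to read it.
      - user: team:c-level
        relation: team
        object: team_document:c-level-layoff-list
    check:
      - user: user:john_doe
        object: team_document:meeting_notes
        assertions:
          can_read: true
      - user: user:john_doe
        object: team_document:c-level-layoff-list
        assertions:
          can_read: false
      # Company membership alone grants nothing on a team document.
      - user: user:random_user
        object: team_document:meeting_notes
        assertions:
          can_read: false

  - name: Managers Access Control
    description: As a Manager - I get access to performance review of my team members
    tuples:
      - user: user:john_doe
        relation: member
        object: team:architects
      # Links the team to the user object itself; presumably this is how
      # the model reaches a team member's review from the manager relation
      # — verify against schema.fga.
      - user: team:architects
        relation: team
        object: user:john_doe
      - user: user:big_boss
        relation: manager
        object: team:architects
    check:
      - user: user:john_doe
        object: performance_review:john_doe
        assertions:
          can_read: true
      - user: user:big_boss
        object: performance_review:john_doe
        assertions:
          can_read: true
      - user: user:random_user
        object: performance_review:john_doe
        assertions:
          can_read: false

  - name: HRs Access Control
    description: HR should have access to salary information and perf review. Admins should have access to everything
    tuples:
      # Scope the review to the company so company-level roles can reach it.
      - user: company:myCompany
        relation: company
        object: performance_review:john_doe
      - user: user:anetka
        relation: is_hr
        object: company:myCompany
      - user: user:it_guy
        relation: is_admin
        object: company:myCompany
      - user: user:john_doe
        relation: member
        object: team:architects
      - user: team:architects
        relation: team
        object: team_document:meeting_notes
      - user: company:myCompany
        relation: company
        object: team_document:meeting_notes
    check:
      - user: user:john_doe
        object: performance_review:john_doe
        assertions:
          can_read: true
      - user: user:anetka
        object: performance_review:john_doe
        assertions:
          can_read: true
      - user: user:it_guy
        object: performance_review:john_doe
        assertions:
          can_read: true
      - user: user:random_user
        object: performance_review:john_doe
        assertions:
          can_read: false
      # Admin reaches team documents; HR must not (least privilege:
      # the HR role is limited to salary and review data per the description).
      - user: user:it_guy
        object: team_document:meeting_notes
        assertions:
          can_read: true
      - user: user:anetka
        object: team_document:meeting_notes
        assertions:
          can_read: false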