Bradey Wood
11/13/2023, 5:11 PM
apiVersion: "api.cerbos.dev/v1"
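description: |-
  This policy defines who can access an app
resourcePolicy:
  version: "template"
  resource: "mua:app"
  rules:
    # The wildcard matches every role, so the condition below is the only
    # thing that gates the "access" action.
    - actions: ["access"]
      roles: ["*"]
      effect: EFFECT_ALLOW
      condition:
        match:
          # Allow only when the app's resource id is listed in the principal's
          # appsEnabled attribute. Principal attributes are whatever the calling
          # service puts in the check request; Cerbos does not verify them, so
          # appsEnabled must be populated server-side from a trusted source and
          # never copied from client-supplied input.
          # NOTE(review): a principal with no appsEnabled attribute makes this
          # expression fail to evaluate; confirm that this results in a deny.
          expr: R.id in P.attr.appsEnabled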
Test:
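---
name: access app
description: Tests for verifying who can access an app
principals:
  ioi_enabled:
    id: ioi_user
    roles: [user]
    attr:
      appsEnabled: ["ioi"]
  ecm_enabled:
    id: ecm_user
    roles: [user]
    attr:
      appsEnabled: ["ecm"]
  both_enabled:
    id: ioi_and_ecm_user
    roles: [user]
    attr:
      appsEnabled: ["ecm", "ioi"]
resources:
  # NOTE(review): no policyVersion is set on these fixtures, while the policy
  # under test declares version "template". Confirm the version the engine
  # resolves for these resources is the one the policy declares; if no policy
  # matches, every check is denied and the ALLOW expectations below fail.
  ioi:
    id: ioi
    kind: "mua:app"
  ecm:
    id: ecm
    kind: "mua:app"
tests:
  - name: app enabled users can access the relevant app
    input:
      principals:
        - ioi_enabled
      resources:
        - ioi
      actions:
        - access
    expected:
      - principal: ioi_enabled
        resource: ioi
        actions:
          access: EFFECT_ALLOW
  # Negative case: an authorization suite that asserts only ALLOW would still
  # pass if the condition were dropped or widened.
  - name: users cannot access an app that is not enabled for them
    input:
      principals:
        - ioi_enabled
      resources:
        - ecm
      actions:
        - access
    expected:
      - principal: ioi_enabled
        resource: ecm
        actions:
          access: EFFECT_DENY
  - name: users with several apps enabled can access each of them
    input:
      principals:
        - both_enabled
      resources:
        - ioi
        - ecm
      actions:
        - access
    expected:
      - principal: both_enabled
        resource: ioi
        actions:
          access: EFFECT_ALLOW
      - principal: both_enabled
        resource: ecm
        actions:
          access: EFFECT_ALLOW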