Diffstat (limited to 'compose/config/opa-pdp/policies/action/policy.rego')
-rw-r--r--compose/config/opa-pdp/policies/action/policy.rego21
1 files changed, 21 insertions, 0 deletions
diff --git a/compose/config/opa-pdp/policies/action/policy.rego b/compose/config/opa-pdp/policies/action/policy.rego
new file mode 100644
index 00000000..300fe501
--- /dev/null
+++ b/compose/config/opa-pdp/policies/action/policy.rego
@@ -0,0 +1,21 @@
+package action
+
+import rego.v1
+
+# By default, deny requests.
+default allow := false
+
+
+# Allow the action if admin role is granted permission to perform the action.
+allow if {
+ some i
+ data.action.user_roles[input.user][i] == role
+ some j
+ data.action.role_permissions[role].actions[j] == input.action
+ some k
+ data.action.role_permissions[role].resources[k] == input.type
+}
+# * Rego comparison to other systems: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/
+# * Rego Iteration: https://www.openpolicyagent.org/docs/latest/#iteration
+
+
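Review bot: `role` in the `allow` body is never declared with `some`, so it stays a local variable only while nothing else named `role` is visible in package `action`. A package-level rule or import of that name added later would change what this rule matches without any error. Declaring it explicitly, for example `some role` as the first line of the body, keeps it local. The comment above the rule says "admin role", but the body accepts any role listed for `input.user`, so something like `# Allow if any role granted to the user permits this action on this resource type.` would describe it accurately. `actions` and `resources` are matched independently, so a role permits every listed action on every listed resource; if that is intended, it is worth saying so in the comment.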