path: root/compose/config/opa-pdp/policies/action/policy.rego
blob: 300fe5012058f30acbb80365f2de9c649669feb6 (plain)
package action

import rego.v1

# Default-deny: allow evaluates to false whenever no allow rule body succeeds.
# That includes requests with missing input fields and users or roles that are
# absent from the data document, because those references are undefined.
default allow := false


# Grant the request when any role assigned to input.user lists both the
# requested action and the requested resource type. The check is not specific
# to an admin role.
#
# Data read by this rule:
#   data.action.user_roles[<user>]                 -> roles held by the user
#   data.action.role_permissions[<role>].actions   -> actions the role may perform
#   data.action.role_permissions[<role>].resources -> resource types the role covers
#
# NOTE(review): actions and resources are matched independently, so a role is
# granted every listed action on every listed resource type. Confirm that this
# granularity is intended before adding entries to role_permissions.
# NOTE(review): input.user is used as supplied in the query input. Presumably
# the enforcement point fills it from an authenticated identity; verify.
allow if {
    # Consider each role bound to the caller.
    some role in data.action.user_roles[input.user]
    grants := data.action.role_permissions[role]

    # The role must list the requested action ...
    input.action in grants.actions

    # ... and the requested resource type.
    input.type in grants.resources
}
# References:
#   * Rego comparison to other systems: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/
#   * Rego iteration: https://www.openpolicyagent.org/docs/latest/#iteration