---
# Namespace configuration for the basic "yourtenant" example.
#
# Each `namespace_configs` entry is a namespace definition carried as a
# literal block scalar, so the text inside the scalar is handed to the
# tenant verbatim; only the YAML outside the scalars is interpreted here.
namespace_configs:
  # Subject namespace: users carry no relations of their own.
  - |
    name: "yourtenant/user"
  # Resource namespace. The three computed permissions form a strict
  # hierarchy: read <- viewer|contributor|owner, write <- contributor|owner,
  # delete <- owner. The last three relations are the directly assignable ones.
  - |
    name: "yourtenant/document"
    relation {
      name: "read"
      userset_rewrite {
        union {
          child { computed_userset { relation: "viewer" } }
          child { computed_userset { relation: "contributor" } }
          child { computed_userset { relation: "owner" } }
        }
      }
    }
    relation {
      name: "write"
      userset_rewrite {
        union {
          child { computed_userset { relation: "contributor" } }
          child { computed_userset { relation: "owner" } }
        }
      }
    }
    relation {
      name: "delete"
      userset_rewrite {
        union {
          child { computed_userset { relation: "owner" } }
        }
      }
    }
    relation {
      name: "viewer"
    }
    relation {
      name: "contributor"
    }
    relation {
      name: "owner"
    }

# Relationship tuples written to the tenant so the configuration can be
# checked offline. Form: `resource#relation@subject`, where subjects are
# written as `yourtenant/user:<id>#...`. Quoted because the values contain
# `:`, `#` and `@`, which are all YAML-significant in other positions.
validation_tuples:
  - 'yourtenant/document:doc1#owner@yourtenant/user:theowner#...'
  - 'yourtenant/document:doc1#contributor@yourtenant/user:userwhocanedit#...'
  - 'yourtenant/document:doc1#viewer@yourtenant/user:viewonlyuser#...'

# Expected membership for each grantable permission on doc1. Validation
# fails when the computed set of subjects differs in any way from the list
# declared below, so an accidental widening (or narrowing) of a permission
# is caught before the configuration is deployed.
validation:
  yourtenant/document:doc1#read:
    - '[yourtenant/user:viewonlyuser#...] is <yourtenant/document:doc1#viewer>'
    - '[yourtenant/user:userwhocanedit#...] is <yourtenant/document:doc1#contributor>'
    - '[yourtenant/user:theowner#...] is <yourtenant/document:doc1#owner>'
  yourtenant/document:doc1#write:
    - '[yourtenant/user:userwhocanedit#...] is <yourtenant/document:doc1#contributor>'
    - '[yourtenant/user:theowner#...] is <yourtenant/document:doc1#owner>'
  yourtenant/document:doc1#delete:
    - '[yourtenant/user:theowner#...] is <yourtenant/document:doc1#owner>'