From b2a95020d035f503d6953152b7245ffc3e479f3d Mon Sep 17 00:00:00 2001 From: Gerald Baulig Date: Tue, 30 Jan 2024 15:18:20 +0100 Subject: [PATCH] feat(rules): multi resource rule set --- .../demo-shop/data/seed-data/addresses.yaml | 4 +- .../demo-shop/data/seed-data/customers.yaml | 6 +- .../data/seed-data/organizations.yaml | 52 +- datasets/demo-shop/data/seed-data/shops.yaml | 2 +- datasets/demo-shop/data/seed-data/users.yaml | 217 ++- datasets/system/data/seed-data/policies.yaml | 685 +------- .../system/data/seed-data/policy_sets.yaml | 46 +- datasets/system/data/seed-data/roles.yaml | 67 +- datasets/system/data/seed-data/rules.yaml | 1441 +++++------------ datasets/system/data/seed-data/users.yaml | 10 +- 10 files changed, 694 insertions(+), 1836 deletions(-) diff --git a/datasets/demo-shop/data/seed-data/addresses.yaml b/datasets/demo-shop/data/seed-data/addresses.yaml index 77f0bc1..145e0fe 100644 --- a/datasets/demo-shop/data/seed-data/addresses.yaml +++ b/datasets/demo-shop/data/seed-data/addresses.yaml @@ -86,7 +86,7 @@ modifiedBy: "" owners: - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization + value: urn:restorecommerce:acs:model:user.User attributes: - id: urn:restorecommerce:acs:names:ownerInstance - value: restorecommecre-demo-customer-002-organization \ No newline at end of file + value: restorecommerce-demo-customer-002-user-000 \ No newline at end of file diff --git a/datasets/demo-shop/data/seed-data/customers.yaml b/datasets/demo-shop/data/seed-data/customers.yaml index 31008e3..2c7dd7d 100644 --- a/datasets/demo-shop/data/seed-data/customers.yaml +++ b/datasets/demo-shop/data/seed-data/customers.yaml 
@@ -40,13 +40,13 @@ --- id: restorecommecre-demo-customer-unauthenticated private: - userId: unauthenticated_user + userId: restorecommerce-demo-unauthenticated-user contactPointIds: [] meta: modifiedBy: "" owners: - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:user.User + value: urn:restorecommerce:acs:model:organization.Organization attributes: - id: urn:restorecommerce:acs:names:ownerInstance - value: unauthenticated_user \ No newline at end of file + value: restorecommecre-demo-root-organization \ No newline at end of file diff --git a/datasets/demo-shop/data/seed-data/organizations.yaml b/datasets/demo-shop/data/seed-data/organizations.yaml index d4c2987..2b8ecab 100644 --- a/datasets/demo-shop/data/seed-data/organizations.yaml +++ b/datasets/demo-shop/data/seed-data/organizations.yaml 
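Review bot: The unauthenticated customer record is now owned by `restorecommecre-demo-root-organization`, while the same patch moves the unauthenticated user's `defaultScope` and role scoping to `restorecommecre-demo-shops-organization` (users.yaml, first hunk), whose `parentId` is the root organization. If owner matching is resolved against the subject's scoped organization and its descendants, the unauthenticated user would no longer match its own customer record; if it walks ancestors as well, the change is fine — which direction the access-control service uses is not visible here and should be confirmed. A comment on the owner entry, e.g. `# root org must remain an ancestor of the unauthenticated user's scope`, would record the dependency. The file also still ends without a trailing newline.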
@@ -20,6 +20,50 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: restorecommecre-demo-root-organization +--- + id: restorecommecre-demo-shops-organization + name: Restorecommerce Demo Shops + contactPointIds: [] + website: "" + email: "" + vatId: "" + isicV4: "" + registration: "" + logo: + url: "" + registrationCourt: "" + paymentMethodIds: [] + parentId: "restorecommecre-demo-root-organization" + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: restorecommecre-demo-shops-organization +--- + id: restorecommecre-demo-customers-organization + name: Restorecommerce Demo Customers + contactPointIds: [] + website: "" + email: "" + vatId: "" + isicV4: "" + registration: "" + logo: + url: "" + registrationCourt: "" + paymentMethodIds: [] + parentId: "restorecommecre-demo-root-organization" + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: restorecommecre-demo-customers-organization --- id: restorecommecre-demo-shop-000-organization name: Restorecommerce Demo Shop 000 Organization @@ -34,7 +78,7 @@ url: http://console:80/templates/logos/PNG/X_Logo.png registrationCourt: Amtsgericht Stuttgart (Registergericht) paymentMethodIds: [] - parentId: restorecommecre-demo-root-organization + parentId: restorecommecre-demo-shops-organization meta: modifiedBy: "" owners: @@ -57,7 +101,7 @@ url: "" registrationCourt: Amtsgericht Stuttgart (Registergericht) paymentMethodIds: [ ] - parentId: restorecommecre-demo-root-organization + parentId: restorecommecre-demo-customers-organization meta: modifiedBy: "" owners: 
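Review bot: The two new organization ids carry the `restorecommecre` misspelling into fresh identifiers, while users.yaml in this same patch references the correctly spelled `restorecommerce-demo-customers-organization` (customer-002 hunk), so the dataset now holds both spellings for the same entity. Every scope, owner and `parentId` reference is matched by exact string, so a spelling mismatch silently points at a non-existent organization; pick one spelling for the new ids and all references to them rather than extending the typo (the existing root-organization id already shows the same split between organizations.yaml and users.yaml). The new entries also quote `parentId: "restorecommecre-demo-root-organization"` where the rest of the file writes `parentId: restorecommecre-demo-shops-organization` unquoted; both parse the same, but keep one form within the file.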
@@ -80,7 +124,7 @@ url: "" registrationCourt: Amtsgericht Stuttgart (Registergericht) paymentMethodIds: [ ] - parentId: restorecommecre-demo-root-organization + parentId: restorecommecre-demo-customers-organization meta: modifiedBy: "" owners: @@ -88,4 +132,4 @@ value: urn:restorecommerce:acs:model:organization.Organization attributes: - id: urn:restorecommerce:acs:names:ownerInstance - value: restorecommecre-demo-customer-002-organization + value: restorecommecre-demo-customer-001-organization diff --git a/datasets/demo-shop/data/seed-data/shops.yaml b/datasets/demo-shop/data/seed-data/shops.yaml index 46fb748..cf06dfe 100644 --- a/datasets/demo-shop/data/seed-data/shops.yaml +++ b/datasets/demo-shop/data/seed-data/shops.yaml @@ -3,7 +3,7 @@ shopNumber: "00000000" name: "Restorecommerce Demo Shop 000" description: "" - domain: store.restorecommerce.io + domain: localhost organizationId: restorecommecre-demo-shop-000-organization meta: modifiedBy: "" diff --git a/datasets/demo-shop/data/seed-data/users.yaml b/datasets/demo-shop/data/seed-data/users.yaml index 404e44e..381d79f 100644 --- a/datasets/demo-shop/data/seed-data/users.yaml +++ b/datasets/demo-shop/data/seed-data/users.yaml 
@@ -1,19 +1,21 @@ --- id: restorecommerce-demo-unauthenticated-user - name: unauthenticated_user + name: unauthenticated-user firstName: Unauthenticated lastName: User - email: unauthenticated_user@restorecommerce.io - defaultScope: restorecommecre-demo-root-organization + email: unauthenticated.user@restorecommerce.io + defaultScope: restorecommecre-demo-shops-organization roleAssociations: - - id: user-r-role-assoc-id - role: user-r-id + - id: restorecommecre-demo-shops-organization-unauthenticated-user-r-id + role: unauthenticated-user-r-id + - id: restorecommecre-demo-shops-organization-customer-r-id + role: customer-r-id attributes: - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization attributes: - id: urn:restorecommerce:acs:names:roleScopingInstance - value: restorecommecre-demo-root-organization + value: restorecommecre-demo-shops-organization localeId: de-de timezoneId: europe-berlin meta: @@ -24,11 +26,6 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: restorecommecre-demo-root-organization - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:user.User - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: restorecommerce-demo-unauthenticated-user newEmail: "" active: true activationCode: "" 
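Review bot: The unauthenticated user now holds a second role association, `customer-r-id` scoped to `restorecommecre-demo-shops-organization`, in addition to `unauthenticated-user-r-id`, so whatever the customer role permits in that scope becomes reachable without authentication. That may be intended for guest checkout, but it is a privilege change that deserves a comment beside the association, e.g. `# anonymous requests act as a customer in the shops scope; review what customer-r-id permits`. The association id `restorecommecre-demo-shops-organization-customer-r-id` is also reused verbatim on every customer user in the later hunks of this file, and `id: user-r-id` likewise; the removed lines used per-user ids such as `restorecommerce-demo-shop-000-admin-000-user-r-id`, so whether association ids must be unique per user needs confirming against the consumer.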
@@ -50,24 +47,27 @@ invitedByUserLastName: "" properties: - id: urn:restorecommerce:acs:names:network:src:domain - value: store.restorecommerce.io + value: localhost tokens: - - name: unauthenticated_token - token: k2veMOlBe52yUNMHNYJvCmD3T9iAKCpB - scopes: - - user-r-role-assoc-id + - name: unauthenticated-token + token: UNAUTHENTICATED --- - id: restorecommerce-demo-root-superadmin-000 - name: root.superadmin + id: restorecommerce-demo-root-admin-000 + name: root.admin firstName: Root - lastName: Superadmin - email: root.superadmin@restorecommerce.io + lastName: Admin + email: root.admin@restorecommerce.io password: CNQJrH%KAayeDpf3h defaultScope: restorecommerce-demo-root-organization roleAssociations: - - role: superadministrator-r-id - attributes: [] - id: "" + - id: restorecommerce-demo-root-organization-administrator-r-id + role: administrator-r-id + attributes: + - id: urn:restorecommerce:acs:names:roleScopingEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:roleScopingInstance + value: restorecommerce-demo-root-organization localeId: de-de timezoneId: europe-berlin meta: @@ -78,11 +78,6 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: restorecommerce-demo-root-organization - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:user.User - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: restorecommerce-demo-root-superadmin newEmail: "" active: true activationCode: "" @@ -102,7 +97,9 @@ invitedByUserName: "" invitedByUserFirstName: "" invitedByUserLastName: "" - tokens: [] + tokens: + - name: access-token + token: ROOTADMINISTRATOR000 --- id: restorecommerce-demo-shop-000-admin-000 name: shop000.admin000 
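Review bot: The new token values are fixed, human-readable strings (`UNAUTHENTICATED` here, `ROOTADMINISTRATOR000` for the root admin, and the same pattern in the remaining hunks of this file), replacing a random value, and the `scopes:` list on the unauthenticated token is dropped. Together with the single shared `password: CNQJrH%KAayeDpf3h`, this seed data hands out root-level access to anyone who can reach a deployment it was loaded into, so it must only ever be seeded into local or throw-away environments; a header comment in this file, e.g. `# Development fixtures only: tokens and passwords are static and must not be seeded into shared environments`, would make that constraint explicit. It is also worth confirming what a token without `scopes` resolves to — if it means all of the user's role associations, the unauthenticated token now carries the customer role as well.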
@@ -112,16 +109,8 @@ password: CNQJrH%KAayeDpf3h defaultScope: restorecommerce-demo-shop-000-organization roleAssociations: - - role: user-r-id - id: restorecommerce-demo-shop-000-admin-000-user-r-id - attributes: - - id: urn:restorecommerce:acs:names:roleScopingEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:roleScopingInstance - value: restorecommerce-demo-shop-000-organization - - role: administrator-r-id - id: restorecommerce-demo-shop-000-admin-000-administrator-r-id + - id: restorecommerce-demo-shop-000-organization-administrator-r-id + role: administrator-r-id attributes: - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization @@ -138,11 +127,6 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: restorecommerce-demo-shop-000-organization - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:user.User - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: restorecommerce-demo-shop-000-admin-000 newEmail: "" active: true activationCode: "" 
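Review bot: This hunk drops the shop admin's explicit `user-r-id` association, whereas the customer moderator and member users in the later hunks of this file keep `- id: user-r-id` / `role: user-r-id` alongside their organization-scoped roles, and the root admin in the hunk above has no such association either. If `user-r-id` is what grants a subject access to its own account (the removed users_policy listed a `normal_user_account_rule` for that purpose), the two administrator users now depend entirely on `administrator-rule` for self-service actions; either restore the association for consistency or add a comment on `roleAssociations:` stating why administrators do not need it.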
@@ -162,32 +146,36 @@ invitedByUserName: "" invitedByUserFirstName: "" invitedByUserLastName: "" - tokens: [ ] + tokens: + - name: access-token + token: SHOP000ADMINISTRATOR000 --- - id: restorecommerce-demo-customer-000-admin-000 - name: customer000.admin000 + id: restorecommerce-demo-customer-000-moderator-000 + name: customer000.moderator000 firstName: Customer000 - lastName: Admin000 - email: customer000.admin000@restorecommerce.io + lastName: Moderator000 + email: customer000.moderator000@restorecommerce.io password: CNQJrH%KAayeDpf3h defaultScope: restorecommerce-demo-customer-000-organization roleAssociations: - - role: user-r-id - id: "" + - id: restorecommerce-demo-customer-000-organization-moderator-r-id + role: moderator-r-id attributes: - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization attributes: - id: urn:restorecommerce:acs:names:roleScopingInstance value: restorecommerce-demo-customer-000-organization - - role: administrator-r-id - id: restorecommerce-demo-customer-000-admin-000-administrator-r-id + - id: restorecommecre-demo-shops-organization-customer-r-id + role: customer-r-id attributes: - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization attributes: - id: urn:restorecommerce:acs:names:roleScopingInstance - value: restorecommerce-demo-customer-000-organization + value: restorecommecre-demo-shops-organization + - id: user-r-id + role: user-r-id localeId: de-de timezoneId: europe-berlin meta: @@ -198,11 +186,6 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: restorecommerce-demo-customer-000-organization - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:user.User - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: restorecommerce-demo-customer-000-admin-000 newEmail: "" active: true activationCode: "" 
@@ -222,32 +205,36 @@ invitedByUserName: "" invitedByUserFirstName: "" invitedByUserLastName: "" - tokens: [ ] + tokens: + - name: access-token + token: CUSTOMER000MODERATOR000 --- - id: restorecommerce-demo-customer-001-admin-000 - name: customer001.admin000 + id: restorecommerce-demo-customer-001-moderator-000 + name: customer001.moderator000 firstName: Customer001 - lastName: Admin000 - email: customer001.admin000@restorecommerce.io + lastName: Moderator000 + email: customer001.moderator000@restorecommerce.io password: CNQJrH%KAayeDpf3h defaultScope: restorecommerce-demo-customer-001-organization roleAssociations: - - role: user-r-id - id: "" + - id: restorecommerce-demo-customer-001-organization-moderator-r-id + role: moderator-r-id attributes: - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization attributes: - id: urn:restorecommerce:acs:names:roleScopingInstance value: restorecommerce-demo-customer-001-organization - - role: administrator-r-id - id: restorecommerce-demo-customer-001-admin-000-administrator-r-id + - id: restorecommecre-demo-shops-organization-customer-r-id + role: customer-r-id attributes: - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization attributes: - id: urn:restorecommerce:acs:names:roleScopingInstance - value: restorecommerce-demo-customer-001-organization + value: restorecommecre-demo-shops-organization + - id: user-r-id + role: user-r-id localeId: de-de timezoneId: europe-berlin meta: @@ -258,11 +245,6 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: restorecommerce-demo-customer-001-organization - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:user.User - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: restorecommerce-demo-customer-001-admin-000 newEmail: "" active: true activationCode: "" 
@@ -282,24 +264,36 @@ invitedByUserName: "" invitedByUserFirstName: "" invitedByUserLastName: "" - tokens: [ ] + tokens: + - name: access-token + token: CUSTOMER001MODERATOR000 --- - id: restorecommerce-demo-customer-000-user-000 - name: customer000.user000 + id: restorecommerce-demo-customer-000-member-000 + name: customer000.member000 firstName: Customer000 - lastName: User000 - email: customer000.user000@restorecommerce.io + lastName: Member000 + email: customer000.member000@restorecommerce.io password: CNQJrH%KAayeDpf3h defaultScope: restorecommerce-demo-customer-000-organization roleAssociations: - - role: user-r-id - id: "" + - id: restorecommerce-demo-customer-000-organization-member-r-id + role: member-r-id attributes: - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization attributes: - id: urn:restorecommerce:acs:names:roleScopingInstance value: restorecommerce-demo-customer-000-organization + - id: restorecommecre-demo-shops-organization-customer-r-id + role: customer-r-id + attributes: + - id: urn:restorecommerce:acs:names:roleScopingEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:roleScopingInstance + value: restorecommecre-demo-shops-organization + - id: user-r-id + role: user-r-id localeId: de-de timezoneId: europe-berlin meta: @@ -310,11 +304,6 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: restorecommerce-demo-customer-000-organization - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:user.User - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: restorecommerce-demo-customer-000-user-000 newEmail: "" active: true activationCode: "" 
@@ -334,24 +323,36 @@ invitedByUserName: "" invitedByUserFirstName: "" invitedByUserLastName: "" - tokens: [ ] + tokens: + - name: access-token + token: CUSTOMER000MEMBER000 --- - id: restorecommerce-demo-customer-001-user-000 - name: customer001.user000 + id: restorecommerce-demo-customer-001-member-000 + name: customer001.member000 firstName: Customer001 - lastName: User000 - email: customer001.user000@restorecommerce.io + lastName: Member000 + email: customer001.member000@restorecommerce.io password: CNQJrH%KAayeDpf3h defaultScope: restorecommerce-demo-customer-001-organization roleAssociations: - - role: user-r-id - id: "" + - id: restorecommerce-demo-customer-001-organization-member-r-id + role: member-r-id attributes: - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization attributes: - id: urn:restorecommerce:acs:names:roleScopingInstance value: restorecommerce-demo-customer-001-organization + - id: restorecommecre-demo-shops-organization-customer-r-id + role: customer-r-id + attributes: + - id: urn:restorecommerce:acs:names:roleScopingEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:roleScopingInstance + value: restorecommecre-demo-shops-organization + - id: user-r-id + role: user-r-id localeId: de-de timezoneId: europe-berlin meta: @@ -362,11 +363,6 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: restorecommerce-demo-customer-001-organization - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:user.User - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: restorecommerce-demo-customer-001-user-000 newEmail: "" active: true activationCode: "" 
@@ -386,7 +382,9 @@ invitedByUserName: "" invitedByUserFirstName: "" invitedByUserLastName: "" - tokens: [ ] + tokens: + - name: access-token + token: CUSTOMER001MEMBER000 --- id: restorecommerce-demo-customer-002-user-000 name: customer002.user000 @@ -394,16 +392,18 @@ lastName: User000 email: customer002.user000@restorecommerce.io password: CNQJrH%KAayeDpf3h - defaultScope: restorecommerce-demo-customer-002-organization + defaultScope: restorecommerce-demo-customers-organization roleAssociations: - - role: user-r-id - id: "" + - id: restorecommecre-demo-shops-organization-customer-r-id + role: customer-r-id attributes: - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization attributes: - id: urn:restorecommerce:acs:names:roleScopingInstance - value: restorecommerce-demo-root-organization + value: restorecommecre-demo-shops-organization + - id: user-r-id + role: user-r-id localeId: de-de timezoneId: europe-berlin meta: @@ -413,12 +413,7 @@ value: urn:restorecommerce:acs:model:organization.Organization attributes: - id: urn:restorecommerce:acs:names:ownerInstance - value: restorecommerce-demo-root-organization - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:user.User - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: restorecommerce-demo-customer-002-user-000 + value: restorecommerce-demo-customers-organization newEmail: "" active: true activationCode: "" @@ -438,4 +433,6 @@ invitedByUserName: "" invitedByUserFirstName: "" invitedByUserLastName: "" - tokens: [ ] \ No newline at end of file + tokens: + - name: access-token + token: CUSTOMER002USER000 \ No newline at end of file diff --git a/datasets/system/data/seed-data/policies.yaml b/datasets/system/data/seed-data/policies.yaml index 4f5e990..cc9fb16 100644 --- a/datasets/system/data/seed-data/policies.yaml +++ b/datasets/system/data/seed-data/policies.yaml 
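Review bot: `defaultScope: restorecommerce-demo-customers-organization` and the owner instance of the same name in the following hunk do not match the organization this patch defines, which organizations.yaml spells `restorecommecre-demo-customers-organization`. Scope and ownership are matched by exact id, so this user resolves to a non-existent organization and no scope- or owner-based rule will match it; change both values to `restorecommecre-demo-customers-organization`, or fix the spelling in organizations.yaml and every reference to it. The `roleScopingInstance` value in this same hunk already uses the `restorecommecre` form, which shows which spelling the rest of the patch expects.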
@@ -1,279 +1,15 @@ --- - id: users_policy - name: User Policy - description: Targets actions on a User account - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:user.User - subjects: [ ] - actions: [ ] - rules: - - normal_user_read_rule # Organization-scoped reads - - register_user_rule # Unauthenticated user can register its account - - user_activation_rule # Unauthenticated user can activate its account - - forgot_password_rule # Unauthenticated user can reset its password - - confirm_email_change_rule # Unauthenticated user can reset confirm email change - - normal_user_account_rule # Authenticated User has all permissions to access its own account - - administrator_rule # Admin - - fall_back_rule # Deny - - superadmin_rule # SuperAdmin - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides ---- - id: organizations_policy - name: Organizations policy - description: Targets access to the Organization resource - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:organization.Organization - subjects: [ ] - actions: [ ] - rules: - - normal_user_organization_read_rule_scoped # Reads - - administrator_rule # Admin - - fall_back_rule # Deny - - superadmin_rule # SuperAdmin - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: 
urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: address_policy - name: Addresses policy - description: Targets access to Addresses - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:address.Address - subjects: [ ] - actions: [ ] - rules: - - normal_user_address_read_rule_scoped # Reads - - administrator_rule # Admin - - fall_back_rule # Deny - - superadmin_rule # SuperAdmin - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides ---- - id: contact_points_policy - name: ContactPoints policy - description: Targets access to ContactPoints - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:contact_point.ContactPoint - subjects: [ ] - actions: [ ] - rules: - - normal_user_contactpoint_read_rule_scoped # Reads - - administrator_rule # Admin - - fall_back_rule # Deny - - superadmin_rule # SuperAdmin - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: contact_point_types_policy - name: ContactPointType policy - description: Targets access to ContactPointTypes - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:contact_point_type.ContactPointType - subjects: [ ] - actions: 
[ ] - rules: - - normal_user_contactpoint_type_read_rule # Reads - - fall_back_rule # Deny - - superadmin_rule # SuperAdmin - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: taxes_policy - name: Taxes policy - description: Targets access to Taxes - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:tax.Tax - subjects: [ ] - actions: [ ] - rules: - - normal_user_tax_read_rule # Reads - - fall_back_rule # Deny - - superadmin_rule # SuperAdmin - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: tax_types_policy - name: TaxType policy - description: Targets access to TaxTypes - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:tax_type.TaxType - subjects: [ ] - actions: [ ] - rules: - - normal_user_tax_type_read_rule # Reads - - fall_back_rule # Deny - - superadmin_rule # SuperAdmin - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: countries_policy - name: Countries policy - description: 
Targets access to Countries - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:country.Country - subjects: [ ] - actions: [ ] - rules: - - normal_user_country_read_rule # Reads - - fall_back_rule # Deny - - superadmin_rule # SuperAdmin - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: roles_policy - name: Roles policy - description: Targets access to Roles - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:role.Role - subjects: [ ] - actions: [ ] - rules: - - normal_user_roles_read_rule # Reads - - superadmin_role_read_rule # Deny access to SuperAdmin Role - - superadmin_rule # SuperAdmin - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: locales_policy - name: Locales policy - description: Targets access to Locales - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:locale.Locale - subjects: [ ] - actions: [ ] - rules: - - normal_user_locale_read_rule # Reads - - fall_back_rule # Deny - - superadmin_rule # SuperAdmin - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - meta: - modifiedBy: "" - owners: - - id: 
urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: timezones_policy - name: Timezones policy - description: Targets access to Timezones + id: fallback-policy + name: Fallback Policy + description: Fallback to Deny evaluationCacheable: false - effect: PERMIT + effect: DENY target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:timezone.Timezone - subjects: [ ] - actions: [ ] + resources: [] + actions: [] + subjects: [] rules: - - normal_user_timezone_read_rule # Reads - - fall_back_rule # Deny - - superadmin_rule # SuperAdmin - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides + - fallback-rule meta: modifiedBy: "" owners: 
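Review bot: The fallback policy has an empty target (`resources: []`, `actions: []`, `subjects: []`), so it is selected for every request, with effect `DENY` and `permit-overrides` as its rule combining algorithm (context line in the next hunk). Whether it actually closes the gap left by the removed per-resource policies depends on the policy-set combining algorithm, which this patch changes in policy_sets.yaml but which is not visible here: under permit-overrides at set level the fallback only applies when no other policy permits, which is the intended default-deny, whereas deny-overrides at set level would block everything. The removed users_policy also carried the unauthenticated self-service rules (`register_user_rule`, `user_activation_rule`, `forgot_password_rule`, `confirm_email_change_rule`); none of the three policies visible in this file name a replacement, so a comment saying where those flows are now governed would help the next reader. The removed policies annotated every rule inline; keep that habit, e.g. `- fallback-rule  # DENY any request that no more specific policy permits`.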
@@ -282,52 +18,21 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: system ---- - id: execute_action_policy - name: Execute-Action Policy - description: Targets `execute`-type actions - evaluationCacheable: false - effect: PERMIT - target: - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:execute - resources: [ ] - subjects: [ ] combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system - rules: - - delete_organization_rule # DeleteOrgData - - execute_command_rule # ExecuteCommand - - org_scoped_order_submit_rule - - org_scoped_order_withdraw_rule - - user_scoped_order_submit_rule - - user_scoped_order_withdraw_rule - - unauth_user_order_submit_rule - - superadmin_rule --- - id: commands_policy - name: Commands Policy - description: Allows access by SuperAdmins to the `Command` resource + id: superadministrator-policy + name: Superadministrator Policy + description: Policies for Superadmin evaluationCacheable: false effect: PERMIT target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:command.Command - subjects: [ ] - actions: [ ] + resources: [] + actions: [] + subjects: + - id: urn:restorecommerce:acs:names:role + value: superadministrator-r-id rules: - - superadmin_rule # SuperAdmin - - fall_back_rule # Deny - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides + - superadmin-rule meta: modifiedBy: "" owners: 
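Review bot: With `resources: []` and `actions: []`, the superadministrator policy is selected for every request from a subject holding `superadministrator-r-id`, and any restriction lives entirely in `superadmin-rule`, which is not visible here. The removed execute_action_policy also listed `delete_organization_rule`, `execute_command_rule` and the order rules (`org_scoped_order_submit_rule`, `user_scoped_order_withdraw_rule`, `unauth_user_order_submit_rule`); nothing in this hunk names their replacement, so if they moved into the multi-resource rule set, a comment on `rules:` pointing to where `execute`-type actions are now governed would help. The `subjects` entry keyed by `urn:restorecommerce:acs:names:role` appears to match on role id alone with no scoping attribute, so a superadministrator association scoped to a single organization would presumably be treated like an unscoped one — confirm that is intended.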
@@ -336,70 +41,23 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: system ---- - id: jobs_policy - name: Jobs Policy - description: Allows access by SuperAdmins to the `Jobs` resource - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:job.Job - subjects: [ ] - actions: [ ] - rules: - - superadmin_rule # SuperAdmin - - fall_back_rule # Deny - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: policy_sets_policy - name: PolicySets Policy - description: Allows access by SuperAdmins to the `PolicySEt` resource - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:policy_set.PolicySet - subjects: [ ] - actions: [ ] - rules: - - superadmin_rule # SuperAdmin - - fall_back_rule # Deny combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system --- - id: policies_resource_policy - name: Policy-Resource Policy - description: Allows access by SuperAdmins to the `Policy` resource + id: administrator-policy + name: Administrator Policy + description: Policies for Admin evaluationCacheable: false effect: PERMIT target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:policy.Policy - subjects: [ ] - actions: [ ] + resources: [] + actions: 
[] + subjects: + - id: urn:restorecommerce:acs:names:role + value: administrator-r-id rules: - - superadmin_rule # SuperAdmin - - fall_back_rule # Deny - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides + - administrator-rule + - admin-system-roles-read-rule + - admin-orga-roles-read-rule meta: modifiedBy: "" owners: 
@@ -408,52 +66,23 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: system ---- - id: rules_policy - name: Rule Policy - description: Allows access by SuperAdmins to the `Rule` resource - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:rule.Rule - subjects: [ ] - actions: [ ] - rules: - - superadmin_rule # SuperAdmin - - fall_back_rule # Deny combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system --- - id: orders_modify_policy - name: Orders Policy - description: Allows normal users to create, read or modify Orders + id: moderator-policy + name: Moderator Policy + description: Policies for Moderator evaluationCacheable: false effect: PERMIT target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:order.Order - actions: [ ] - subjects: [ ] + resources: [] + actions: [] + subjects: + - id: urn:restorecommerce:acs:names:role + value: moderator-r-id rules: - - org_scoped_order_read_rule - - org_scoped_order_modify_rule - - org_scoped_order_delete_rule - - user_scoped_order_read_rule - - user_scoped_order_modify_rule - - user_scoped_order_delete_rule - - superadmin_rule # Permit: SuperAdmin - - fall_back_rule # Deny: All - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides + - moderator-organization-user-read-create-rule + - moderator-organization-resource-read-modify-rule + - moderator-organization-order-read-rule meta: modifiedBy: "" owners: 
@@ -462,50 +91,22 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: system ---- - id: customers_policy - name: Customers Policy - description: Allows normal users to read Customer resource - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:customer.Customer - subjects: [ ] - actions: [ ] - rules: - - org_scoped_customer_read_rule # Permit: normal user under an Org scope - - user_scoped_customer_read_rule # Permit: normal user who owns the resource and not bounded to any organization - - superadmin_rule # Permit: SuperAdmin - - fall_back_rule # Deny: All combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system --- - id: shops_policy - name: Shops Policy - description: Allows normal users to read Shop resource + id: member-policy + name: Member Policy + description: Policies for Member evaluationCacheable: false effect: PERMIT target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:shop.Shop - subjects: [ ] - actions: [ ] + resources: [] + actions: [] + subjects: + - id: urn:restorecommerce:acs:names:role + value: member-r-id rules: - - org_scoped_shop_read_rule # Permit: normal user under an Org scope - - user_scoped_shop_read_rule # Permit: normal user who owns the resource and not bounded to any organization - - superadmin_rule # Permit: SuperAdmin - - fall_back_rule # Deny: All - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides + - member-organization-resource-read-rule + - member-ostorage-bucket-modify-rule meta: modifiedBy: "" owners: 
@@ -514,48 +115,23 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: system ---- - id: products_policy - name: Products policy - description: Targets access to Products - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:product.Product - subjects: [ ] - actions: [ ] - rules: - - normal_user_product_read_rule # Reads - - superadmin_rule # SuperAdmin - - fall_back_rule # Deny combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system --- - id: manufacturers_policy - name: Manufacturer's policy - description: Targets access to Manufacturers + id: customer-policy + name: Customer Policy + description: Policies for Customer evaluationCacheable: false effect: PERMIT target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:manufacturer.Manufacturer - subjects: [ ] - actions: [ ] + resources: [] + actions: [] + subjects: + - id: urn:restorecommerce:acs:names:role + value: customer-r-id rules: - - normal_user_manufacturer_read_rule # Reads - - fall_back_rule # Deny - - superadmin_rule # SuperAdmin - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides + - customer-organization-resource-read-rule + - customer-order-submit-rule + - customer-order-withdraw-rule meta: modifiedBy: "" owners: 
@@ -564,48 +140,23 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: system ---- - id: product_prototypes_policy - name: ProductPrototype policy - description: Targets access to Manufacturers - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:product_prototype.ProductPrototype - subjects: [ ] - actions: [ ] - rules: - - normal_user_product_prototype_read_rule # Reads - - fall_back_rule # Deny - - superadmin_rule # SuperAdmin combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system --- - id: product_categories_policy - name: ProductCategory policy - description: Targets access to Manufacturers + id: user-policy + name: User Policy + description: Policies for User evaluationCacheable: false effect: PERMIT target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:product_category.ProductCategory - subjects: [ ] - actions: [ ] + resources: [] + actions: [] + subjects: + - id: urn:restorecommerce:acs:names:role + value: user-r-id rules: - - normal_user_product_category_read_rule # Reads - - superadmin_rule # SuperAdmin - - fall_back_rule # Deny - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides + - user-owned-resource-read-modify-rule + - user-user-read-modify-rule + - user-order-read-modify-rule meta: modifiedBy: "" owners: 
@@ -614,97 +165,20 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: system ---- - id: price_groups_policy - name: PriceGroup policy - description: Targets access to Manufacturers - evaluationCacheable: false - effect: PERMIT - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:price_group.PriceGroup - subjects: [ ] - actions: [ ] - rules: - - normal_user_price_group_read_rule # Reads - - superadmin_rule # SuperAdmin - - fall_back_rule # Deny combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system -#ostorage policy -> Xingular --- - id: ostorage_policy - name: Ostorage policy - description: Targets access to the ostorage resource + id: everyone-policy + name: Everyone Policy + description: Policies for Everyone evaluationCacheable: false effect: PERMIT target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:ostorage.Ostorage - subjects: [ ] - actions: [ ] + resources: [] + actions: [] + subjects: [] rules: - - normal_user_ostorage_bucket_rule_scoped # Reads - - superadmin_rule # SuperAdmin - - fall_back_rule # Deny - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: tokens_policy - name: Token Policy - description: Targets `Token` resource - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:token.Token - 
combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides - evaluationCacheable: true - rules: - - normal_user_token_create_rule_condition # user-r-id create rule - - normal_user_token_modify_rule_condition # user-r-id modify rule - - normal_user_token_delete_rule_condition # user-r-id delete rule - - normal_user_token_read_rule_condition # user-r-id read rule - - administrator_rule # admin CRMD rule scoped - - superadmin_rule # superAdmin rule - - fall_back_rule # fallback Deny rule - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: ostorage_interal_bucket_policy - name: Ostorage policy for internal bucket - description: Targets access to the ostorage resource for internal bucket - target: - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:internal.Internal - rules: - - unauth_user_internal_bucket_rule # normal user - - administrator_rule - - superadmin_rule # SuperAdmin - - fall_back_rule # Deny - combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides + - everyone-own-token-read-modify-rule + - everyone-system-resource-read-rule meta: modifiedBy: "" owners: @@ -713,3 +187,4 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides \ No newline at end of file diff --git a/datasets/system/data/seed-data/policy_sets.yaml b/datasets/system/data/seed-data/policy_sets.yaml index caa9a05..a102e50 100644 --- a/datasets/system/data/seed-data/policy_sets.yaml +++ b/datasets/system/data/seed-data/policy_sets.yaml 
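Review bot: `everyone-policy` has `subjects: []`, so it and its rules now apply to every subject including unauthenticated callers, whereas the `tokens_policy` it replaces bound the token rules to `user-r-id` via `normal_user_token_*_rule_condition`. Confirm that `everyone-own-token-read-modify-rule` (defined outside this hunk) still ties the token to the requesting subject, otherwise an unauthenticated request could read or modify tokens. A short comment on the policy, e.g. `# subjects intentionally empty: applies to unauthenticated requests as well`, would make the broadened scope explicit.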
@@ -1,42 +1,20 @@ --- - id: locales_policy - name: Global Policy Set + id: system-policies + name: System Policy Set description: Contains all policies from RestoreCommerce combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides target: - resources: [ ] - subjects: [ ] - actions: [ ] + resources: [] + subjects: [] + actions: [] policies: - - execute_action_policy - - users_policy - - organizations_policy - - address_policy - - contact_points_policy - - contact_point_types_policy - - taxes_policy - - tax_types_policy - - countries_policy - - roles_policy - - locales_policy - - commands_policy - - jobs_policy - - policy_sets_policy - - policies_resource_policy - - rules_policy - - timezones_policy - - orders_policy - - customers_policy - - shops_policy - - products_policy - - manufacturers_policy - - product_prototypes_policy - - product_categories_policy - - price_groups_policy - - ostorage_policy - - tokens_policy - - ostorage_interal_bucket_policy - - unauth_execute_action_policy + - superadministrator-policy + - administrator-policy + - moderator-policy + - member-policy + - customer-policy + - user-policy + - everyone-policy meta: modifiedBy: "" owners: diff --git a/datasets/system/data/seed-data/roles.yaml b/datasets/system/data/seed-data/roles.yaml index 710ed10..167a6fd 100644 --- a/datasets/system/data/seed-data/roles.yaml +++ b/datasets/system/data/seed-data/roles.yaml @@ -15,7 +15,7 @@ --- id: administrator-r-id name: Administrator - description: can read and write with in his organization scope + description: can read and write within his organization scope assignableByRoles: - superadministrator-r-id - administrator-r-id 
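Review bot: `fallback-policy`, the DENY policy this patch defines in policies.yaml, is not listed in `system-policies`, so it and `fallback-rule` are unreferenced seed data; it also could not be added as-is, because its empty target matches every request and this set's `deny-overrides` algorithm would then deny everything. Either remove the orphaned policy and rule, or document that default-deny relies on the ACS mapping "no applicable policy" to Deny (I cannot confirm that behaviour from this file). Separately, the unchanged `combiningAlgorithm` on this PolicySet uses the `rule-combining-algorithm:deny-overrides` URN; a policy set conventionally carries `urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides`, so it is worth checking which form the ACS actually honours.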
@@ -27,13 +27,76 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: system +--- + id: moderator-r-id + name: Moderator + description: can create and delete users within his organization scope + assignableByRoles: + - superadministrator-r-id + - administrator-r-id + - moderator-r-id + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system +--- + id: member-r-id + name: member + description: can read within organization scope + assignableByRoles: + - superadministrator-r-id + - administrator-r-id + - moderator-r-id + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system +--- + id: customer-r-id + name: customer + description: can read shops, products and place orders within organization scope + assignableByRoles: + - superadministrator-r-id + - administrator-r-id + - moderator-r-id + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system --- id: user-r-id name: user - description: can read and write with in his organization scope + description: grands actions on its own account assignableByRoles: - superadministrator-r-id - administrator-r-id + - moderator-r-id + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system +--- + id: unauthenticated-user-r-id + name: unauthenticated-user + description: actions for 
unauthenticated users + assignableByRoles: + - superadministrator-r-id meta: modifiedBy: "" owners: diff --git a/datasets/system/data/seed-data/rules.yaml b/datasets/system/data/seed-data/rules.yaml index 9af3423..2524d9d 100644 --- a/datasets/system/data/seed-data/rules.yaml +++ b/datasets/system/data/seed-data/rules.yaml @@ -1,12 +1,10 @@ --- - id: fall_back_rule + id: fallback-rule name: Fallback rule - description: Fallback rule + description: Fallback to Deny effect: DENY target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser + subjects: [] actions: [] resources: [] condition: "" @@ -23,20 +21,46 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: superadmin_rule + id: superadmin-rule name: SuperAdmins Rule description: Permit anything by SuperAdmins (fallback rule) target: subjects: - id: urn:restorecommerce:acs:names:role - value: superadministrator-r-id # SuperAdmin - actions: [ ] - resources: [ ] + value: superadministrator-r-id + actions: [] + resources: [] effect: PERMIT condition: "" evaluationCacheable: false contextQuery: - filters: [ ] + filters: [] + query: "" + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system +--- + id: administrator-rule + name: Admin Rule + description: Permits all if subject is Admin within the hierarchical scope + target: + subjects: + - id: urn:restorecommerce:acs:names:role + value: administrator-r-id + - id: urn:restorecommerce:acs:names:roleScopingEntity + value: urn:restorecommerce:acs:model:organization.Organization + actions: [] + resources: [] + effect: PERMIT + condition: "" + evaluationCacheable: false + contextQuery: + filters: [] query: "" meta: modifiedBy: "" 
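Review bot: The `user-r-id` description added here reads `grands actions on its own account`; it should be `grants actions on its own account`. The new role names are also inconsistent in case (`Moderator` versus `member`, `customer`, `user`), which matters if `name` is ever displayed. Note too that `moderator-r-id` lists itself under `assignableByRoles`, so, presumably, any moderator can create further moderators within scope; if that delegation is intended, a comment `# moderators may delegate the moderator role` would make it explicit.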
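Review bot: `administrator-rule` has empty `actions` and `resources` targets, so within the organization scope it permits every action on every entity, including `command.Command`, `job.Job`, `policy_set.PolicySet`, `policy.Policy` and `rule.Rule`, which the removed `commands_policy`, `jobs_policy`, `policy_sets_policy` and `rules_policy` had reserved for `superadmin_rule` plus `fall_back_rule`. Whether those `system`-owned resources fall outside an administrator's hierarchical scope depends on ACS behaviour not visible here; if they must stay superadmin-only, add an explicit DENY rule for them to `administrator-policy` or enumerate the permitted entities in this rule's `resources` target. A comment such as `# intentionally unrestricted: the scope check alone bounds the admin` would record the decision either way.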
@@ -47,29 +71,40 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: normal_user_read_rule - name: User read rule - description: Permits User read if he is owner of resource + id: admin-system-roles-read-rule + name: Admin system role read rule + description: Allows Admin to read all Roles in system target: subjects: - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser + value: administrator-r-id actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:read resources: - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:user.User + value: urn:restorecommerce:acs:model:role.Role + effect: PERMIT condition: " - (request) => request?.target?.resources?.some( - (obj) => obj?.id === 'urn:restorecommerce:acs:names:model:entity' && obj?.value === 'urn:restorecommerce:acs:model:user.User' - ) ? request?.context?.subject?.id : undefined; + (request) => request?.context?.resources?.every( + resource => resource.meta?.owners?.some( + owner => ( + owner.id === 'urn:restorecommerce:acs:names:ownerIndicatoryEntity' + && owner.value === 'urn:restorecommerce:acs:model:organization.Organization' + && owner.attributes?.some( + att => ( + att.id === 'urn:restorecommerce:acs:names:ownerInstance' + && att.value === 'system' + ) + ) + ) + ) + ); " - effect: PERMIT evaluationCacheable: false contextQuery: - filters: [ ] + filters: [] query: "" meta: modifiedBy: "" 
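Review bot: `admin-system-roles-read-rule` permits reads of every role owned by the `system` organization, and a later hunk of this patch removes the DENY `superadmin_role_read_rule` ("SuperAdmin role should not be readable"), so `superadministrator-r-id` becomes readable by administrators. If that role should stay hidden, add `&& resource.id !== 'superadministrator-r-id'` inside the `every` callback, or re-add a DENY rule to `administrator-policy`. Also, `Array.prototype.every` on an empty `request.context.resources` returns true, so the rule permits a read that carries no resources; confirm whether the ACS ever evaluates rule conditions with an empty resource list.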
@@ -80,13 +115,13 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: normal_user_organization_read_rule_scoped - name: Organization read rule - description: Permits any read if the resource is under an organizational hierarchical scope + id: admin-orga-roles-read-rule + name: Admin orga role read rule + description: Allows Admin to read all Roles in orga scope target: subjects: - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser + value: administrator-r-id - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization actions: @@ -94,12 +129,12 @@ value: urn:restorecommerce:acs:names:action:read resources: - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:organization.Organization + value: urn:restorecommerce:acs:model:role.Role effect: PERMIT condition: "" evaluationCacheable: false contextQuery: - filters: [ ] + filters: [] query: "" meta: modifiedBy: "" 
@@ -110,26 +145,30 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: normal_user_address_read_rule_scoped - name: Address read rule - description: Permits any read if the resource is under an organizational hierarchical scope + id: moderator-organization-user-read-create-rule + name: Moderator Organization User read create rule + description: Permits actions on users in organizational scope target: subjects: - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser + value: moderator-r-id - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:read + - id: urn:oasis:names:tc:xacml:1.0:action:action-id + value: urn:restorecommerce:acs:names:action:create + - id: urn:oasis:names:tc:xacml:1.0:action:action-id + value: urn:restorecommerce:acs:names:action:delete resources: - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:address.Address + value: urn:restorecommerce:acs:model:user.User effect: PERMIT condition: "" evaluationCacheable: false contextQuery: - filters: [ ] + filters: [] query: "" meta: modifiedBy: "" 
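Review bot: The id `moderator-organization-user-read-create-rule` and the description `Permits actions on users in organizational scope` understate what the target grants: `read`, `create` and `delete` on `user.User` across the organization scope with an empty `condition`. Rename it to something like `moderator-organization-user-read-create-delete-rule` (updating `moderator-policy` to match) and name the three actions in the description. Nothing in this target stops a moderator from deleting users that hold `administrator-r-id` in the same scope; unless the ACS enforces a role hierarchy elsewhere, a condition on the target user's role associations would be needed.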
@@ -140,26 +179,38 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: normal_user_contactpoint_read_rule_scoped - name: ContactPoint read rule - description: Permits any read if the resource is under an organizational hierarchical scope + id: moderator-organization-resource-read-modify-rule + name: Moderator Organization Resource read modify rule + description: Permits read on resources in organizational scope target: subjects: - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser + value: moderator-r-id - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:read + - id: urn:oasis:names:tc:xacml:1.0:action:action-id + value: urn:restorecommerce:acs:names:action:modify resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:organization.Organization + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:customer.Customer - id: urn:restorecommerce:acs:names:model:entity value: urn:restorecommerce:acs:model:contact_point.ContactPoint + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:address.Address + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:ostorage.Ostorage + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:internal.Internal effect: PERMIT condition: "" evaluationCacheable: false contextQuery: - filters: [ ] + filters: [] query: "" meta: modifiedBy: "" 
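Review bot: The description `Permits read on resources in organizational scope` is wrong for this rule: its actions target includes `modify`, and its resources include `organization.Organization` and `internal.Internal`, so a moderator may modify the organization record itself. That exceeds the moderator role's own description in roles.yaml (`can create and delete users within his organization scope`). Either move `modify` on `organization.Organization` (and likely `internal.Internal`) into a separate, deliberately narrower rule, or correct the description to `Permits read and modify on organization, customer, contact point, address and storage resources in organizational scope` so the grant is reviewable.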
@@ -170,24 +221,26 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: normal_user_contactpoint_type_read_rule - name: ContactPointType read rule - description: Permits read for all users in any Organization + id: moderator-organization-order-read-rule + name: Moderator Organization Order read rule + description: Permits read on orders in organizational scope target: subjects: - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser + value: moderator-r-id + - id: urn:restorecommerce:acs:names:roleScopingEntity + value: urn:restorecommerce:acs:model:organization.Organization actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:read resources: - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:contact_point_type.ContactPointType + value: urn:restorecommerce:acs:model:order.Order effect: PERMIT condition: "" evaluationCacheable: false contextQuery: - filters: [ ] + filters: [] query: "" meta: modifiedBy: "" 
@@ -198,24 +251,50 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: normal_user_locale_read_rule - name: Locale read rule - description: Permits read for all users in any Organization + id: member-organization-resource-read-rule + name: Member Organization Resource read rule + description: Permits read if the resource is in organizational scope target: subjects: - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser + value: member-r-id + - id: urn:restorecommerce:acs:names:roleScopingEntity + value: urn:restorecommerce:acs:model:organization.Organization actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:read resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:organization.Organization + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:customer.Customer + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:contact_point_type.ContactPointType + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:contact_point.ContactPoint + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:country.Country + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:address.Address - id: urn:restorecommerce:acs:names:model:entity value: urn:restorecommerce:acs:model:locale.Locale + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:timezone.Timezone + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:tax_type.TaxType + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:tax.Tax + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:unit_code.UnitCode + - id: urn:restorecommerce:acs:names:model:entity + value: 
urn:restorecommerce:acs:model:ostorage.Ostorage + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:internal.Internal effect: PERMIT condition: "" evaluationCacheable: false contextQuery: - filters: [ ] + filters: [] query: "" meta: modifiedBy: "" @@ -226,24 +305,42 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: normal_user_timezone_read_rule - name: Timezone read rule - description: Permits read for all users + id: member-ostorage-bucket-modify-rule + name: Object Storage rule + description: Allows members to perform Modify on Object storage data on his organization target: subjects: - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:read + value: member-r-id + - id: urn:restorecommerce:acs:names:roleScopingEntity + value: urn:restorecommerce:acs:model:organization.Organization resources: - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:timezone.Timezone + value: urn:restorecommerce:acs:model:ostorage.Ostorage + actions: + - id: urn:oasis:names:tc:xacml:1.0:action:action-id + value: urn:restorecommerce:acs:names:action:modify effect: PERMIT - condition: "" + condition: + " + (request) => request?.context?.resources?.every( + resource => resource.meta?.owners?.some( + owner => ( + owner.id === 'urn:restorecommerce:acs:names:ownerIndicatoryEntity' + && owner.value === 'urn:restorecommerce:acs:model:organization.Organization' + && owner.attributes?.some( + att => ( + att.id === 'urn:restorecommerce:acs:names:ownerInstance' + && att.value === context?.subject?.id + ) + ) + ) + ) + ); + " evaluationCacheable: false contextQuery: - filters: [ ] + filters: [] query: "" meta: modifiedBy: "" 
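Review bot: The `member-ostorage-bucket-modify-rule` condition compares the owner's `ownerInstance` to `context?.subject?.id`, a user id, while the owner indicator it matches is `organization.Organization`; an organization-owned bucket will only match if the organization's id happens to equal the user's id, so the rule will effectively never permit and `on his organization` is not what is checked. The comparison should be against the subject's organization scope (whatever the ACS supplies for the `roleScopingEntity`), not the subject id. Also, unlike `admin-system-roles-read-rule`, which reads `request?.context?.resources`, this condition references a bare `context` that is not a parameter of the `(request) => …` arrow function; unless the evaluator injects a `context` binding, that is a ReferenceError, so at minimum it should read `request?.context?.subject?.id`.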
@@ -254,26 +351,60 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: normal_user_roles_read_rule - name: Role read rule - description: Only Admin should be allowed to read all Roles in system + id: customer-organization-resource-read-rule + name: Customer Organization Resource read rule + description: Permits any read if the resource is in organizational scope target: subjects: - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser - - id: urn:restorecommerce:acs:names:role - value: administrator-r-id # Admin + value: customer-r-id + - id: urn:restorecommerce:acs:names:roleScopingEntity + value: urn:restorecommerce:acs:model:organization.Organization actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:read resources: - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:role.Role + value: urn:restorecommerce:acs:model:organization.Organization + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:customer.Customer + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:shop.Shop + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:contact_point_type.ContactPointType + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:contact_point.ContactPoint + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:country.Country + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:address.Address + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:locale.Locale + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:timezone.Timezone + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:tax_type.TaxType + - id: 
urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:tax.Tax + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:unit_code.UnitCode + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:manufacturer:Manufacturer + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:price_groupe:PriceGroup + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:product_category:ProductCategory + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:product:Product + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:ostorage.Ostorage + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:internal.Internal effect: PERMIT condition: "" evaluationCacheable: false contextQuery: - filters: [ ] + filters: [] query: "" meta: modifiedBy: "" 
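Review bot: Four entries in `customer-organization-resource-read-rule` use a colon instead of a dot before the type name, and one is misspelled: `urn:restorecommerce:acs:model:manufacturer:Manufacturer`, `…:price_groupe:PriceGroup`, `…:product_category:ProductCategory`, `…:product:Product`. The other entries in this rule and the policies this patch removes use the dotted form (`urn:restorecommerce:acs:model:product.Product`, `…:manufacturer.Manufacturer`, `…:price_group.PriceGroup`, `…:product_category.ProductCategory`), so these four targets never match and customers silently lose read access to the catalogue. Change the four values to the dotted, correctly spelled URNs.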
@@ -284,26 +415,38 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: superadmin_role_read_rule - name: Role SuperAdmin read rule - description: SuperAdmin role should not be readable + id: customer-order-submit-rule + name: Customer Order Submit rule + description: Permits to submit orders in organizational scope target: subjects: - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser + value: customer-r-id + - id: urn:restorecommerce:acs:names:roleScopingEntity + value: urn:restorecommerce:acs:model:organization.Organization actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:read + value: urn:restorecommerce:acs:names:action:execute resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:role.Role - - id: urn:oasis:names:tc:xacml:1.0:resource:resource-id - value: superadministrator-r-id - effect: DENY - condition: "" + - id: urn:restorecommerce:acs:names:operation + value: execution.submitOrders + effect: PERMIT + condition: + " + (request) => request?.context?.resources?.every( + resource => ( + resource.user_id === context?.subject?.id + && ( + !resource.order_state + || resource.order_state?.toString() === 'UNRECOGNIZED' + || resource.order_state?.toString() === 'CREATED' + ) + ) + ); + " evaluationCacheable: false contextQuery: - filters: [ ] + filters: [] query: "" meta: modifiedBy: "" 
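Review bot: The new condition in `customer-order-submit-rule` compares `resource.user_id === context?.subject?.id` without first requiring the subject id to be set, so a resource with no `user_id` and a request whose subject id is unresolved compare `undefined === undefined` and pass the ownership check; the same pattern is used in the withdraw rule (`@@ -314,21`), the owned-resource rule (`@@ -342,24`) and the order rule (`@@ -398,24`). A defensive form is `resource => context?.subject?.id && resource.user_id === context.subject.id && ( … )`, keeping the state check unchanged. Also note that `context` is a free variable inside the `(request) => …` arrow function here, whereas the rules being removed in this diff used `request.subject?.id` or `request?.context?.subject?.id`; confirm the condition evaluator actually binds `context`, since an unbound name would throw rather than deny. Finally, `[].every(...)` is vacuously true, so a submit request carrying no resources is permitted by this condition; if that is intended it is worth a comment, because the removed org-scoped rules stated it explicitly with `length === 0 ||`. The rule's `meta` block ends outside the hunk.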
@@ -314,21 +457,31 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: normal_user_tax_read_rule - name: Tax read rule - description: Permits read for all users in any Organization + id: customer-order-withdraw-rule + name: Customer Order Withdraw Rule + description: Permits Order withdraw under condition and organizational hierarchical scope target: subjects: - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser + value: customer-r-id + - id: urn:restorecommerce:acs:names:roleScopingEntity + value: urn:restorecommerce:acs:model:organization.Organization actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:read + value: urn:restorecommerce:acs:names:action:execute resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:tax.Tax + - id: urn:restorecommerce:acs:names:operation + value: execution.withdrawOrders effect: PERMIT - condition: "" + condition: + " + (request) => request?.context?.resources?.every( + resource => ( + resource.user_id === context?.subject?.id + && resource.order_state?.toString() === 'SUBMITTED' + ) + ); + " evaluationCacheable: false contextQuery: filters: [ ] 
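Review bot: `customer-order-withdraw-rule` keeps `filters: [ ]` while every other rewritten rule in this diff normalizes it to `filters: []`; changing the last context line's neighbour to `filters: []` keeps the file consistent for yamllint and for reviewers grepping the seed data. The description says "under condition and organizational hierarchical scope" but the hunk does not set `urn:restorecommerce:acs:names:hierarchicalRoleScoping`, so whether hierarchy applies depends on the evaluator's default — worth stating in the description or adding the attribute explicitly. The `contextQuery` and `meta` blocks continue outside the hunk.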
@@ -342,24 +495,52 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: normal_user_tax_type_read_rule - name: TaxType read rule - description: Permits read for all users in any Organization + id: user-owned-resource-read-modify-rule + name: User owned Resource read modify rule + description: Permits read modify on owned resources target: subjects: - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser + value: user-r-id actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:read + - id: urn:oasis:names:tc:xacml:1.0:action:action-id + value: urn:restorecommerce:acs:names:action:modify resources: - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:tax_type.TaxType + value: urn:restorecommerce:acs:model:organization.Organization + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:customer.Customer + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:contact_point.ContactPoint + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:address.Address + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:ostorage.Ostorage + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:internal.Internal effect: PERMIT - condition: "" + condition: + " + (request) => request?.context?.resources?.every( + resource => resource.meta?.owners?.some( + owner => ( + owner.id === 'urn:restorecommerce:acs:names:ownerIndicatoryEntity' + && owner.value === 'urn:restorecommerce:acs:model:organization.Organization' + && owner.attributes?.some( + att => ( + att.id === 'urn:restorecommerce:acs:names:ownerInstance' + && att.value === context?.subject?.id + ) + ) + ) + ) + ); + " evaluationCacheable: false contextQuery: - filters: [ ] + filters: [] query: "" meta: modifiedBy: "" 
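Review bot: The condition of `user-owned-resource-read-modify-rule` requires the owner entity to be `urn:restorecommerce:acs:model:organization.Organization` while comparing `ownerInstance` to `context?.subject?.id`, which is a user id; the rule is described as covering user-owned resources, so this only matches where an organization id happens to equal the subject's user id, and resources tagged with `user.User` as their owner entity never match. Presumably the intended line is `&& owner.value === 'urn:restorecommerce:acs:model:user.User'` — confirm against how the seed data tags user-owned addresses and contact points. Independently, `att.value === context?.subject?.id` passes when both sides are undefined; an `att.value &&` guard (or a subject-id check at the top of the condition) closes that. The rule's `meta` block ends outside the hunk.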
@@ -370,21 +551,23 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: normal_user_country_read_rule - name: Country read rule - description: Permits read for all users in any Organization + id: user-user-read-modify-rule + name: User Account Rule + description: Permits actions by any User on its own account data target: subjects: - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser + value: user-r-id # Normal User + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:user.User actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:read - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:country.Country + - id: urn:oasis:names:tc:xacml:1.0:action:action-id + value: urn:restorecommerce:acs:names:action:modify + condition: "context?.subject?.id" effect: PERMIT - condition: "" evaluationCacheable: false contextQuery: filters: [ ] 
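Review bot: The new `condition: "context?.subject?.id"` in `user-user-read-modify-rule` only tests that a subject id exists; it never compares the targeted User resource to that id, so every subject holding `user-r-id` satisfies it for read and modify on any `user.User`, even though the description still says "on its own account data" and the rule carries no `roleScopingEntity`. The rule it replaces (removed in hunk `@@ -490,152`) matched `urn:oasis:names:tc:xacml:1.0:resource:resource-id` against the subject id, which is the check that made it an own-account rule. Restore it in the new style, e.g. `condition: "(request) => request?.target?.resources?.some(r => r.id === 'urn:oasis:names:tc:xacml:1.0:resource:resource-id' && r.value === context?.subject?.id)"`, and confirm `context` is bound in the evaluator (the removed version read `request?.context?.subject?.id`). The `contextQuery` and `meta` blocks continue outside the hunk.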
@@ -398,24 +581,38 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: register_user_rule - name: Register User rule - description: Targets register + id: user-order-read-modify-rule + name: User Order Modify rule + description: Permits to create and modify orders owned by user target: subjects: - - id: urn:restorecommerce:acs:names:unauthenticated-user - value: "true" + - id: urn:restorecommerce:acs:names:role + value: user-r-id actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:create + value: urn:restorecommerce:acs:names:action:read + - id: urn:oasis:names:tc:xacml:1.0:action:action-id + value: urn:restorecommerce:acs:names:action:modify resources: - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:user.User + value: urn:restorecommerce:acs:model:order.Order effect: PERMIT - condition: "" + condition: + " + (request) => request?.context?.resources?.every( + resource => ( + resource.user_id === context?.subject?.id + && ( + !resource.order_state + || resource.order_state?.toString() === 'UNRECOGNIZED' + || resource.order_state?.toString() === 'CREATED' + ) + ) + ); + " evaluationCacheable: false contextQuery: - filters: [ ] + filters: [] query: "" meta: modifiedBy: "" 
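Review bot: `user-order-read-modify-rule` targets both `action:read` and `action:modify` but applies a single condition that also requires `order_state` to be absent, `UNRECOGNIZED` or `CREATED`, so a user is denied *reading* their own order once it is `SUBMITTED` or later, and no other rule in this diff grants `order.Order` read to `user-r-id`. The description ("create and modify orders owned by user") suggests the state gate was meant for modify only; either drop the read action from this rule and add a read rule whose condition is just the `user_id` match, or document in a comment above `condition:` that reading non-CREATED orders is intentionally handled elsewhere. Like the other new conditions, it also compares `resource.user_id === context?.subject?.id` without a guard for an unset subject id. The rule's `meta` block ends outside the hunk.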
@@ -426,28 +623,28 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: forgot_password_rule - name: User 'Forgot Password' rule - description: Permits 'modify' by unauthenticated users on their password + id: unauthenticated-register-user-rule + name: Register new User rule + description: Register new User as Unauthenticated User target: subjects: - - id: urn:restorecommerce:acs:names:unauthenticated-user - value: "true" + - id: urn:restorecommerce:acs:names:role + value: unauthenticated-user-r-id + - id: urn:restorecommerce:acs:names:roleScopingEntity + value: urn:restorecommerce:acs:model:organization.Organization + - id: urn:restorecommerce:acs:names:hierarchicalRoleScoping + value: 'false' actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:modify + value: urn:restorecommerce:acs:names:action:create resources: - id: urn:restorecommerce:acs:names:model:entity value: urn:restorecommerce:acs:model:user.User - - id: urn:restorecommerce:acs:names:model:property - value: urn:restorecommerce:acs:model:user.User#activation_code - - id: urn:restorecommerce:acs:names:model:property - value: urn:restorecommerce:acs:model:user.User#password_hash effect: PERMIT condition: "" evaluationCacheable: false contextQuery: - filters: [ ] + filters: [] query: "" meta: modifiedBy: "" 
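Review bot: `hierarchicalRoleScoping: 'false'` is single-quoted while the rest of this file quotes boolean-looking strings with double quotes (`value: "true"` on the removed subject lines), so `value: "false"` keeps the file consistent; quoting itself is correct here since an unquoted `false` would become a YAML boolean. The description `Register new User as Unauthenticated User` would read better stating the scope it sets up, e.g. `Permits create on user.User for the unauthenticated role, scoped to its organization without hierarchy`, since that is the behaviour the new subject attributes encode. The rule's `meta` block ends outside the hunk.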
@@ -456,15 +653,17 @@ value: urn:restorecommerce:acs:model:organization.Organization attributes: - id: urn:restorecommerce:acs:names:ownerInstance - value: system + value: restorecommecre-demo-root-organization --- - id: confirm_email_change_rule - name: User 'ConfirmEmailChange' rule + id: unauthenticated-forgot-password-rule + name: User 'Forgot Password' rule description: Permits 'modify' by unauthenticated users on their password target: subjects: - - id: urn:restorecommerce:acs:names:unauthenticated-user - value: "true" + - id: urn:restorecommerce:acs:names:role + value: unauthenticated-user-r-id + - id: urn:restorecommerce:acs:names:roleScopingEntity + value: urn:restorecommerce:acs:model:organization.Organization actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:modify @@ -473,6 +672,8 @@ value: urn:restorecommerce:acs:model:user.User - id: urn:restorecommerce:acs:names:model:property value: urn:restorecommerce:acs:model:user.User#activation_code + - id: urn:restorecommerce:acs:names:model:property + value: urn:restorecommerce:acs:model:user.User#password_hash - id: urn:restorecommerce:acs:names:model:property value: urn:restorecommerce:acs:model:user.User#email effect: PERMIT 
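Review bot: The second hunk (`@@ -473,6`) adds `user.User#password_hash` to a rule whose property list already contains `activation_code` and `email`, so the unauthenticated role is now permitted to modify `email` and `password_hash` under one rule; before this commit those were two separate rules (forgot-password: activation_code + password_hash; confirm-email-change: activation_code + email). Whether an email change can ride along with a password reset is then decided entirely by the service that checks the activation code, not by the policy. If both flows are meant to share this rule, say so in the description, e.g. `Permits 'modify' by the unauthenticated role on activation_code, password_hash and email for the forgot-password and confirm-email flows`; otherwise keep the email property in its own rule. The `target` block of this rule spans both hunks and its end is outside the second one.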
@@ -490,152 +691,23 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: user_activation_rule - name: User Activation - description: Permits 'modify' by unauthenticated users in case of activation + id: everyone-own-token-read-modify-rule + name: Token read and modify rule + description: Permit modify access to the token resource owned by user target: - subjects: - - id: urn:restorecommerce:acs:names:unauthenticated-user - value: "true" + subjects: [] actions: + - id: urn:oasis:names:tc:xacml:1.0:action:action-id + value: urn:restorecommerce:acs:names:action:read - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:modify resources: - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:user.User - - id: urn:restorecommerce:acs:names:model:property - value: urn:restorecommerce:acs:model:user.User#active - - id: urn:restorecommerce:acs:names:model:property - value: urn:restorecommerce:acs:model:user.User#activation_code - effect: PERMIT - condition: "" - evaluationCacheable: false - contextQuery: - filters: [ ] - query: "" - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: normal_user_account_rule - name: User Account Rule - description: Permits actions by any User on its own account data - target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: user-r-id # Normal User - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:user.User - actions: [] - condition: # target.resources -> will contain the subject id of the requestor - " - (request) => { - let isUser = false; - let match = false; - isUser = request?.target?.resources?.some((obj) => obj?.id == 'urn:restorecommerce:acs:names:model:entity' && 
obj?.value == 'urn:restorecommerce:acs:model:user.User'); - if (isUser) { - match = request?.target?.resources?.some((obj) => obj?.id == 'urn:oasis:names:tc:xacml:1.0:resource:resource-id' && obj?.value == request?.context?.subject?.id); - } - return match; - } - " - effect: PERMIT - evaluationCacheable: false - contextQuery: - filters: [ ] - query: "" - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: administrator_rule - name: Admin Rule - description: Permits all if subject is Admin within the resource's hierarchical scope - target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: administrator-r-id # Admin - - id: urn:restorecommerce:acs:names:roleScopingEntity - value: urn:restorecommerce:acs:model:organization.Organization - actions: [] - resources: [] - effect: PERMIT - condition: "" - evaluationCacheable: false - contextQuery: - filters: [ ] - query: "" - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system -# Special Rules ---- - id: delete_organization_rule - name: DeleteOrg Rule - description: Rule targeting the `DeleteOrgData` mutation - target: - resources: - - id: urn:restorecommerce:acs:names:operation - value: mutation.deleteOrgData - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:execute - subjects: - - id: urn:restorecommerce:acs:names:role - value: superadministrator-r-id # SuperAdmin - effect: PERMIT - condition: "" - evaluationCacheable: false - contextQuery: - filters: [ ] - query: "" - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: 
urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: execute_command_rule - name: ExecuteCommand Rule - description: Targets the `ExecuteCommand` mutation - target: - resources: - - id: urn:restorecommerce:acs:names:operation - value: mutation.executeCommand - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:execute - subjects: - - id: urn:restorecommerce:acs:names:role - value: superadministrator-r-id # SuperAdmin + value: urn:restorecommerce:acs:model:token.Token + condition: "context?.subject?.id;" effect: PERMIT - condition: "" - evaluationCacheable: false - contextQuery: - filters: [ ] - query: "" + evaluationCacheable: true meta: - - modifiedBy: "" owners: - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity value: urn:restorecommerce:acs:model:organization.Organization 
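Review bot: `everyone-own-token-read-modify-rule` has `subjects: []` and `condition: "context?.subject?.id;"`, which only checks that a subject id is present; nothing compares the `token.Token` being read or modified to that subject, so the "owned by user" in the description is not enforced by this rule unless token ownership is checked elsewhere. The trailing `;` also differs from the otherwise identical `"context?.subject?.id"` in `user-user-read-modify-rule`; if the evaluator wraps the string as an expression, a statement terminator may not parse — confirm and use one form. `evaluationCacheable: true` on a subject-dependent condition is only safe if the cache key includes the subject; the removed rules all set it to `false`, so this deserves a comment such as `# cacheable: the condition depends only on the subject id, which is part of the cache key` once that is verified. The `contextQuery` block present on every other rule was dropped here; check whether the loader treats it as optional. The rule's `meta` block ends outside the hunk.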
@@ -643,142 +715,58 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: org_scoped_order_read_rule - name: Order read rule for scoped Organization - description: Permits Order read under an organizational hierarchical scope + id: everyone-system-resource-read-rule + name: Everyone system resource read rule + description: Permits read of system resources to everyone target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser - - id: urn:restorecommerce:acs:names:roleScopingEntity - value: urn:restorecommerce:acs:model:organization.Organization + subjects: [] actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:read resources: - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:order.Order - effect: PERMIT - condition: "" - evaluationCacheable: false - contextQuery: - filters: [ ] - query: "" - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: org_scoped_order_modify_rule - name: Order create or modify rule for scoped Organization - description: Permits Order create or modify under condition and organizational hierarchical scope - target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser - - id: urn:restorecommerce:acs:names:roleScopingEntity - value: urn:restorecommerce:acs:model:organization.Organization - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:modify - resources: + value: urn:restorecommerce:acs:model:contact_point_type.ContactPointType - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:order.Order - effect: PERMIT - # NormalUser can only create or modify orders of no higher state 
than CREATED - condition: - " - (request) => request?.context?.resources?.length === 0 || request?.context?.resources?.every( - resource => !resource.order_state - || resource.order_state?.toString() === 'UNRECOGNIZED' - || resource.order_state?.toString() === 'CREATED' - ); - " - evaluationCacheable: false - contextQuery: - filters: [ ] - query: "" - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: org_scoped_order_delete_rule - name: Order delete rule for scoped Organization - description: Permits Order delete under condition and organizational hierarchical scope - target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser - - id: urn:restorecommerce:acs:names:roleScopingEntity - value: urn:restorecommerce:acs:model:organization.Organization - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:delete - resources: + value: urn:restorecommerce:acs:model:contact_point.ContactPoint - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:order.Order - effect: PERMIT - # NormalUser can only delete orders of no higher state than CREATED - condition: - " - (request) => request?.context?.resources?.length === 0 || request?.context?.resources?.every( - resource => !resource.order_state - || resource.order_state?.toString() === 'UNRECOGNIZED' - || resource.order_state?.toString() === 'CREATED' - ); - " - evaluationCacheable: false - contextQuery: - filters: [ ] - query: "" - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: org_scoped_order_submit_rule - 
name: Order submit rule for scoped Organization - description: Permits Order submit under condition and organizational hierarchical scope - target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser - - id: urn:restorecommerce:acs:names:roleScopingEntity - value: urn:restorecommerce:acs:model:organization.Organization - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:execute - resources: - - id: urn:restorecommerce:acs:names:operation - value: execution.submitOrders + value: urn:restorecommerce:acs:model:country.Country + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:address.Address + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:locale.Locale + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:timezone.Timezone + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:tax_type.TaxType + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:tax.Tax + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:unit_code.UnitCode + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:ostorage.Ostorage + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:internal.Internal effect: PERMIT - # NormalUser can only submit orders of no higher state than CREATED condition: " (request) => request?.context?.resources?.every( - resource => resource.user_id === request.subject?.id && ( - !resource.order_state - || resource.order_state?.toString() === 'UNRECOGNIZED' - || resource.order_state?.toString() === 'CREATED' + resource => resource.meta?.owners?.some( + owner => ( + owner.id === 'urn:restorecommerce:acs:names:ownerIndicatoryEntity' + && owner.value === 
'urn:restorecommerce:acs:model:organization.Organization' + && owner.attributes?.some( + att => ( + att.id === 'urn:restorecommerce:acs:names:ownerInstance' + && att.value === 'system' + ) + ) ) + ) ); " evaluationCacheable: false contextQuery: - filters: [ ] + filters: [] query: "" meta: modifiedBy: "" 
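Review bot: `everyone-system-resource-read-rule` uses `subjects: []`, so it also applies to unauthenticated requests, and its resource list includes `ostorage.Ostorage`, `internal.Internal`, `address.Address` and `contact_point.ContactPoint`; the only thing that keeps this from being an unauthenticated read of those collections is the condition requiring each resource's owner to be `ownerInstance === 'system'`. That condition is evaluated over `request?.context?.resources` with `every`, which is vacuously true for a request carrying no resources, while `contextQuery.filters` stays `[]` — so for a list/query request the owner restriction may not be applied at all, depending on how the evaluator populates `context.resources`. If that is the case, the owner constraint belongs in `contextQuery.filters` rather than only in the condition; at minimum add above `condition:` a comment like `# only system-owned instances are readable by everyone; requests with an empty resource set are permitted by every()`. The rule's `meta` block ends outside the hunk.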
@@ -788,690 +776,3 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: system ---- - id: org_scoped_order_withdraw_rule - name: Order withdraw rule for scoped Organization - description: Permits Order withdraw under condition and organizational hierarchical scope - target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser - - id: urn:restorecommerce:acs:names:roleScopingEntity - value: urn:restorecommerce:acs:model:organization.Organization - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:execute - resources: - - id: urn:restorecommerce:acs:names:operation - value: execution.withdrawOrders - effect: PERMIT - # NormalUser can only withdraw SUBMITTED orders - condition: - " - (request) => request?.context?.resources?.every( - resource => resource.user_id === request.subject?.id - && resource.order_state?.toString() === 'SUBMITTED' - ); - " - evaluationCacheable: false - contextQuery: - filters: [ ] - query: "" - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: user_scoped_order_read_rule - name: Order read rule for scoped User - description: Permits Order read under user scope - target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser - - id: urn:restorecommerce:acs:names:roleScopingEntity - value: urn:restorecommerce:acs:model:user.User - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:read - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:order.Order - effect: PERMIT - condition: "" - evaluationCacheable: false - contextQuery: - filters: [ ] - query: "" - meta: - modifiedBy: "" - owners: - - id: 
urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: user_scoped_order_modify_rule - name: Order create or modify rule for scoped User - description: Permits Order create or modify under condition and user scope - target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser - - id: urn:restorecommerce:acs:names:roleScopingEntity - value: urn:restorecommerce:acs:model:user.User - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:modify - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:order.Order - effect: PERMIT - # NormalUser can only create or modify orders of no higher state than CREATED - condition: - " - (request) => request?.context?.resources?.every( - resource => resource.user_id === request.subject?.id - && ( - !resource.order_state - || resource.order_state?.toString() === 'UNRECOGNIZED' - || resource.order_state?.toString() === 'CREATED' - ) - ); - " - evaluationCacheable: false - contextQuery: - filters: [ ] - query: "" - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: user_scoped_order_delete_rule - name: Order delete rule for scoped User - description: Permits Order delete under condition and user scope - target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser - - id: urn:restorecommerce:acs:names:roleScopingEntity - value: urn:restorecommerce:acs:model:user.User - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:delete - resources: - - id: 
urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:order.Order - effect: PERMIT - # NormalUser can only delete orders of no higher state than CREATED - condition: - " - (request) => request?.context?.resources?.every( - resource => resource.user_id === request.subject?.id - && ( - !resource.order_state - || resource.order_state?.toString() === 'UNRECOGNIZED' - || resource.order_state?.toString() === 'CREATED' - ) - ); - " - evaluationCacheable: false - contextQuery: - filters: [ ] - query: "" - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: user_scoped_order_submit_rule - name: Order submit rule for scoped User - description: Permits Order submit under condition and user scope - target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser - - id: urn:restorecommerce:acs:names:roleScopingEntity - value: urn:restorecommerce:acs:model:user.User - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:execute - resources: - - id: urn:restorecommerce:acs:names:operation - value: execution.submitOrders - effect: PERMIT - # NormalUser can only submit orders of no higher state than CREATED - condition: - " - (request) => request?.context?.resources?.every( - resource => resource.user_id === request.subject?.id - && ( - !resource.order_state - || resource.order_state?.toString() === 'UNRECOGNIZED' - || resource.order_state?.toString() === 'CREATED' - ) - ); - " - evaluationCacheable: false - contextQuery: - filters: [ ] - query: "" - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - 
value: system ---- - id: user_scoped_order_withdraw_rule - name: Order withdraw rule for scoped User - description: Permits Order withdraw under condition and users hierarchical scope - target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: user-r-id # NormalUser - - id: urn:restorecommerce:acs:names:roleScopingEntity - value: urn:restorecommerce:acs:model:user.User - resources: - - id: urn:restorecommerce:acs:names:operation - value: execution.withdrawOrders - effect: PERMIT - # NormalUser can only withdraw SUBMITTED orders - condition: - " - (request) => request?.context?.resources?.every( - resource => resource.user_id === request.subject?.id - && resource.order_state?.toString() === 'SUBMITTED' - ); - " - evaluationCacheable: false - contextQuery: - filters: [ ] - query: "" - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: unauth_user_order_submit_rule - name: Order submit rule for scoped unauthenticated User - description: Permits Order submit under condition for unauthenticated Users - target: - subjects: - - id: urn:restorecommerce:acs:names:unauthenticated-user - value: "true" - resources: - - id: urn:restorecommerce:acs:names:operation - value: execution.submitOrders - effect: PERMIT - # NormalUser can only submit orders of no higher state than CREATED - condition: "" - evaluationCacheable: false - contextQuery: - filters: [ ] - query: "" - meta: - modifiedBy: "" - owners: - - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity - value: urn:restorecommerce:acs:model:organization.Organization - attributes: - - id: urn:restorecommerce:acs:names:ownerInstance - value: system ---- - id: org_scoped_customer_read_rule - name: Customer read rule for Organizational Scope - description: Permits any read if the resource is under an organizational 
hierarchical scope
- target:
- subjects:
- - id: urn:restorecommerce:acs:names:role
- value: user-r-id # NormalUser
- - id: urn:restorecommerce:acs:names:roleScopingEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- actions:
- - id: urn:oasis:names:tc:xacml:1.0:action:action-id
- value: urn:restorecommerce:acs:names:action:read
- resources:
- - id: urn:restorecommerce:acs:names:model:entity
- value: urn:restorecommerce:acs:model:customer.Customer
- effect: PERMIT
- condition: ""
- evaluationCacheable: false
- contextQuery:
- filters: [ ]
- query: ""
- meta:
- modifiedBy: ""
- owners:
- - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- attributes:
- - id: urn:restorecommerce:acs:names:ownerInstance
- value: system
----
- id: user_scoped_customer_read_rule
- name: Customer read rule for Independent User Scope
- description: Permits any read if the resource is under an user hierarchical scope
- target:
- subjects:
- - id: urn:restorecommerce:acs:names:role
- value: user-r-id # NormalUser
- - id: urn:restorecommerce:acs:names:roleScopingEntity
- value: urn:restorecommerce:acs:model:user.User
- actions:
- - id: urn:oasis:names:tc:xacml:1.0:action:action-id
- value: urn:restorecommerce:acs:names:action:read
- resources:
- - id: urn:restorecommerce:acs:names:model:entity
- value: urn:restorecommerce:acs:model:customer.Customer
- effect: PERMIT
- condition: ""
- evaluationCacheable: false
- contextQuery:
- filters: [ ]
- query: ""
- meta:
- modifiedBy: ""
- owners:
- - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- attributes:
- - id: urn:restorecommerce:acs:names:ownerInstance
- value: system
----
- id: org_scoped_shop_read_rule
- name: Shop read rule for Organizational Scope
- description: Permits any read if the resource is under an organizational hierarchical scope
- target:
- subjects:
- - id: urn:restorecommerce:acs:names:role
- value: user-r-id # NormalUser
- - id: urn:restorecommerce:acs:names:roleScopingEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- actions:
- - id: urn:oasis:names:tc:xacml:1.0:action:action-id
- value: urn:restorecommerce:acs:names:action:read
- resources:
- - id: urn:restorecommerce:acs:names:model:entity
- value: urn:restorecommerce:acs:model:shop.Shop
- effect: PERMIT
- condition: ""
- evaluationCacheable: false
- contextQuery:
- filters: [ ]
- query: ""
- meta:
- modifiedBy: ""
- owners:
- - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- attributes:
- - id: urn:restorecommerce:acs:names:ownerInstance
- value: system
----
- id: user_scoped_shop_read_rule
- name: Shop read rule for Independent User Scope
- description: Permits any read if the resource is under an user hierarchical scope
- target:
- subjects:
- - id: urn:restorecommerce:acs:names:role
- value: user-r-id # NormalUser
- - id: urn:restorecommerce:acs:names:roleScopingEntity
- value: urn:restorecommerce:acs:model:user.User
- actions:
- - id: urn:oasis:names:tc:xacml:1.0:action:action-id
- value: urn:restorecommerce:acs:names:action:read
- resources:
- - id: urn:restorecommerce:acs:names:model:entity
- value: urn:restorecommerce:acs:model:shop.Shop
- effect: PERMIT
- condition: ""
- evaluationCacheable: false
- contextQuery:
- filters: [ ]
- query: ""
- meta:
- modifiedBy: ""
- owners:
- - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- attributes:
- - id: urn:restorecommerce:acs:names:ownerInstance
- value: system
----
- id: normal_user_product_read_rule
- name: Product read rule
- description: Permits read for all users in any Organization or Independent user
- target:
- subjects:
- - id: urn:restorecommerce:acs:names:role
- value: user-r-id # NormalUser
- actions:
- - id: urn:oasis:names:tc:xacml:1.0:action:action-id
- value: urn:restorecommerce:acs:names:action:read
- resources:
- - id: urn:restorecommerce:acs:names:model:entity
- value: urn:restorecommerce:acs:model:product.Product
- effect: PERMIT
- condition: ""
- evaluationCacheable: false
- contextQuery:
- filters: [ ]
- query: ""
- meta:
- modifiedBy: ""
- owners:
- - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- attributes:
- - id: urn:restorecommerce:acs:names:ownerInstance
- value: system
----
- id: normal_user_manufacturer_read_rule
- name: Manufacturer read rule
- description: Permits read for all users in any Organization or Independent user
- target:
- subjects:
- - id: urn:restorecommerce:acs:names:role
- value: user-r-id # NormalUser
- actions:
- - id: urn:oasis:names:tc:xacml:1.0:action:action-id
- value: urn:restorecommerce:acs:names:action:read
- resources:
- - id: urn:restorecommerce:acs:names:model:entity
- value: urn:restorecommerce:acs:model:manufacturer.Manufacturer
- effect: PERMIT
- condition: ""
- evaluationCacheable: false
- contextQuery:
- filters: [ ]
- query: ""
- meta:
- modifiedBy: ""
- owners:
- - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- attributes:
- - id: urn:restorecommerce:acs:names:ownerInstance
- value: system
----
- id: normal_user_product_prototype_read_rule
- name: ProductPrototype read rule
- description: Permits read for all users in any Organization or Independent user
- target:
- subjects:
- - id: urn:restorecommerce:acs:names:role
- value: user-r-id # NormalUser
- actions:
- - id: urn:oasis:names:tc:xacml:1.0:action:action-id
- value: urn:restorecommerce:acs:names:action:read
- resources:
- - id: urn:restorecommerce:acs:names:model:entity
- value: urn:restorecommerce:acs:model:product_prototype.ProductPrototype
- effect: PERMIT
- condition: ""
- evaluationCacheable: false
- contextQuery:
- filters: [ ]
- query: ""
- meta:
- modifiedBy: ""
- owners:
- - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- attributes:
- - id: urn:restorecommerce:acs:names:ownerInstance
- value: system
----
- id: normal_user_product_category_read_rule
- name: ProductCategory read rule
- description: Permits read for all users in any Organization or Independent user
- target:
- subjects:
- - id: urn:restorecommerce:acs:names:role
- value: user-r-id # NormalUser
- actions:
- - id: urn:oasis:names:tc:xacml:1.0:action:action-id
- value: urn:restorecommerce:acs:names:action:read
- resources:
- - id: urn:restorecommerce:acs:names:model:entity
- value: urn:restorecommerce:acs:model:product_category.ProductCategory
- effect: PERMIT
- condition: ""
- evaluationCacheable: false
- contextQuery:
- filters: [ ]
- query: ""
- meta:
- modifiedBy: ""
- owners:
- - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- attributes:
- - id: urn:restorecommerce:acs:names:ownerInstance
- value: system
----
- id: normal_user_price_group_read_rule
- name: PriceGroup read rule
- description: Permits read for all users in any Organization or Independent user
- target:
- subjects:
- - id: urn:restorecommerce:acs:names:role
- value: user-r-id # NormalUser
- actions:
- - id: urn:oasis:names:tc:xacml:1.0:action:action-id
- value: urn:restorecommerce:acs:names:action:read
- resources:
- - id: urn:restorecommerce:acs:names:model:entity
- value: urn:restorecommerce:acs:model:price_group.PriceGroup
- effect: PERMIT
- condition: ""
- evaluationCacheable: false
- contextQuery:
- filters: [ ]
- query: ""
- meta:
- modifiedBy: ""
- owners:
- - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- attributes:
- - id: urn:restorecommerce:acs:names:ownerInstance
- value: system
----
- id: normal_user_ostorage_bucket_rule_scoped
- name: Object Storage rule
- description: Allows normal user to perform CRUD on Object storage data on his organization
- target:
- subjects:
- - id: urn:restorecommerce:acs:names:role
- value: user-r-id # Normal User
- - id: urn:restorecommerce:acs:names:roleScopingEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- resources:
- - id: urn:restorecommerce:acs:names:model:entity
- value: urn:restorecommerce:acs:model:ostorage.Ostorage
- actions: []
- effect: PERMIT
- condition: ""
- evaluationCacheable: false
- contextQuery:
- filters: [ ]
- query: ""
- meta:
- modifiedBy: ""
- owners:
- - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- attributes:
- - id: urn:restorecommerce:acs:names:ownerInstance
- value: system
----
- id: normal_user_token_create_rule_condition
- name: Token create rule
- description: Permit create access to the token resource owned by user
- target:
- subjects:
- - id: urn:restorecommerce:acs:names:role
- value: user-r-id
- resources:
- - id: urn:restorecommerce:acs:names:model:entity
- value: urn:restorecommerce:acs:model:token.Token
- actions:
- - id: urn:oasis:names:tc:xacml:1.0:action:action-id
- value: urn:restorecommerce:acs:names:action:create
- condition:
- "
- (request) => request?.context?.resources?.every(
- resource => resource?.meta?.owners?.some(
- owner => owner?.attributes?.some(
- attr => attr?.id === 'urn:restorecommerce:acs:names:ownerInstance' && attr?.value === request?.context.subject.id
- )
- )
- );
- "
- effect: PERMIT
- evaluationCacheable: true
- meta:
- owners:
- - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- attributes:
- - id: urn:restorecommerce:acs:names:ownerInstance
- value: system
----
- id: normal_user_token_modify_rule_condition
- name: Token modify rule
- description: Permit modify access to the token resource owned by user
- target:
- subjects:
- - id: urn:restorecommerce:acs:names:role
- value: user-r-id
- resources:
- - id: urn:restorecommerce:acs:names:model:entity
- value: urn:restorecommerce:acs:model:token.Token
- actions:
- - id: urn:oasis:names:tc:xacml:1.0:action:action-id
- value: urn:restorecommerce:acs:names:action:modify
- condition:
- "
- (request) => request?.context?.resources?.every(
- resource => resource?.meta?.owners?.some(
- owner => owner?.attributes?.some(
- attr => attr?.id === 'urn:restorecommerce:acs:names:ownerInstance' && attr?.value === request?.context?.subject?.id
- )
- )
- );
- "
- effect: PERMIT
- evaluationCacheable: true
- meta:
- owners:
- - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- attributes:
- - id: urn:restorecommerce:acs:names:ownerInstance
- value: system
----
- id: normal_user_token_delete_rule_condition
- name: Token delete rule
- description: Permit delete access to the token resource owned by user
- target:
- subjects:
- - id: urn:restorecommerce:acs:names:role
- value: user-r-id
- resources:
- - id: urn:restorecommerce:acs:names:model:entity
- value: urn:restorecommerce:acs:model:token.Token
- actions:
- - id: urn:oasis:names:tc:xacml:1.0:action:action-id
- value: urn:restorecommerce:acs:names:action:delete
- condition:
- "
- (request) => request?.context?.resources?.every(
- resource => resource?.meta?.owners?.some(
- owner => owner?.attributes?.some(
- attr => attr?.id === 'urn:restorecommerce:acs:names:ownerInstance' && attr?.value === request?.context?.subject?.id
- )
- )
- );
- "
- effect: PERMIT
- evaluationCacheable: true
- meta:
- owners:
- - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- attributes:
- - id: urn:restorecommerce:acs:names:ownerInstance
- value: system
----
- id: normal_user_token_read_rule_condition
- name: Token read rule
- description: Permit read access to the token resource owned by user
- target:
- subjects:
- - id: urn:restorecommerce:acs:names:role
- value: user-r-id
- resources:
- - id: urn:restorecommerce:acs:names:model:entity
- value: urn:restorecommerce:acs:model:token.Token
- actions:
- - id: urn:oasis:names:tc:xacml:1.0:action:action-id
- value: urn:restorecommerce:acs:names:action:read
- condition:
- "
- let filter = context?.subject?.id;
- filter;
- "
- effect: PERMIT
- evaluationCacheable: true
- meta:
- owners:
- - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- attributes:
- - id: urn:restorecommerce:acs:names:ownerInstance
- value: system
----
- id: unauth_user_internal_bucket_rule
- name: Object Storage rule for the internal bucket
- description: Allows unauthenticated-user to read Object storage data from the internal bucket
- target:
- subjects:
- - id: urn:restorecommerce:acs:names:unauthenticated-user
- value: "true"
- resources:
- - id: urn:restorecommerce:acs:names:model:entity
- value: urn:restorecommerce:acs:model:internal.Internal
- actions:
- - id: urn:oasis:names:tc:xacml:1.0:action:action-id
- value: urn:restorecommerce:acs:names:action:read
- effect: PERMIT
- meta:
- owners:
- - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
- value: urn:restorecommerce:acs:model:organization.Organization
- attributes:
- - id: urn:restorecommerce:acs:names:ownerInstance
- value: system
diff --git a/datasets/system/data/seed-data/users.yaml b/datasets/system/data/seed-data/users.yaml
index 26316d2..a490961 100644
--- a/datasets/system/data/seed-data/users.yaml
+++ b/datasets/system/data/seed-data/users.yaml
@@ -1,9 +1,9 @@
 ---
- id: tech_user
- name: tech_user
+ id: tech-user
+ name: tech-user
 firstName: Tech
 lastName: User
- email: tech_user@restorecommerce.io
+ email: tech-user@restorecommerce.io
 password: CNQJrH%KAayeDpf3h
 defaultScope: ""
 roleAssociations:
@@ -24,7 +24,7 @@
 value: urn:restorecommerce:acs:model:user.User
 attributes:
 - id: urn:restorecommerce:acs:names:ownerInstance
- value: tech_user
+ value: tech-user
 newEmail: ""
 active: true
 activationCode: ""
@@ -45,7 +45,7 @@
 invitedByUserFirstName: ""
 invitedByUserLastName: ""
 tokens:
- - name: tech_user_token
+ - name: access-token
 token: 123099ffc93b44f6b4a81b1e5589b642
 scopes:
 - superadministrator-r-role-assoc-id
\ No newline at end of file
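Review bot: The new side of the last hunk still ships a fixed, plaintext superadministrator credential: the renamed `access-token` entry keeps `token: 123099ffc93b44f6b4a81b1e5589b642` with `scopes: - superadministrator-r-role-assoc-id`, and the first hunk keeps a plaintext `password:` for the same account, so any environment seeded from this file as-is gets a well-known root token. If this dataset is intended for local demo use only, state that where the credential lives, e.g. a comment above `tokens:` such as `# demo-only credentials: rotate or inject from the environment before seeding anything non-local`; otherwise the seeding step should generate the token value rather than read a fixed one. The file also still ends without a trailing newline (`\ No newline at end of file`). The enclosing user record starts outside the hunk.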