fix: Add access to role read for normal users and admin users

restorecommerce · Mar 22, 2024 · d3fef43 · d3fef43
1 parent 2a01d39
commit d3fef43
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/datasets/system/data/seed-data/policies.yaml b/datasets/system/data/seed-data/policies.yaml
@@ -744,6 +744,8 @@
   rules:
     - superadministrator-permits-all
     - permit-read-strict-scoped
+    - normal-user-read-roles
+    - admin-user-read-roles
     - domainless-unauthenticated-permits-read-system
     - fallback-deny-all
   meta:

diff --git a/datasets/system/data/seed-data/rules.yaml b/datasets/system/data/seed-data/rules.yaml
@@ -831,6 +831,54 @@
     )
     "
   evaluationCacheable: false
+  meta:
+    modifiedBy: ""
+    owners:
+      - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
+        value: urn:restorecommerce:acs:model:organization.Organization
+        attributes:
+          - id: urn:restorecommerce:acs:names:ownerInstance
+            value: system
+---
+  id: normal-user-read-roles
+  name: Normal User Role read rule
+  description: Normal User should be allowed to read all Roles in system
+  target:
+    subjects:
+      - id: urn:restorecommerce:acs:names:role
+        value: user-r-id
+    resources:
+      - id: urn:restorecommerce:acs:names:model:entity
+        value: urn:restorecommerce:acs:model:role.Role
+    actions:
+      - id: urn:oasis:names:tc:xacml:1.0:action:action-id
+        value: urn:restorecommerce:acs:names:action:read
+  effect: PERMIT
+  evaluationCacheable: false
+  meta:
+    modifiedBy: ""
+    owners:
+      - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
+        value: urn:restorecommerce:acs:model:organization.Organization
+        attributes:
+          - id: urn:restorecommerce:acs:names:ownerInstance
+            value: system
+---
+  id: admin-user-read-roles
+  name: Admin User Role read rule
+  description: Admin User should be allowed to read all Roles in system
+  target:
+    subjects:
+      - id: urn:restorecommerce:acs:names:role
+        value: administrator-r-id
+    resources:
+      - id: urn:restorecommerce:acs:names:model:entity
+        value: urn:restorecommerce:acs:model:role.Role
+    actions:
+      - id: urn:oasis:names:tc:xacml:1.0:action:action-id
+        value: urn:restorecommerce:acs:names:action:read
+  effect: PERMIT
+  evaluationCacheable: false
   meta:
     modifiedBy: ""
     owners: