diff --git a/datasets/demo-shop/data/seed-data/users.yaml b/datasets/demo-shop/data/seed-data/users.yaml
index 381d79f..cd4285e 100644
--- a/datasets/demo-shop/data/seed-data/users.yaml
+++ b/datasets/demo-shop/data/seed-data/users.yaml
@@ -6,8 +6,8 @@
   email: unauthenticated.user@restorecommerce.io
   defaultScope: restorecommecre-demo-shops-organization
   roleAssociations:
-    - id: restorecommecre-demo-shops-organization-unauthenticated-user-r-id
-      role: unauthenticated-user-r-id
+    - id: restorecommecre-demo-shops-organization-unauthenticated-r-id
+      role: unauthenticated-r-id
     - id: restorecommecre-demo-shops-organization-customer-r-id
       role: customer-r-id
       attributes:
diff --git a/datasets/system/data/seed-data/policies.yaml b/datasets/system/data/seed-data/policies.yaml
index cc9fb16..e3a5496 100644
--- a/datasets/system/data/seed-data/policies.yaml
+++ b/datasets/system/data/seed-data/policies.yaml
@@ -1,15 +1,17 @@
 ---
-  id: fallback-policy
-  name: Fallback Policy
-  description: Fallback to Deny
+  id: superadministrator-policy
+  name: Super Administrator Policy
+  description: Permit all to Super Administrator
   evaluationCacheable: false
-  effect: DENY
+  effect: PERMIT
   target:
-    resources: []
-    actions: []
-    subjects: []
+    resources: [ ]
+    actions: [ ]
+    subjects:
+      - id: urn:restorecommerce:acs:names:role
+        value: superadministrator-r-id
   rules:
-    - fallback-rule
+    - fallback-permit-all
   meta:
     modifiedBy: ""
     owners:
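Review bot: The removed `fallback-policy` was the only DENY policy with an empty target, and on the new side nothing in this file or in `system-policy-set` takes over that role; `fallback-deny-all` is only listed inside policies whose target names one entity or one operation. A request for a resource or operation that no policy targets therefore gets no decision from any policy, and whether the ACS turns "no applicable policy" into a deny is not visible in this diff. Unless the service is known to default to DENY, keep a terminal catch-all DENY policy in the set, and state the reliance where the next maintainer will see it, e.g. `description: Permit all to Super Administrator (the set has no catch-all deny; ACS must default to DENY for untargeted requests)`.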
@@ -20,19 +22,26 @@ value: system combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides --- - id: superadministrator-policy - name: Superadministrator Policy - description: Policies for Superadmin + id: address-policy + name: Address Policy + description: Policy for resource Address evaluationCacheable: false effect: PERMIT target: - resources: [] - actions: [] - subjects: - - id: urn:restorecommerce:acs:names:role - value: superadministrator-r-id + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:address.Address rules: - - superadmin-rule + - administrator-permit-all-scoped + - sales-permit-all-scoped + - moderator-permit-all-scoped + - member-permit-read-scoped + - customer-permit-read-scoped + - user-permit-all-owned + - everyone-permit-read-system + - fallback-deny-all meta: modifiedBy: "" owners: @@ -43,21 +52,19 @@ value: system combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides --- - id: administrator-policy - name: Administrator Policy - description: Policies for Admin + id: command-policy + name: Command Policy + description: Policy for resource Command evaluationCacheable: false effect: PERMIT target: - resources: [] - actions: [] - subjects: - - id: urn:restorecommerce:acs:names:role - value: administrator-r-id + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:command.Command rules: - - administrator-rule - - admin-system-roles-read-rule - - admin-orga-roles-read-rule + - fallback-deny-all meta: modifiedBy: "" owners: 
@@ -68,21 +75,25 @@ value: system combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides --- - id: moderator-policy - name: Moderator Policy - description: Policies for Moderator + id: contact-point-type-policy + name: ContactPointType Policy + description: Policy for resource ContactPointType evaluationCacheable: false effect: PERMIT target: - resources: [] - actions: [] - subjects: - - id: urn:restorecommerce:acs:names:role - value: moderator-r-id + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:contact_point_type.ContactPointType rules: - - moderator-organization-user-read-create-rule - - moderator-organization-resource-read-modify-rule - - moderator-organization-order-read-rule + - administrator-permit-all-scoped + - sales-permit-read-scoped + - moderator-permit-read-scoped + - member-permit-read-scoped + - customer-permit-read-scoped + - everyone-permit-read-system + - fallback-deny-all meta: modifiedBy: "" owners: 
@@ -93,20 +104,84 @@ value: system combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides --- - id: member-policy - name: Member Policy - description: Policies for Member + id: contact-point-policy + name: ContactPoint Policy + description: Policy for resource ContactPoint evaluationCacheable: false effect: PERMIT target: - resources: [] - actions: [] - subjects: - - id: urn:restorecommerce:acs:names:role - value: member-r-id + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:contact_point.ContactPoint rules: - - member-organization-resource-read-rule - - member-ostorage-bucket-modify-rule + - administrator-permit-all-scoped + - sales-permit-all-scoped + - moderator-permit-all-scoped + - member-permit-read-scoped + - customer-permit-read-scoped + - user-permit-all-owned + - everyone-permit-read-system + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: country-policy + name: Country Policy + description: Policy for resource Country + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:country.Country + rules: + - administrator-permit-all-scoped + - sales-permit-read-scoped + - moderator-permit-read-scoped + - member-permit-read-scoped + - customer-permit-read-scoped + - everyone-permit-read-system + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: 
urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: currency-policy + name: Currency Policy + description: Policy for resource Currency + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:currency.Currency + rules: + - administrator-permit-all-scoped + - sales-permit-read-scoped + - moderator-permit-read-scoped + - member-permit-read-scoped + - customer-permit-read-scoped + - everyone-permit-read-system + - fallback-deny-all meta: modifiedBy: "" owners: @@ -119,19 +194,23 @@ --- id: customer-policy name: Customer Policy - description: Policies for Customer + description: Policy for resource Customer evaluationCacheable: false effect: PERMIT target: - resources: [] - actions: [] - subjects: - - id: urn:restorecommerce:acs:names:role - value: customer-r-id + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:customer.Customer rules: - - customer-organization-resource-read-rule - - customer-order-submit-rule - - customer-order-withdraw-rule + - administrator-permit-all-scoped + - sales-permit-read-scoped + - moderator-permit-all-scoped + - member-permit-read-scoped + - user-permit-create-owned + - user-permit-read-owned + - fallback-deny-all meta: modifiedBy: "" owners: 
@@ -142,21 +221,22 @@ value: system combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides --- - id: user-policy - name: User Policy - description: Policies for User + id: fulfillment-courier-policy + name: FulfillmentCourier Policy + description: Policy for resource FulfillmentCourier evaluationCacheable: false effect: PERMIT target: - resources: [] - actions: [] - subjects: - - id: urn:restorecommerce:acs:names:role - value: user-r-id + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:fulfillment_courier.FulfillmentCounrier rules: - - user-owned-resource-read-modify-rule - - user-user-read-modify-rule - - user-order-read-modify-rule + - administrator-permit-all-scoped + - sales-permit-read-scoped + - customer-permit-read-scoped + - fallback-deny-all meta: modifiedBy: "" owners: 
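Review bot: The resource target `value: urn:restorecommerce:acs:model:fulfillment_courier.FulfillmentCounrier` is misspelled (`Counrier`), so `fulfillment-courier-policy` will never match the real FulfillmentCourier entity and none of its rules, including `fallback-deny-all`, apply to it; what happens to such requests then depends on how the ACS treats a request no policy targets. Fix the URN: `value: urn:restorecommerce:acs:model:fulfillment_courier.FulfillmentCourier`. Seed files of this size would benefit from a CI check that every `model:entity` value in policies.yaml names a known entity and every id under `rules:` exists in rules.yaml, since a typo here fails silently.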
@@ -167,18 +247,673 @@ value: system combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides --- - id: everyone-policy - name: Everyone Policy - description: Policies for Everyone + id: fulfillment-product-policy + name: FulfillmentProduct Policy + description: Policy for resource FulfillmentProduct + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:fulfillment_product.FulfillmentProduct + rules: + - administrator-permit-all-scoped + - sales-permit-read-scoped + - customer-permit-read-scoped + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: fulfillment-policy + name: Fulfillment Policy + description: Policy for resource Fulfillment + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:fulfillment.Fulfillment + rules: + - administrator-permit-all-scoped + - sales-permit-all-scoped + - moderator-permit-read-scoped + - user-permit-read-owned + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: invoice-policy + name: Invoice Policy + description: Policy for resource Invoice + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] 
+ subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:invoice.Invoice + rules: + - administrator-permit-all-scoped + - sales-permit-all-scoped + - moderator-permit-read-scoped + - user-permit-read-owned + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: locale-policy + name: Locale Policy + description: Policy for resource Locale + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:locale.Locale + rules: + - administrator-permit-all-scoped + - sales-permit-read-scoped + - moderator-permit-read-scoped + - member-permit-read-scoped + - customer-permit-read-scoped + - everyone-permit-read-system + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: manufacturer-policy + name: Manufacturer Policy + description: Policy for resource Manufacturer + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:manufacturer.Manufacturer + rules: + - administrator-permit-all-scoped + - sales-permit-all-scoped + - customer-permit-read-scoped + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: 
urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: order-policy + name: Order Policy + description: Policy for resource Order + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:order.Order + rules: + - administrator-permit-all-scoped + - sales-permit-read-scoped + - moderator-permit-read-scoped + - user-permit-read-owned + - user-permit-modify-owned-order + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: order-submit-policy + name: Order Submit Policy + description: Policy for operation Submit Orders + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:operation + value: execution.submitOrders + rules: + - require-order-state-created + - administrator-permit-all-scoped + - customer-permit-all-scoped + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides +--- + id: order-withdraw-policy + name: Order Withdraw Policy + description: Policy for operation Withdraw Orders + evaluationCacheable: false + effect: PERMIT + 
target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:operation + value: execution.withdrawOrders + rules: + - requier-order-state-submitted + - administrator-permit-all-scoped + - sales-permit-all-scoped + - moderator-permit-all-scoped + - user-permit-all-owned + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides +--- + id: order-cancel-policy + name: Order Cancel Policy + description: Policy for operation Cancel Orders + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:operation + value: execution.cancelOrders + rules: + - requier-order-state-withdrawn + - administrator-permit-all-scoped + - sales-permit-all-scoped + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides +--- + id: organization-policy + name: Organization Policy + description: Policy for resource Organization + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:organization.Organization + rules: + - administrator-permit-all-scoped + - moderator-permit-create-scoped + - moderator-permit-update-scoped + - moderator-permit-read-scoped + - member-permit-read-scoped + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: 
urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: ostorage-policy + name: Ostorage Policy + description: Policy for resource Ostorage + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:ostorage.Ostorage + rules: + - administrator-permit-all-scoped + - sales-permit-all-scoped + - moderator-permit-all-scoped + - member-permit-read-scoped + - user-permit-all-owned + - everyone-permit-read-system + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: payment-method-policy + name: PaymentMethod Policy + description: Policy for resource the PaymentMethod + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:payment_method.PaymentMethod + rules: + - administrator-permit-all-scoped + - sales-permit-read-scoped + - customer-permit-read-scoped + - everyone-permit-read-system + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: payment-policy + name: Payment Policy + description: Policy for resource 
the Payment + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:payment.Payment + rules: + - administrator-permit-all-scoped + - sales-permit-read-scoped + - moderator-permit-read-scoped + - user-permit-read-owned + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: price-group-policy + name: PriceGroup Policy + description: Policy for resource PriceGroup + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:price_group.PriceGroup + rules: + - administrator-permit-all-scoped + - sales-permit-all-scoped + - customer-permit-read-scoped + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: product-category-policy + name: ProductCategory Policy + description: Policy for resource ProductCategory + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:product_category.ProductCategory + rules: + - administrator-permit-all-scoped + - sales-permit-all-scoped + - customer-permit-read-scoped + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: 
urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: product-prototype-policy + name: ProductPrototype Policy + description: Policy for resource the ProductPrototype + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:product_prototype.ProductPrototype + rules: + - administrator-permit-all-scoped + - sales-permit-all-scoped + - customer-permit-read-scoped + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: product-policy + name: Product Policy + description: Policy for resource Product + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:product.Product + rules: + - administrator-permit-all-scoped + - sales-permit-all-scoped + - customer-permit-read-scoped + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: role-policy + name: Role Policy + description: Policy for resource Role + evaluationCacheable: false + effect: PERMIT + 
target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:role.Role + rules: + - administrator-permit-read-scoped + - sales-permit-read-scoped + - moderator-permit-read-scoped + - member-permit-read-scoped + - customer-permit-read-scoped + - user-permit-read-scoped + - everyone-permit-read-system + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: shop-policy + name: Shop Policy + description: Policy for resource Shop + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:shop.Shop + rules: + - administrator-permit-all-scoped + - sales-permit-all-scoped + - customer-permit-read-scoped + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: tax-type-policy + name: TaxType Policy + description: Policy for resource TaxType + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:tax_type.TaxType + rules: + - administrator-permit-all-scoped + - sales-permit-read-scoped + - customer-permit-read-scoped + - everyone-permit-read-system + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: 
urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: tax-policy + name: Tax Policy + description: Policy for resource Tax + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:tax.Tax + rules: + - administrator-permit-all-scoped + - sales-permit-read-scoped + - customer-permit-read-scoped + - everyone-permit-read-system + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: timezone-policy + name: Timezone Policy + description: Policy for resource Timezone + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:timezone.Timezone + rules: + - administrator-permit-all-scoped + - sales-permit-read-scoped + - moderator-permit-read-scoped + - member-permit-read-scoped + - customer-permit-read-scoped + - everyone-permit-read-system + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: token-policy + name: Token Policy + description: Policy for 
resource Token + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:token.Token + rules: + - user-permit-all-owned + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: unit-code-policy + name: UnitCode Policy + description: Policy for resource UnitCode + evaluationCacheable: false + effect: PERMIT + target: + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:unit_code.UnitCode + rules: + - administrator-permit-all-scoped + - sales-permit-read-scoped + - customer-permit-read-scoped + - everyone-permit-read-system + - fallback-deny-all + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides +--- + id: user-policy + name: User Policy + description: Policy for resource User evaluationCacheable: false effect: PERMIT target: - resources: [] - actions: [] - subjects: [] + actions: [ ] + subjects: [ ] + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:user.User rules: - - everyone-own-token-read-modify-rule - - everyone-system-resource-read-rule + - administrator-permit-all-scoped + - sales-permit-read-scoped + - moderator-permit-create-scoped + - moderator-permit-read-scoped + - member-permit-read-scoped + - 
user-permit-read-owned
+    - user-permit-update-owned
+    - unauthenticated-permit-create-strict-scope
+    - everyone-permit-reset-password
+    - fallback-deny-all
   meta:
     modifiedBy: ""
     owners:
diff --git a/datasets/system/data/seed-data/policy_sets.yaml b/datasets/system/data/seed-data/policy_sets.yaml
index a102e50..def0b58 100644
--- a/datasets/system/data/seed-data/policy_sets.yaml
+++ b/datasets/system/data/seed-data/policy_sets.yaml
@@ -1,20 +1,47 @@
 ---
-  id: system-policies
+  id: system-policy-set
   name: System Policy Set
-  description: Contains all policies from RestoreCommerce
+  description: Contains all policies for Restorecommerce
   combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides
   target:
-    resources: []
-    subjects: []
-    actions: []
+    actions: [ ]
+    subjects: [ ]
+    resources: [ ]
   policies:
     - superadministrator-policy
-    - administrator-policy
-    - moderator-policy
-    - member-policy
+    - address-policy
+    - command-policy
+    - contact-point-type-policy
+    - contact-point-policy
+    - country-policy
+    - currency-policy
     - customer-policy
+    - fulfillment-courier-policy
+    - fulfillment-product-policy
+    - fulfillment-policy
+    - invoice-policy
+    - locale-policy
+    - manufacturer-policy
+    - order-policy
+    - order-submit-policy
+    - order-withdraw-policy
+    - order-cancel-policy
+    - organization-policy
+    - ostorage-policy
+    - payment-method-policy
+    - payment-policy
+    - price-group-policy
+    - product-category-policy
+    - product-prototype-policy
+    - product-policy
+    - role-policy
+    - shop-policy
+    - tax-type-policy
+    - tax-policy
+    - timezone-policy
+    - token-policy
+    - unit-code-policy
     - user-policy
-    - everyone-policy
   meta:
     modifiedBy: ""
     owners:
@@ -22,4 +49,4 @@
         value: urn:restorecommerce:acs:model:organization.Organization
         attributes:
           - id: urn:restorecommerce:acs:names:ownerInstance
-            value: system
+            value: system
\ No newline at end of file
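Review bot: `order-withdraw-policy` and `order-cancel-policy` reference `requier-order-state-submitted` and `requier-order-state-withdrawn`, while `order-submit-policy` spells its precondition `require-order-state-created`; unless rules.yaml deliberately defines the `requier-` spellings, those two references dangle and withdraw/cancel are decided by the role rules alone, losing exactly the order-state check that the `deny-overrides` combining on these three policies exists to enforce. Rename them to `require-order-state-submitted` and `require-order-state-withdrawn`. The three operation policies are also the only ones without a `fallback-deny-all` rule, and `order-submit-policy` grants `customer-permit-all-scoped` while the seeded unauthenticated user in users.yaml still carries `customer-r-id`; confirm that an anonymous session submitting orders is intended for the demo data.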
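Review bot: `system-policy-set` combines its policies with `deny-overrides`, yet every entity policy it lists ends in `fallback-deny-all` under `permit-overrides`; read literally per XACML, a superadministrator reading an Address gets PERMIT from `superadministrator-policy` but DENY from `address-policy` (no permit rule there targets the superadministrator role), and the DENY wins. The previous set had the same shape with `fallback-policy`, so the ACS presumably resolves this differently, but nothing in the diff shows how. Once confirmed, record it next to the algorithm, e.g. `combiningAlgorithm: ... # ACS applies this only across policies whose target matches; see ACS docs`, and add a seed-data smoke test that a superadministrator can read a seeded Address while the unauthenticated user cannot update one.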
diff --git a/datasets/system/data/seed-data/roles.yaml b/datasets/system/data/seed-data/roles.yaml
index 167a6fd..b8ec5df 100644
--- a/datasets/system/data/seed-data/roles.yaml
+++ b/datasets/system/data/seed-data/roles.yaml
@@ -15,7 +15,22 @@
 ---
   id: administrator-r-id
   name: Administrator
-  description: can read and write within his organization scope
+  description: can read and write within organization scope
+  assignableByRoles:
+    - superadministrator-r-id
+    - administrator-r-id
+  meta:
+    modifiedBy: ""
+    owners:
+      - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity
+        value: urn:restorecommerce:acs:model:organization.Organization
+        attributes:
+          - id: urn:restorecommerce:acs:names:ownerInstance
+            value: system
+---
+  id: sales-r-id
+  name: Sales
+  description: can read and write within shop organization scope
   assignableByRoles:
     - superadministrator-r-id
     - administrator-r-id
@@ -30,7 +45,7 @@
 ---
   id: moderator-r-id
   name: Moderator
-  description: can create and delete users within his organization scope
+  description: can create and delete users within organization scope
   assignableByRoles:
     - superadministrator-r-id
     - administrator-r-id
@@ -92,8 +107,8 @@
           - id: urn:restorecommerce:acs:names:ownerInstance
             value: system
 ---
-  id: unauthenticated-user-r-id
-  name: unauthenticated-user
+  id: unauthenticated-r-id
+  name: unauthenticated
   description: actions for unauthenticated users
   assignableByRoles:
     - superadministrator-r-id
diff --git a/datasets/system/data/seed-data/rules.yaml b/datasets/system/data/seed-data/rules.yaml
index 2524d9d..e19f5d7 100644
--- a/datasets/system/data/seed-data/rules.yaml
+++ b/datasets/system/data/seed-data/rules.yaml
@@ -1,16 +1,16 @@ --- - id: fallback-rule - name: Fallback rule - description: Fallback to Deny + id: fallback-deny-all + name: Fallback Deny All + description: Fallback to Deny all effect: DENY target: - subjects: [] - actions: [] - resources: [] + subjects: [ ] + actions: [ ] + resources: [ ] condition: "" evaluationCacheable: false contextQuery: - filters: [] + filters: [ ] query: "" meta: modifiedBy: "" @@ -21,20 +21,18 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: superadmin-rule - name: SuperAdmins Rule - description: Permit anything by SuperAdmins (fallback rule) - target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: superadministrator-r-id - actions: [] - resources: [] + id: fallback-permit-all + name: Fallback Permit All + description: Fallback to Permit all effect: PERMIT + target: + subjects: [ ] + actions: [ ] + resources: [ ] condition: "" evaluationCacheable: false contextQuery: - filters: [] + filters: [ ] query: "" meta: modifiedBy: "" @@ -45,22 +43,22 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: administrator-rule - name: Admin Rule - description: Permits all if subject is Admin within the hierarchical scope + id: administrator-permit-all-scoped + name: Admin Permit All Rule + description: Permits all if subject is Admin within hierarchical scope target: subjects: - id: urn:restorecommerce:acs:names:role value: administrator-r-id - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization - actions: [] - resources: [] + actions: [ ] + resources: [ ] effect: PERMIT condition: "" evaluationCacheable: false contextQuery: - filters: [] + filters: [ ] query: "" meta: modifiedBy: "" 
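Review bot: `fallback-permit-all` is a PERMIT rule with an empty target and empty condition, so it matches every subject, action and resource; the only thing that keeps it superadministrator-only is the target of the policy that references it. The removed `superadmin-rule` carried the role restriction in the rule itself, so anyone adding this rule id to another policy's `rules:` list now grants everything to everyone. Keep the restriction in the rule as defence in depth — `subjects:` / `- id: urn:restorecommerce:acs:names:role` / `value: superadministrator-r-id` — and rename it away from "fallback", which suggests a safe default rather than a blanket grant.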
@@ -71,40 +69,24 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: admin-system-roles-read-rule - name: Admin system role read rule - description: Allows Admin to read all Roles in system + id: administrator-permit-read-scoped + name: Admin Permit Read Rule + description: Permits read if subject is Admin within hierarchical scope target: + resources: [ ] subjects: - id: urn:restorecommerce:acs:names:role value: administrator-r-id + - id: urn:restorecommerce:acs:names:roleScopingEntity + value: urn:restorecommerce:acs:model:organization.Organization actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:read - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:role.Role effect: PERMIT - condition: - " - (request) => request?.context?.resources?.every( - resource => resource.meta?.owners?.some( - owner => ( - owner.id === 'urn:restorecommerce:acs:names:ownerIndicatoryEntity' - && owner.value === 'urn:restorecommerce:acs:model:organization.Organization' - && owner.attributes?.some( - att => ( - att.id === 'urn:restorecommerce:acs:names:ownerInstance' - && att.value === 'system' - ) - ) - ) - ) - ); - " + condition: "" evaluationCacheable: false contextQuery: - filters: [] + filters: [ ] query: "" meta: modifiedBy: "" 
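Review bot: `administrator-permit-read-scoped` drops the removed ownership condition together with the `role.Role` resource target, so the rule now only says "admin may read within organization scope" and no longer covers the case the old rule existed for: roles owned by `system`, which sit outside any administrator's organization scope. Whether administrators can still list system roles now depends on `everyone-permit-read-system` being listed in role-policy, which is not visible in this diff. If that is the intent, a comment such as `# system-owned roles are readable via everyone-permit-read-system in role-policy` on this rule would make the dependency explicit.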
@@ -115,26 +97,22 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: admin-orga-roles-read-rule - name: Admin orga role read rule - description: Allows Admin to read all Roles in orga scope + id: sales-permit-all-scoped + name: Sales Permit All Rule + description: Permits all if subject is Sales within hierarchical scope target: subjects: - id: urn:restorecommerce:acs:names:role - value: administrator-r-id + value: sales-r-id - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:read - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:role.Role + actions: [ ] + resources: [ ] effect: PERMIT condition: "" evaluationCacheable: false contextQuery: - filters: [] + filters: [ ] query: "" meta: modifiedBy: "" 
@@ -145,30 +123,24 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: moderator-organization-user-read-create-rule - name: Moderator Organization User read create rule - description: Permits actions on users in organizational scope + id: sales-permit-read-scoped + name: Sales Permit Read Rule + description: Permits read if subject is Sales within hierarchical scope target: + resources: [ ] subjects: - id: urn:restorecommerce:acs:names:role - value: moderator-r-id + value: sales-r-id - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:read - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:create - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:delete - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:user.User effect: PERMIT condition: "" evaluationCacheable: false contextQuery: - filters: [] + filters: [ ] query: "" meta: modifiedBy: "" 
@@ -179,38 +151,22 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: moderator-organization-resource-read-modify-rule - name: Moderator Organization Resource read modify rule - description: Permits read on resources in organizational scope + id: moderator-permit-all-scoped + name: Moderator Permit All Rule + description: Permits all if subject is Moderator within hierarchical scope target: subjects: - id: urn:restorecommerce:acs:names:role value: moderator-r-id - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:read - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:modify - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:organization.Organization - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:customer.Customer - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:contact_point.ContactPoint - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:address.Address - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:ostorage.Ostorage - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:internal.Internal + actions: [ ] + resources: [ ] effect: PERMIT condition: "" evaluationCacheable: false contextQuery: - filters: [] + filters: [ ] query: "" meta: modifiedBy: "" 
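Review bot: `moderator-permit-all-scoped` widens the moderator from read/modify on an explicit entity list to every action on every resource within organization scope, with the entity restriction now living only in whichever policies reference the rule. roles.yaml in this same change still describes the moderator as "can create and delete users within organization scope", and address-policy already references this rule, so the role description and the effective grant no longer agree. Either tighten the policies that reference it or, if moderators are meant to be scoped administrators, say so in roles.yaml: `description: can read and write within organization scope (granted per resource policy via moderator-permit-all-scoped)`.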
@@ -221,10 +177,11 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: moderator-organization-order-read-rule - name: Moderator Organization Order read rule - description: Permits read on orders in organizational scope + id: moderator-permit-read-scoped + name: Moderator Permit Read Rule + description: Permits read if subject is Moderator within hierarchical scope target: + resources: [ ] subjects: - id: urn:restorecommerce:acs:names:role value: moderator-r-id @@ -233,14 +190,11 @@ actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:read - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:order.Order effect: PERMIT condition: "" evaluationCacheable: false contextQuery: - filters: [] + filters: [ ] query: "" meta: modifiedBy: "" 
@@ -251,50 +205,24 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: member-organization-resource-read-rule - name: Member Organization Resource read rule - description: Permits read if the resource is in organizational scope + id: moderator-permit-create-scoped + name: Moderator Permit Create Rule + description: Permits create if subject is Moderator within hierarchical scope target: + resources: [ ] subjects: - id: urn:restorecommerce:acs:names:role - value: member-r-id + value: moderator-r-id - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:read - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:organization.Organization - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:customer.Customer - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:contact_point_type.ContactPointType - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:contact_point.ContactPoint - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:country.Country - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:address.Address - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:locale.Locale - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:timezone.Timezone - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:tax_type.TaxType - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:tax.Tax - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:unit_code.UnitCode - - id: 
urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:ostorage.Ostorage - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:internal.Internal + value: urn:restorecommerce:acs:names:action:create effect: PERMIT condition: "" evaluationCacheable: false contextQuery: - filters: [] + filters: [ ] query: "" meta: modifiedBy: "" @@ -305,42 +233,24 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: member-ostorage-bucket-modify-rule - name: Object Storage rule - description: Allows members to perform Modify on Object storage data on his organization + id: moderator-permit-update-scoped + name: Moderator Permit Update Rule + description: Permits update if subject is Moderator within hierarchical scope target: + resources: [ ] subjects: - id: urn:restorecommerce:acs:names:role - value: member-r-id + value: moderator-r-id - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:ostorage.Ostorage actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:modify + value: urn:restorecommerce:acs:names:action:update effect: PERMIT - condition: - " - (request) => request?.context?.resources?.every( - resource => resource.meta?.owners?.some( - owner => ( - owner.id === 'urn:restorecommerce:acs:names:ownerIndicatoryEntity' - && owner.value === 'urn:restorecommerce:acs:model:organization.Organization' - && owner.attributes?.some( - att => ( - att.id === 'urn:restorecommerce:acs:names:ownerInstance' - && att.value === context?.subject?.id - ) - ) - ) - ) - ); - " + condition: "" evaluationCacheable: false contextQuery: - filters: [] + filters: [ ] query: "" meta: modifiedBy: "" 
@@ -351,60 +261,24 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: customer-organization-resource-read-rule - name: Customer Organization Resource read rule - description: Permits any read if the resource is in organizational scope + id: member-permit-read-scoped + name: Member Permit Read Rule + description: Permits read if subject is Member within hierarchical scope target: + resources: [ ] subjects: - id: urn:restorecommerce:acs:names:role - value: customer-r-id + value: member-r-id - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:read - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:organization.Organization - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:customer.Customer - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:shop.Shop - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:contact_point_type.ContactPointType - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:contact_point.ContactPoint - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:country.Country - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:address.Address - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:locale.Locale - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:timezone.Timezone - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:tax_type.TaxType - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:tax.Tax - - id: 
urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:unit_code.UnitCode - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:manufacturer:Manufacturer - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:price_groupe:PriceGroup - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:product_category:ProductCategory - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:product:Product - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:ostorage.Ostorage - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:internal.Internal effect: PERMIT condition: "" evaluationCacheable: false contextQuery: - filters: [] + filters: [ ] query: "" meta: modifiedBy: "" 
@@ -415,38 +289,22 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: customer-order-submit-rule - name: Customer Order Submit rule - description: Permits to submit orders in organizational scope + id: customer-permit-all-scoped + name: Customer Permit All Rule + description: Permits all if subject is Customer within hierarchical scope target: subjects: - id: urn:restorecommerce:acs:names:role value: customer-r-id - id: urn:restorecommerce:acs:names:roleScopingEntity value: urn:restorecommerce:acs:model:organization.Organization - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:execute - resources: - - id: urn:restorecommerce:acs:names:operation - value: execution.submitOrders + actions: [ ] + resources: [ ] effect: PERMIT - condition: - " - (request) => request?.context?.resources?.every( - resource => ( - resource.user_id === context?.subject?.id - && ( - !resource.order_state - || resource.order_state?.toString() === 'UNRECOGNIZED' - || resource.order_state?.toString() === 'CREATED' - ) - ) - ); - " + condition: "" evaluationCacheable: false contextQuery: - filters: [] + filters: [ ] query: "" meta: modifiedBy: "" @@ -457,10 +315,11 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: customer-order-withdraw-rule - name: Customer Order Withdraw Rule - description: Permits Order withdraw under condition and organizational hierarchical scope + id: customer-permit-read-scoped + name: Customer Permit Read Rule + description: Permits read if subject is Customer within hierarchical scope target: + resources: [ ] subjects: - id: urn:restorecommerce:acs:names:role value: customer-r-id 
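Review bot: The removed `customer-order-submit-rule` condition checked `resource.user_id === context?.subject?.id`, and no rule in this diff reinstates a per-customer ownership check for orders; `customer-permit-all-scoped` permits every action on every resource to any customer within the organization scope. Since customers of the same shop share that scope, any policy that references this rule (order-submit-policy and friends are listed in the set but not visible here) would let one customer submit or read another customer's orders, with only the order-state deny rules as a guard. Unless order ownership is enforced elsewhere through `user-permit-all-owned` and meta.owners, this rule should carry the ownership condition, or the order policies should reference `customer-permit-read-scoped` instead.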
@@ -468,17 +327,46 @@ value: urn:restorecommerce:acs:model:organization.Organization actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:execute - resources: - - id: urn:restorecommerce:acs:names:operation - value: execution.withdrawOrders + value: urn:restorecommerce:acs:names:action:read + effect: PERMIT + condition: "" + evaluationCacheable: false + contextQuery: + filters: [ ] + query: "" + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system +--- + id: user-permit-all-owned + name: User Permit All Owned + description: Permits all if resource is owned by subject + target: + subjects: + - id: urn:restorecommerce:acs:names:role + value: user-r-id + actions: [ ] + resources: [ ] effect: PERMIT condition: " (request) => request?.context?.resources?.every( - resource => ( - resource.user_id === context?.subject?.id - && resource.order_state?.toString() === 'SUBMITTED' + resource => resource.meta?.owners?.some( + owner => ( + owner.id === 'urn:restorecommerce:acs:names:ownerIndicatoryEntity' + && owner.value === 'urn:restorecommerce:acs:model:organization.Organization' + && owner.attributes?.some( + att => ( + att.id === 'urn:restorecommerce:acs:names:ownerInstance' + && att.value === context?.subject?.id + ) + ) + ) ) ); " 
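Review bot: The ownership condition in `user-permit-all-owned` uses `Array.prototype.every`, which returns true for an empty array, so a request whose `context.resources` is empty (bulk reads by filter, or ids the PEP could not resolve) passes as "owned" and, with empty `actions`/`resources` targets, is permitted for every action. Guard the empty case explicitly: `(request) => (request?.context?.resources?.length > 0) && request.context.resources.every(`. Separately, the check accepts only owners whose indicatory entity is `organization.Organization` while comparing the instance to `context.subject.id`; if user-owned resources are tagged with `user.User` as the indicatory entity (the convention is not visible here), this never matches — worth confirming against the resources user-policy is meant to cover.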
@@ -495,31 +383,17 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: user-owned-resource-read-modify-rule - name: User owned Resource read modify rule - description: Permits read modify on owned resources + id: user-permit-update-owned + name: User Permit Update Owned + description: Permits update if resource is owned by subject target: subjects: - id: urn:restorecommerce:acs:names:role value: user-r-id actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:read - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:modify - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:organization.Organization - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:customer.Customer - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:contact_point.ContactPoint - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:address.Address - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:ostorage.Ostorage - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:internal.Internal + value: urn:restorecommerce:acs:names:action:update + resources: [ ] effect: PERMIT condition: " @@ -540,7 +414,7 @@ " evaluationCacheable: false contextQuery: - filters: [] + filters: [ ] query: "" meta: modifiedBy: "" 
@@ -551,23 +425,35 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: user-user-read-modify-rule - name: User Account Rule - description: Permits actions by any User on its own account data + id: user-permit-read-owned + name: User Permit Read Owned + description: Permits read if resource is owned by subject target: subjects: - id: urn:restorecommerce:acs:names:role - value: user-r-id # Normal User - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:user.User + value: user-r-id actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:read - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:modify - condition: "context?.subject?.id" + resources: [ ] effect: PERMIT + condition: + " + (request) => request?.context?.resources?.every( + resource => resource.meta?.owners?.some( + owner => ( + owner.id === 'urn:restorecommerce:acs:names:ownerIndicatoryEntity' + && owner.value === 'urn:restorecommerce:acs:model:organization.Organization' + && owner.attributes?.some( + att => ( + att.id === 'urn:restorecommerce:acs:names:ownerInstance' + && att.value === context?.subject?.id + ) + ) + ) + ) + ); + " evaluationCacheable: false contextQuery: filters: [ ] 
@@ -581,38 +467,29 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: user-order-read-modify-rule - name: User Order Modify rule - description: Permits to create and modify orders owned by user + id: require-order-state-created + name: Require Order State Created + description: Denies if order has other state than created target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: user-r-id - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:read - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:modify + subjects: [ ] + actions: [ ] resources: - id: urn:restorecommerce:acs:names:model:entity value: urn:restorecommerce:acs:model:order.Order - effect: PERMIT + effect: DENY condition: " - (request) => request?.context?.resources?.every( + (request) => !request?.context?.resources?.every( resource => ( - resource.user_id === context?.subject?.id - && ( - !resource.order_state - || resource.order_state?.toString() === 'UNRECOGNIZED' - || resource.order_state?.toString() === 'CREATED' - ) + !resource.order_state + || resource.order_state?.toString() === 'UNRECOGNIZED' + || resource.order_state?.toString() === 'CREATED' ) ); " evaluationCacheable: false contextQuery: - filters: [] + filters: [ ] query: "" meta: modifiedBy: "" 
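Review bot: `require-order-state-created` turns what used to be part of the customer's PERMIT condition into a separate DENY rule, but every policy visible in this change combines its rules with `permit-overrides`, under which a DENY is discarded as soon as any sibling PERMIT rule (e.g. `customer-permit-all-scoped`) matches. The guard therefore only works if the order policies that reference it use `deny-overrides`, which is not visible here; a comment on the rule stating that requirement, e.g. `# only effective inside a policy combined with deny-overrides`, would stop it being copied into a permit-overrides policy. The condition also treats a missing or `UNRECOGNIZED` state as "created", as the old rule did; restating that in the description would avoid surprises.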
@@ -623,28 +500,27 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: unauthenticated-register-user-rule - name: Register new User rule - description: Register new User as Unauthenticated User + id: require-order-state-submitted + name: Require Order State Submitted + description: Denies if order has other state than submitted target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: unauthenticated-user-r-id - - id: urn:restorecommerce:acs:names:roleScopingEntity - value: urn:restorecommerce:acs:model:organization.Organization - - id: urn:restorecommerce:acs:names:hierarchicalRoleScoping - value: 'false' - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:create + subjects: [ ] + actions: [ ] resources: - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:user.User - effect: PERMIT - condition: "" + value: urn:restorecommerce:acs:model:order.Order + effect: DENY + condition: + " + (request) => !request?.context?.resources?.every( + resource => ( + resource.order_state?.toString() === 'SUBMITTED' + ) + ); + " evaluationCacheable: false contextQuery: - filters: [] + filters: [ ] query: "" meta: modifiedBy: "" 
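Review bot: The deny condition in `require-order-state-submitted` negates `every`, and `every` on an empty array is true, so a request whose `context.resources` is empty produces no DENY from this rule at all; the guard is bypassed exactly when the PEP could not attach the order. If an unresolved order should be refused, deny on the empty list as well: `(request) => !(request?.context?.resources?.length > 0 && request.context.resources.every(`. The same pattern applies to the neighbouring state rules.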
@@ -653,31 +529,26 @@ value: urn:restorecommerce:acs:model:organization.Organization attributes: - id: urn:restorecommerce:acs:names:ownerInstance - value: restorecommecre-demo-root-organization + value: system --- - id: unauthenticated-forgot-password-rule - name: User 'Forgot Password' rule - description: Permits 'modify' by unauthenticated users on their password + id: require-order-state-withdrawn + name: Require Order State Withdrawn + description: Denies if order has other state than withdrawn target: - subjects: - - id: urn:restorecommerce:acs:names:role - value: unauthenticated-user-r-id - - id: urn:restorecommerce:acs:names:roleScopingEntity - value: urn:restorecommerce:acs:model:organization.Organization - actions: - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:modify + subjects: [ ] + actions: [ ] resources: - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:user.User - - id: urn:restorecommerce:acs:names:model:property - value: urn:restorecommerce:acs:model:user.User#activation_code - - id: urn:restorecommerce:acs:names:model:property - value: urn:restorecommerce:acs:model:user.User#password_hash - - id: urn:restorecommerce:acs:names:model:property - value: urn:restorecommerce:acs:model:user.User#email - effect: PERMIT - condition: "" + value: urn:restorecommerce:acs:model:order.Order + effect: DENY + condition: + " + (request) => !request?.context?.resources?.every( + resource => ( + resource.order_state?.toString() === 'WITHDRAWM' + ) + ); + " evaluationCacheable: false contextQuery: filters: [ ] 
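Review bot: `require-order-state-withdrawn` compares against `'WITHDRAWM'`, which no order will ever carry, so the `!every` negation makes the rule DENY every request it is attached to (or, under permit-overrides, silently do nothing). Fix the literal: `resource.order_state?.toString() === 'WITHDRAWN'`. The owner change at the top of this hunk from the demo root organization to `system` is consistent with the rest of the seed file.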
@@ -691,61 +562,45 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - id: everyone-own-token-read-modify-rule - name: Token read and modify rule - description: Permit modify access to the token resource owned by user + id: unauthenticated-permit-create-strict-scope + name: Unauthenticated Create Strict Scope + description: Permits create if subject is Unauthenticated within strict scope target: - subjects: [] + subjects: + - id: urn:restorecommerce:acs:names:role + value: unauthenticated-r-id + - id: urn:restorecommerce:acs:names:roleScopingEntity + value: urn:restorecommerce:acs:model:organization.Organization + - id: urn:restorecommerce:acs:names:hierarchicalRoleScoping + value: 'false' actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:read - - id: urn:oasis:names:tc:xacml:1.0:action:action-id - value: urn:restorecommerce:acs:names:action:modify - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:token.Token - condition: "context?.subject?.id;" + value: urn:restorecommerce:acs:names:action:create + resources: [ ] effect: PERMIT - evaluationCacheable: true + condition: "" + evaluationCacheable: false + contextQuery: + filters: [ ] + query: "" meta: + modifiedBy: "" owners: - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity value: urn:restorecommerce:acs:model:organization.Organization attributes: - id: urn:restorecommerce:acs:names:ownerInstance - value: system + value: restorecommecre-demo-root-organization --- - id: everyone-system-resource-read-rule - name: Everyone system resource read rule - description: Permits read of system resources to everyone + id: everyone-permit-read-system + name: Everyone Permit Read System + description: Permits read if resource is owned by system target: - subjects: [] + resources: [ ] + subjects: [ ] actions: - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: 
urn:restorecommerce:acs:names:action:read - resources: - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:contact_point_type.ContactPointType - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:contact_point.ContactPoint - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:country.Country - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:address.Address - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:locale.Locale - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:timezone.Timezone - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:tax_type.TaxType - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:tax.Tax - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:unit_code.UnitCode - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:ostorage.Ostorage - - id: urn:restorecommerce:acs:names:model:entity - value: urn:restorecommerce:acs:model:internal.Internal effect: PERMIT condition: " @@ -766,7 +621,7 @@ " evaluationCacheable: false contextQuery: - filters: [] + filters: [ ] query: "" meta: modifiedBy: "" 
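Review bot: `unauthenticated-permit-create-strict-scope` has `resources: [ ]`, where the removed `unauthenticated-register-user-rule` was limited to `user.User`, so an unauthenticated subject may create any entity type in any policy that lists this rule; keep the entity target on the rule — `resources:` / `- id: urn:restorecommerce:acs:names:model:entity` / `value: urn:restorecommerce:acs:model:user.User` — rather than relying on user-policy being its only consumer. Its meta owner is `restorecommecre-demo-root-organization`, a demo-shop identifier, while every other rule in datasets/system is owned by `system`. Likewise `everyone-permit-read-system` loses its explicit list of reference entities and now permits read of anything owned by `system` — which includes the seeded roles, policies and rules — to unauthenticated subjects wherever a policy references it; confirm that is intended for every policy that lists it.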
@@ -776,3 +631,35 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: system +--- + id: everyone-permit-reset-password + name: Everyone Permit Reset Password + description: Permits reset password to everyone + target: + subjects: [ ] + actions: + - id: urn:oasis:names:tc:xacml:1.0:action:action-id + value: urn:restorecommerce:acs:names:action:update + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:user.User + - id: urn:restorecommerce:acs:names:model:property + value: urn:restorecommerce:acs:model:user.User#activation_code + - id: urn:restorecommerce:acs:names:model:property + value: urn:restorecommerce:acs:model:user.User#password_hash + - id: urn:restorecommerce:acs:names:model:property + value: urn:restorecommerce:acs:model:user.User#email + effect: PERMIT + condition: "" + evaluationCacheable: false + contextQuery: + filters: [ ] + query: "" + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system \ No newline at end of file
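Review bot: `everyone-permit-reset-password` permits `update` on `user.User` and on the `password_hash`, `email` and `activation_code` properties to every subject (`subjects: [ ]`) with `condition: ""`, so the authorization layer no longer requires the caller to be unauthenticated, to own the account, or to present anything; the whole account-takeover defence now rests on the user service verifying the activation code before applying the update. The removed forgot-password rule was at least limited to the unauthenticated role. Restore that restriction — `subjects:` / `- id: urn:restorecommerce:acs:names:role` / `value: unauthenticated-r-id` — and document the residual assumption: `# ACS grants this to any caller; the user service must verify activation_code before touching password_hash or email`. Whether listing property targets narrows the rule to requests that touch only those properties is engine behaviour not visible here.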