############################################
# Open edX AuthZ — Casbin Policy Configuration
#
# This file holds only policy rules (p lines) and action-inheritance links
# (g2 lines). The model that interprets them — request/policy definitions,
# the matcher, the policy effect and the role-grouping (g) definition — lives
# in the separate model configuration, which is not part of this file.
# Subjects, actions and scopes are namespaced with a `^` prefix
# (role^, act^, lib^, course^) so that the matcher can tell them apart.
#
# NOTE(review): there are no subject→role assignments (g lines) in this file,
# so which users hold which role, and on which scope, is decided elsewhere
# (presumably a policy adapter / database) — verify before relying on it.
############################################
# Policy definition format: p, subject(role), action, scope, effect
# Scope column: lib^*, course^*, org^* are wildcard scope patterns; each role
# policy below is written against a wildcard, not a concrete library or course.
# NOTE(review): every rule in this file carries effect `allow` and none carries
# `deny`; whether a role holder on one library is also allowed on every other
# library depends on how the model's matcher combines this wildcard with the
# scope recorded on the user's role assignment — confirm in the model file.
# Library Admin Role Policies
# Full set: view, tags, delete library, edit/publish/reuse content, view and
# manage team, create/edit/delete collections. The only role with
# delete_library and manage_library_team.
p, role^library_admin, act^content_libraries.view_library, lib^*, allow
p, role^library_admin, act^content_libraries.manage_library_tags, lib^*, allow
p, role^library_admin, act^content_libraries.delete_library, lib^*, allow
p, role^library_admin, act^content_libraries.edit_library_content, lib^*, allow
p, role^library_admin, act^content_libraries.publish_library_content, lib^*, allow
p, role^library_admin, act^content_libraries.reuse_library_content, lib^*, allow
p, role^library_admin, act^content_libraries.view_library_team, lib^*, allow
p, role^library_admin, act^content_libraries.manage_library_team, lib^*, allow
p, role^library_admin, act^content_libraries.create_library_collection, lib^*, allow
p, role^library_admin, act^content_libraries.edit_library_collection, lib^*, allow
p, role^library_admin, act^content_libraries.delete_library_collection, lib^*, allow
# Library Author Role Policies
# Same as library_admin minus delete_library and manage_library_team.
p, role^library_author, act^content_libraries.view_library, lib^*, allow
p, role^library_author, act^content_libraries.manage_library_tags, lib^*, allow
p, role^library_author, act^content_libraries.edit_library_content, lib^*, allow
p, role^library_author, act^content_libraries.publish_library_content, lib^*, allow
p, role^library_author, act^content_libraries.reuse_library_content, lib^*, allow
p, role^library_author, act^content_libraries.view_library_team, lib^*, allow
p, role^library_author, act^content_libraries.create_library_collection, lib^*, allow
p, role^library_author, act^content_libraries.edit_library_collection, lib^*, allow
p, role^library_author, act^content_libraries.delete_library_collection, lib^*, allow
# Library Contributor Role Policies
# Same as library_author minus publish_library_content. Note that a
# contributor can still delete collections (delete_library_collection).
p, role^library_contributor, act^content_libraries.view_library, lib^*, allow
p, role^library_contributor, act^content_libraries.manage_library_tags, lib^*, allow
p, role^library_contributor, act^content_libraries.edit_library_content, lib^*, allow
p, role^library_contributor, act^content_libraries.reuse_library_content, lib^*, allow
p, role^library_contributor, act^content_libraries.view_library_team, lib^*, allow
p, role^library_contributor, act^content_libraries.create_library_collection, lib^*, allow
p, role^library_contributor, act^content_libraries.edit_library_collection, lib^*, allow
p, role^library_contributor, act^content_libraries.delete_library_collection, lib^*, allow
# Library User Role Policies
# Read-only plus reuse: view the library, reuse its content, and see the team.
# No edit, publish, tag, team-management or collection actions.
p, role^library_user, act^content_libraries.view_library, lib^*, allow
p, role^library_user, act^content_libraries.reuse_library_content, lib^*, allow
p, role^library_user, act^content_libraries.view_library_team, lib^*, allow
# Action Inheritance (g2) - format: g2, granted_action, implied_action
# A subject holding granted_action is treated as also holding implied_action.
# Links chain: there is no direct delete_library → view_library line below;
# that example is realized as delete_library → edit_library_content →
# view_library. NOTE(review): chaining assumes the model's g2 definition uses
# Casbin role-inheritance semantics (transitive) — confirm in the model file.
# Security note: these links widen what a single granted action means. When a
# granted_action is assigned on its own (outside the role bundles above), the
# holder silently gains every implied_action reachable from it.
# Library
# NOTE(review): manage_library_tags implies edit_library_content. Every role
# in this file that has manage_library_tags also lists edit_library_content
# explicitly, so the link is redundant here, but it matters if tag management
# is ever granted by itself — confirm that tags-only access is not a use case.
g2, act^content_libraries.manage_library_tags, act^content_libraries.edit_library_content
g2, act^content_libraries.delete_library, act^content_libraries.edit_library_content
# Content
g2, act^content_libraries.publish_library_content, act^content_libraries.edit_library_content
g2, act^content_libraries.edit_library_content, act^content_libraries.view_library
g2, act^content_libraries.reuse_library_content, act^content_libraries.view_library
# Redundant with the publish → edit → view chain above; harmless, kept explicit.
g2, act^content_libraries.publish_library_content, act^content_libraries.view_library
# Team
g2, act^content_libraries.manage_library_team, act^content_libraries.view_library_team
# Collections
# Both delete and create imply edit; edit implies view_library. NOTE(review):
# a principal granted only create_library_collection therefore also gets
# edit_library_collection — confirm this is intended.
g2, act^content_libraries.delete_library_collection, act^content_libraries.edit_library_collection
g2, act^content_libraries.create_library_collection, act^content_libraries.edit_library_collection
g2, act^content_libraries.edit_library_collection, act^content_libraries.view_library
# Course Policies
# Course Staff Permissions
# Only one course-scoped rule is defined here (course^* wildcard, same scope
# caveat as for lib^* above); no course action-inheritance (g2) links exist.
p, role^course_staff, act^courses.manage_advanced_settings, course^*, allow