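# Casbin model: attribute-based check of which subject may perform an action
# on which record. A request carries the subject, the requested object and
# the action.
[request_definition]
r = sub, obj, act

# A policy rule names an object type and an action, e.g. "p, medicalRecord, view".
[policy_definition]
p = obj, act

# Allow when at least one matching rule allows; a request that matches no rule
# is denied.
[policy_effect]
e = some(where (p.eft == allow))

# p.obj is the plain string taken from the policy rule, so it has no attributes.
# The object type and the assignee are therefore read from the request object
# (r.obj), and the request is tied to the rule with r.obj.type == p.obj. Without
# that binding, a rule written for one record type could satisfy a request for
# another type that merely shares the action name.
# Each role clause requires the role, the object type, and that the subject is
# the assignee of this specific object. Further role clauses follow the same
# pattern.
# Attribute names must match the fields of the objects handed to the enforcer.
# The value continues across lines with a trailing backslash; comments stay
# outside the continued value.
[matchers]
m = r.act == p.act && r.obj.type == p.obj && \
( \
(r.sub.type == "doctor" && r.obj.type == "medicalRecord" && r.sub.id == r.obj.doctorAssigned) \
|| (r.sub.type == "accountant" && r.obj.type == "billingInfo" && r.sub.id == r.obj.accountantAssigned) \
)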
p, medicalRecord, view
p, billingInfo, view
// MedicalRecord is the object passed to the enforcer for medical-record requests.
// The model's doctor clause reads its type and doctorAssigned attributes.
// NOTE(review): `type` is a reserved word in Go, so this field does not compile
// as written; renaming it means renaming the attribute in the matcher as well.
type MedicalRecord struct {
type string
// id of the doctor this record is assigned to; the doctor clause compares the subject's id against it
doctorAssigned int
// ...
}
// BillingInfo is the object passed to the enforcer for billing requests.
// The model's accountant clause reads its type and accountantAssigned attributes.
// NOTE(review): Go Casbin resolves matcher attributes through reflection, which
// presumably needs exported field names — confirm and keep the matcher in step.
type BillingInfo struct {
type string
// id of the accountant this record is assigned to; the accountant clause compares the subject's id against it
accountantAssigned int
// ...
}
// Patient groups the two protected records of one patient.
// The enforce calls at the end of this listing pass the individual record
// (medicalRecord or billingInfo) as the object, never the Patient itself,
// so each record is authorized on its own type and assignee.
type Patient struct {
medicalRecord MedicalRecord
billingInfo BillingInfo
}
// Doctor is a request subject; the matcher reads its type (role) and id.
// Both values decide the authorization outcome, so they must be filled in from
// the authenticated identity on the server side, never from request input.
// NOTE(review): `type` is a reserved word in Go and cannot be used as a field name.
type Doctor struct {
type string
id int
}
// Accountant is a request subject; the matcher reads its type (role) and id.
// It has the same shape as Doctor, so only the type value tells the roles apart;
// treat that value as trusted data set by the server.
// NOTE(review): field names here must match the attribute names used in the
// matcher exactly — confirm after any rename.
type Accountant struct {
type string
id int
}
// Sample subjects: a doctor with id 1 and an accountant with id 2.
subDoctor := Doctor{id: 1, type: "doctor"}
subAccountant := Accountant{id: 2, type: "accountant"}
// One patient whose medical record is assigned to doctor 1 and whose billing
// record is assigned to accountant 2.
objPatient := Patient{
medicalRecord: MedicalRecord{type: "medicalRecord", doctorAssigned: 1},
billingInfo: BillingInfo{type:"billingInfo", accountantAssigned: 2},
}
// Each check passes the specific record as the object so the matcher can
// compare the subject's id with that record's assignee.
// NOTE(review): the decision returned by the enforcer is discarded here; real
// callers must act on it and deny when the check fails or returns an error.
// In Go Casbin the method is spelled Enforce — confirm which binding this
// sketch targets. `enforcer` is not defined in this listing.
enforcer.enforce(subDoctor, objPatient.medicalRecord, "view")
enforcer.enforce(subAccountant, objPatient.billingInfo, "view")