
Model (Casbin `model.conf` for assignment-based ABAC: a subject may act on an object only if it is the principal assigned to that object)

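# Casbin model: assignment-based ABAC. Rules grant an action on an object
# *kind*; the matcher adds the check that the requesting subject is the
# principal assigned to that particular object.
[request_definition]
# sub and obj are the structs passed to Enforce(); the matcher reads their
# fields by reflection, so those fields must be exported (capitalised).
r = sub, obj, act

[policy_definition]
# obj is the object kind (a plain string such as "medicalRecord"), not the
# object itself, so a rule can never be dereferenced as p.obj.type.
p = obj, act

[policy_effect]
# Allow-only effect: a request passes only if some rule matches, so anything
# without a matching rule (unknown kind, other action) is denied by default.
e = some(where (p.eft == allow))

[matchers]
# The expression language compares with == (a single = is not an operator).
# The matcher spans several lines, joined with a trailing backslash.
# Keep the Type guard in front of the assignment field in each branch:
# NOTE(review): && short-circuits, so the field belonging to the other object
# kind is never read on a struct that lacks it — confirm with the casbin
# version in use. Add further (subject kind, object kind) pairs as new ||
# branches.
m = r.act == p.act && r.obj.Type == p.obj && \
    ( \
      (r.sub.Type == "doctor" && r.obj.Type == "medicalRecord" && r.sub.ID == r.obj.DoctorAssigned) \
      || (r.sub.Type == "accountant" && r.obj.Type == "billingInfo" && r.sub.ID == r.obj.AccountantAssigned) \
    )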

Policy (`policy.csv`: one row per object kind and permitted action; the per-object assignment check lives in the matcher, not here)

p, medicalRecord, view
p, billingInfo, view

Authz code (Go sketch)

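// Object types handed to Casbin's Enforce() as r.obj. Fields are exported
// because the matcher reads them by reflection; `type` is a Go keyword and
// cannot be a field name, so the kind discriminator is called Type.
type MedicalRecord struct {
	Type           string // object kind, compared with the policy's obj column
	DoctorAssigned int    // ID of the only doctor permitted to act on this record
	// ...
}

type BillingInfo struct {
	Type               string // object kind, compared with the policy's obj column
	AccountantAssigned int    // ID of the only accountant permitted to act on this record
	// ...
}

// Patient groups the two protected sub-objects; the enforcer is called on the
// sub-object, never on the Patient as a whole.
type Patient struct {
	MedicalRecord MedicalRecord
	BillingInfo   BillingInfo
}

// Subject types handed to Enforce() as r.sub. Type and ID must be taken from
// the authenticated session or token of the caller, never from request input:
// a client that can choose its own Type/ID can satisfy the assignment check.
type Doctor struct {
	Type string
	ID   int
}

type Accountant struct {
	Type string
	ID   int
}

subDoctor := Doctor{ID: 1, Type: "doctor"}
subAccountant := Accountant{ID: 2, Type: "accountant"}
objPatient := Patient{
	MedicalRecord: MedicalRecord{Type: "medicalRecord", DoctorAssigned: 1},
	BillingInfo:   BillingInfo{Type: "billingInfo", AccountantAssigned: 2},
}

// Enforce reports whether the request is allowed; casbin v2 also returns an
// error (e.g. a matcher that fails to evaluate). The result must be checked —
// a discarded call enforces nothing — and an evaluation error is treated as a
// denial, never as "allowed".
allowed, err := enforcer.Enforce(subDoctor, objPatient.MedicalRecord, "view")
if err != nil || !allowed {
	// deny: return 403 / an authorization error to the caller
}

allowed, err = enforcer.Enforce(subAccountant, objPatient.BillingInfo, "view")
if err != nil || !allowed {
	// deny: return 403 / an authorization error to the caller
}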