Rego rule 3 - Only managers from the employee_managers list can create employees
# Set of subjects permitted to create employees.
employee_managers := {"janedoe@styra.com", "alicesmith@styra.com", "davidholme@styra.com"}

# `jwt` (with `jwt.valid` and `jwt.payload`) is assumed to be a rule defined
# elsewhere in the same policy that verifies the caller's bearer token.
allow {
    input.attributes.request.http.method == "POST"
    input.parsed_path[0] == "employees"
    jwt.valid
    jwt.payload.Role == "manager"
    jwt.payload.Group == input.parsed_body.userGroup
    employee_managers[jwt.payload.sub]  # set membership: is the subject in the employee_managers set?
}
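The rule above depends on a `jwt` rule the gist does not show, and it has no tests. The following is an added example, not the gist's own code: the same rule completed with an assumed `jwt` rule (bearer token in the Authorization header, HS256-signed with a secret stored at `data.jwt_secret`, claims `sub`, `Role` and `Group`) and unit tests that exercise each way the request can be refused. The tests mock `jwt` with `with`, so they run offline without a signing key; the package name, request shape and claim values are constructed for the example.

```rego
package employees.authz

# Added example; assumptions: Authorization: Bearer <token>, HS256 with
# data.jwt_secret, and claims sub / Role / Group in the token payload.

default allow = false

employee_managers := {"janedoe@styra.com", "alicesmith@styra.com", "davidholme@styra.com"}

allow {
    input.attributes.request.http.method == "POST"
    input.parsed_path[0] == "employees"
    jwt.valid
    jwt.payload.Role == "manager"
    jwt.payload.Group == input.parsed_body.userGroup
    employee_managers[jwt.payload.sub]  # subject must be a listed manager
}

# Verify the bearer token. `valid` is false when the signature (or any
# other constraint) fails, so every claim check above then fails too.
jwt := {"valid": valid, "payload": payload} {
    auth := input.attributes.request.http.headers.authorization
    startswith(auth, "Bearer ")
    token := substring(auth, 7, -1)
    [valid, _, payload] := io.jwt.decode_verify(token, {"secret": data.jwt_secret, "alg": "HS256"})
}

# ---- tests: run with `opa test -v policy.rego` ----

# Constructed request: POST /employees for the engineering group.
post_employee := {
    "attributes": {"request": {"http": {"method": "POST"}}},
    "parsed_path": ["employees"],
    "parsed_body": {"userGroup": "engineering"},
}

# Constructed verified-token result for a listed manager.
manager_jwt := {"valid": true, "payload": {"sub": "janedoe@styra.com", "Role": "manager", "Group": "engineering"}}

test_listed_manager_allowed {
    allow with input as post_employee with jwt as manager_jwt
}

test_unlisted_manager_denied {
    not allow with input as post_employee
        with jwt as object.union(manager_jwt, {"payload": {"sub": "someone@example.com", "Role": "manager", "Group": "engineering"}})
}

test_non_manager_role_denied {
    not allow with input as post_employee
        with jwt as object.union(manager_jwt, {"payload": {"sub": "janedoe@styra.com", "Role": "employee", "Group": "engineering"}})
}

test_group_mismatch_denied {
    not allow with input as post_employee
        with jwt as object.union(manager_jwt, {"payload": {"sub": "janedoe@styra.com", "Role": "manager", "Group": "finance"}})
}

test_invalid_token_denied {
    not allow with input as post_employee with jwt as object.union(manager_jwt, {"valid": false})
}

test_get_request_denied {
    not allow with input as object.union(post_employee, {"attributes": {"request": {"http": {"method": "GET"}}}})
        with jwt as manager_jwt
}
```

The `default allow = false` line matters in an Envoy external-authorization setup: without it, a request that matches no condition yields an undefined decision rather than an explicit deny. The set-membership form `employee_managers[jwt.payload.sub]` is equivalent to the gist's `employee_managers[_] == jwt.payload.sub` but reads as the intended lookup.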