@ncri
Created May 21, 2024 13:25
# Exported variables shared by the derived roles and the resource policy
apiVersion: api.cerbos.dev/v1
description: Common variables for apprenticeship
exportVariables:
  name: apprenticeship_presentation_apprenticeship_common_variables
  definitions:
    apprenticeship_company_id: request.resource.attr.company_id
    apprenticeship_id: request.resource.id
---
# Derived roles: apprenticeship_owner is granted to a company_manager:admin
# principal when the apprenticeship's company_id is in the principal's
# write_resource_access attribute for company_manager_admin
apiVersion: "api.cerbos.dev/v1"
description: |-
  Common roles for apprenticeship presentation
derivedRoles:
  name: apprenticeship_presentation_common_roles
  variables:
    import:
      - apprenticeship_presentation_apprenticeship_common_variables
  definitions:
    - name: apprenticeship_owner
      parentRoles: ["company_manager:admin"]
      condition:
        match:
          any:
            of:
              - expr: (V.apprenticeship_company_id in P.attr.write_resource_access.company_manager.company.company_manager_admin)
---
# Resource policy: only apprenticeship_owner may run the listed actions
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  scope: "apprenticeship_presentation"
  resource: "apprenticeship"
  version: "default"
  variables:
    import:
      - apprenticeship_presentation_apprenticeship_common_variables
  importDerivedRoles:
    - apprenticeship_presentation_common_roles
  rules:
    - actions:
        - 'assign_ambassador'
        - 'unassign_ambassador'
        - 'publish'
        - 'unpublish'
      effect: EFFECT_ALLOW
      derivedRoles:
        - apprenticeship_owner
      output:
        when:
          # Output expression for the case where the rule's condition is not met
          conditionNotMet: |-
            {"principal": P.id, "resource": R.id, "message": "You are not an apprenticeship owner. Action is not allowed"}