@@ -14,13 +14,17 @@ definition platform {
1414permission super_admin = administrator
1515}
1616
17+
1718// team is a collection of resources.
1819// TODO: Should we call this a namespace?
1920definition team {
2021// platform relation is the super admin level. All super-admin type permissions
2122// are passed through the team level.
2223relation platform: platform
2324
25+ // parent allows nesting teams
26+ relation parent: team
27+
2428// Teams have their own roles for user's to interact with team resources.
2529// Each role can be either a group or a user.
2630
@@ -67,33 +71,34 @@ definition team {
6771 * Other Roles *
6872 *******************/
6973
70- // membership needs to include all ways in which someone is a member of this team.
71- permission membership = member +
74+ // direct_membership needs to include all ways in which someone is a member of this team.
75+ // This does not include parent team members.
76+ permission direct_membership = member +
7277workspace_viewer + workspace_creator + workspace_deletor + workspace_version_selector + dangerous_workspace_connector + workspace_editor +
7378template_viewer + template_creator + template_deletor + template_editor
7479
7580/*************************
7681 * Workspace Permissions *
7782 *************************/
7883// view all workspaces owned by the team
79- permission view_workspaces = platform->super_admin + workspace_viewer
80- permission edit_workspaces = platform->super_admin + workspace_editor
81- permission select_workspace_version = platform->super_admin + workspace_version_selector
82- permission delete_workspaces = platform->super_admin + workspace_deletor
83- permission connect_workspaces = dangerous_workspace_connector
84+ permission view_workspaces = platform->super_admin + workspace_viewer + parent->view_workspaces
85+ permission edit_workspaces = platform->super_admin + workspace_editor + parent->edit_workspaces
86+ permission select_workspace_version = platform->super_admin + workspace_version_selector + parent->select_workspace_version
87+ permission delete_workspaces = platform->super_admin + workspace_deletor + parent->delete_workspaces
88+ permission connect_workspaces = dangerous_workspace_connector + parent->connect_workspaces
8489// create_workspace is on the team level object. A workspace that is created is owned by the team
8590// and the application should setup the correct permissions/relations for the new resource.
86- permission create_workspace = platform->super_admin + workspace_creator
91+ permission create_workspace = platform->super_admin + workspace_creator + parent->create_workspace
8792
8893/************************
8994 * Template Permissions *
9095 ************************/
91- permission view_templates = platform->super_admin + template_viewer
92- permission view_template_insights = platform->super_admin + template_insights_viewer
93- permission edit_templates = platform->super_admin + template_editor
94- permission delete_templates = platform->super_admin + template_deletor
95- permission manage_template_permissions = platform->super_admin + template_permission_manager
96- permission create_template = platform->super_admin + template_creator
96+ permission view_templates = platform->super_admin + template_viewer + parent->view_templates
97+ permission view_template_insights = platform->super_admin + template_insights_viewer + parent->view_template_insights
98+ permission edit_templates = platform->super_admin + template_editor + parent->edit_templates
99+ permission delete_templates = platform->super_admin + template_deletor + parent->delete_templates
100+ permission manage_template_permissions = platform->super_admin + template_permission_manager + parent->manage_template_permissions
101+ permission create_template = platform->super_admin + template_creator + parent->create_template
97102}
98103
99104// group is a collection of users and operates exactly like a user from
@@ -129,12 +134,12 @@ definition workspace {
129134// Some perms require view as well
130135edit + delete + select_template_version + ssh +
131136// Give view permissons to any role that requires reading the workspace to conduct their actions.
132- owner->view_workspaces +( viewer & owner->membership)
133- permission edit = owner->edit_workspaces +( editor & owner->membership)
134- permission delete = owner->delete_workspaces +( deletor & owner->membership)
137+ owner->view_workspaces + viewer
138+ permission edit = owner->edit_workspaces + editor
139+ permission delete = owner->delete_workspaces + deletor
135140// TODO: Maybe a caveat to check if the selected version is the active template version, and if that is allowed.
136- permission select_template_version = owner->select_workspace_version +( selector & owner->membership)
137- permission ssh = owner->connect_workspaces +( connector & owner->membership)
141+ permission select_template_version = owner->select_workspace_version + selector
142+ permission ssh = owner->connect_workspaces + connector
138143}
139144
140145definition workspace_build {