@@ -114,7 +114,7 @@ site_allow(roles) := num if {
114114# Adding a second org_members set might affect the partial evaluation.
115115# This is being left until org scopes are used.
116116org_members:= {orgID|
117- input.subject.roles[_].org [orgID]
117+ input.subject.roles[_].by_org_id [orgID]
118118}
119119
120120# 'org' is the same as 'site' except we need to iterate over each organization
@@ -140,7 +140,7 @@ org_allow_set(roles, key) := allow_set if {
140140id:= org_members[_]
141141set:= {is_allowed|
142142# Iterate over all org permissions in all roles
143- perm:= roles[_][key][id ][_]
143+ perm:= roles[_].by_org_id[id][key ][_]
144144perm.action in [input.action," *"
145145perm.resource_type in [input.object.type," *"
146146
@@ -260,15 +260,15 @@ org_member := num if {
260260# Object must be jointly owned by the user
261261input.object.owner!= " "
262262input.subject.id= input.object.owner
263- num:= org_allow (input.subject.roles," org_member "
263+ num:= org_allow (input.subject.roles," member "
264264}
265265
266266default scope_org_member:= 0
267267scope_org_member:= num if {
268268# Object must be jointly owned by the user
269269input.object.owner!= " "
270270input.subject.id= input.object.owner
271- num:= org_allow ([input.subject.scope]," org_member "
271+ num:= org_allow ([input.subject.scope]," member "
272272}
273273
274274# Scope allow_list is a list of resource (Type, ID) tuples explicitly allowed by the scope.