You signed in with another tab or window.Reload to refresh your session.You signed out in another tab or window.Reload to refresh your session.You switched accounts on another tab or window.Reload to refresh your session.Dismiss alert
- Truth table had an incorrect result value in final row- Permission format examples was missing the object type- Fix actions list- Code block a bash command
Copy file name to clipboardExpand all lines: coderd/rbac/README.md
+7-5Lines changed: 7 additions & 5 deletions
Original file line number
Diff line number
Diff line change
@@ -8,7 +8,7 @@ Authorization defines what **permission** a **subject** has to perform **actions
8
8
9
9
-**Permission** is binary:_yes_ (allowed) or_no_ (denied).
10
10
-**Subject** in this case is anything that implements interface`rbac.Subject`.
11
-
-**Action** here is an enumerated list of actions, but we stick to`Create`,`Read`,`Update`,and`Delete` here.
11
+
-**Action** here is an enumerated list of actions. Actions can differ for each object type. They typically read like,`Create`,`Read`,`Update`,`Delete`, etc.
12
12
-**Object** here is anything that implements`rbac.Object`.
13
13
14
14
##Permission Structure
@@ -34,11 +34,11 @@ Both **negative** and **positive** permissions override **abstain** at the same
34
34
This can be represented by the following truth table, where Y represents_positive_, N represents_negative_, and\_ represents_abstain_:
35
35
36
36
| Action| Positive| Negative| Result|
37
-
| ------| --------| --------|------|
37
+
| ------| --------| --------|--------|
38
38
| read| Y|\_| Y|
39
39
| read| Y| N| N|
40
40
| read|\_|\_|\_|
41
-
| read|\_| N|Y|
41
+
| read|\_| N|N|
42
42
43
43
##Permission Representation
44
44
@@ -49,11 +49,11 @@ This can be represented by the following truth table, where Y represents _positi
49
49
-`object` is any valid resource type.
50
50
-`id` is any valid UUID v4.
51
51
-`id` is included in the permission syntax, however only scopes may use`id` to specify a specific object.
52
-
-`action` is`create`,`read`,`modify`,or`delete`.
52
+
-`action` is`create`,`read`,`modify`,`delete`, or another verb.
53
53
54
54
##Example Permissions
55
55
56
-
-`+site.*.*.read`: allowed to perform the`read` action against all objects of type`app` in a given Coder deployment.
56
+
-`+site.app.*.read`: allowed to perform the`read` action against all objects of type`app` in a given Coder deployment.
57
57
-`-user.workspace.*.create`: user is not allowed to create workspaces.
58
58
59
59
##Roles
@@ -106,7 +106,9 @@ You can test outside of golang by using the `opa` cli.