| { |
| "name" : "Operator policy set", |
| "policies" : [ |
| { |
| "name" : "Operators can read a site if they are assigned to the site.", |
| "target" : { |
| "name" : "When an operator reads a site", |
| "resource" : { |
| "name" : "Site", |
| "uriTemplate" : "/sites/{site_id}" |
| }, |
| "action" : "GET", |
| "subject" : { |
| "name" : "Operator", |
| "attributes" : [ |
| { "issuer" : "https://acs.attributes.int", |
| "name" : "site" } |
| ] |
| } |
| }, |
| "conditions" : [ |
| { "name" : "is assigned to site", |
| "condition" : "match.single(subject.attributes('https://acs.attributes.int', 'site'), resource.uri.placeHolder('site_id'))" } |
| ], |
| "effect" : "PERMIT" |
| }, |
| { |
| "name" : "Operators can read an asset if they are a member of the asset group.", |
| "target" : { |
| "name" : "When an operator reads an asset", |
| "resource" : { |
| "name" : "Asset", |
| "uriTemplate" : "/assets/{asset_id}", |
| "attributes" : [ |
| { "issuer" : "https://acs.attributes.int", |
| "name" : "group" } |
| ] |
| }, |
| "action" : "GET", |
| "subject" : { |
| "name" : "Operator", |
| "attributes" : [ |
| { "issuer" : "https://acs.attributes.int", |
| "name" : "group" } |
| ] |
| } |
| }, |
| "conditions" : [ |
| { "name" : "is member of group", |
| "condition" : "match.any(subject.attributes('https://acs.attributes.int', 'group'), resource.attributes('https://acs.attributes.int', 'group'))" } |
| ], |
| "effect" : "PERMIT" |
| }, |
| { |
| "name" : "Operators can modify a site if they are assigned to the site and they are a manager.", |
| "target" : { |
| "name" : "When an operator modifies a site", |
| "resource" : { |
| "name" : "Site", |
| "uriTemplate" : "/sites/{site_id}" |
| }, |
| "action" : "PUT", |
| "subject" : { |
| "name" : "Operator", |
| "attributes" : [ |
| { "issuer" : "https://acs.attributes.int", |
| "name" : "site" }, |
| { "issuer" : "https://acs.attributes.int", |
| "name" : "role" } |
| ] |
| } |
| }, |
| "conditions" : [ |
| { "name" : "is assigned to site", |
| "condition" : "match.single(subject.attributes('https://acs.attributes.int', 'site'), resource.uri.placeHolder('site_id'))" }, |
| { "name" : "is a manager", |
| "condition" : "match.single(subject.attributes('https://acs.attributes.int', 'role'), 'manager')" } |
| ], |
| "effect" : "PERMIT" |
| }, |
| { |
| "name" : "Operators can create a case if they own the alarm and they are members of the asset group.", |
| "target" : { |
| "name" : "When an operator creates an case for an asset alarm", |
| "resource" : { |
| "name" : "Asset alarm cases", |
| "uriTemplate" : "/assets/{asset_id}/alarms/{alarm_id}/cases", |
| "attributes" : [ |
| { "issuer" : "https://acs.attributes.int", |
| "name" : "group" }, |
| { "issuer" : "https://acs.attributes.int", |
| "name" : "owner" } |
| ] |
| }, |
| "action" : "POST", |
| "subject" : { |
| "name" : "Operator", |
| "attributes" : [ |
| { "issuer" : "https://acs.attributes.int", |
| "name" : "name_id" }, |
| { "issuer" : "https://acs.attributes.int", |
| "name" : "group" } |
| ] |
| } |
| }, |
| "conditions" : [ |
| { "name" : "is member of group", |
| "condition" : "match.any(subject.attributes('https://acs.attributes.int', 'group'), resource.attributes('https://acs.attributes.int', 'group'))" }, |
| { "name" : "is owner of", |
| "condition" : "match.any(subject.attributes('https://acs.attributes.int', 'name_id'), resource.attributes('https://acs.attributes.int', 'owner'))" } |
| ], |
| "effect" : "PERMIT" |
| }, |
| { |
| "name" : "Operators can see all sites that they are assigned to", |
| "target" : { |
| "name" : "When an operator reads all sites", |
| "resource" : { |
| "name" : "Sites", |
| "uriTemplate" : "/sites" |
| }, |
| "action" : "GET", |
| "subject" : { |
| "name" : "Operator", |
| "attributes" : [ |
| { "issuer" : "https://acs.attributes.int", |
| "name" : "group" } |
| ] |
| } |
| }, |
| "effect" : "PERMIT" |
| }, |
| { |
| "name" : "Operators can see all assets that are assigned to their asset groups", |
| "target" : { |
| "name" : "When an operator reads all assets", |
| "resource" : { |
| "name" : "Assets", |
| "uriTemplate" : "/assets" |
| }, |
| "action" : "GET", |
| "subject" : { |
| "name" : "Operator", |
| "attributes" : [ |
| { "issuer" : "https://acs.attributes.int", |
| "name" : "group" } |
| ] |
| } |
| }, |
| "effect" : "PERMIT" |
| }, |
| { |
| "name" : "Deny all other operations by default", |
| "effect" : "DENY" |
| } |
| ] |
| } |