api.alfa
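namespace axiomatics.demo{
    import System

    /* Online Trial Tutorial policy */

    /*
     * Top-level policy set for "record" resources.
     *
     * Combining algorithm: firstApplicable, so the children are evaluated in the
     * order written. `global` holds the cross-cutting deny rules and is listed
     * first so that its Deny is the final decision; `GET` grants the read
     * permissions; the trailing `defaultDeny` policy catches every request that
     * no earlier child decided, keeping the set fail-closed (the same default
     * the previous denyUnlessPermit gave for unmatched requests).
     *
     * Why not denyUnlessPermit: that algorithm returns Permit whenever ANY child
     * returns Permit and discards every Deny, so the R5 clearance deny in
     * `global` was overridden as soon as a GET rule permitted the request.
     * Note that an Indeterminate from `global` (e.g. a missing clearance
     * attribute) now propagates as Indeterminate rather than being folded into
     * Permit/Deny; the enforcement point should treat it as a deny.
     */
    policyset api{
        target clause stringEndsWith("record", resourceType)
        apply firstApplicable

        /* Global record policies: cross-cutting denies, evaluated before any permit. */
        policyset global{
            apply firstApplicable

            /* Clearance check */
            policy clearance{
                apply firstApplicable

                /* R5 - Deny all access if user clearance < record classification */
                rule denyAccess{
                    condition user.clearance < record.classification
                    deny
                    on deny{
                        advice decision_reason {
                            reason = "R5 - Deny all access if user clearance < record classification"
                        }
                    }
                }
            }
        }

        /* View records */
        policyset GET{
            target clause actionId == "GET"
            apply firstApplicable

            /* Clients can view records. denyUnlessPermit here means a client whose
               request matches no permit rule (e.g. another department's record)
               is denied rather than left undecided. */
            policy client{
                target clause user.role == "client"
                apply denyUnlessPermit

                /* R2.1 - A client can view a record in their own department, with an
                   obligation to mask the owner and status fields. */
                rule clientView{
                    condition record.department == user.department
                    permit
                    on permit{
                        /* Two assignments to the same attribute; presumably both field
                           names are returned in the obligation - confirm against the
                           generated XACML. */
                        obligation fields {
                            mask_fields = "owner"
                            mask_fields = "status"
                        }
                    }
                    on permit{
                        /* Reason text kept verbatim; it reads "2.1" where the comment
                           above says "R2.1". */
                        advice decision_reason {
                            reason = "2.1 - An client can view a record in their own department with obligation to mask owner and status"
                        }
                    }
                }
            }
        }

        /* Default deny: reached only when neither `global` nor `GET` produced a
           decision (e.g. an action other than GET, or a role other than client). */
        policy defaultDeny{
            apply firstApplicable
            rule denyByDefault{
                deny
            }
        }
    }
}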