diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
index 454710850..71fbd6c5d 100644
--- a/src/main/resources/reference.conf
+++ b/src/main/resources/reference.conf
@@ -118,8 +118,13 @@ resourceTypes = {
 }
 owner = {
 roleActions = ["delete", "read_policies", "share_policy::owner", "share_policy::application", "share_policy::writer", "share_policy::reader", "own", "write", "read", "compute", "share_policy::share-reader", "share_policy::share-writer", "share_policy::can-compute", "share_policy::can-catalog", "read_auth_domain", "create_controlled_user_shared", "create_controlled_user_private", "create_referenced_resource", "update_referenced_resource", "delete_referenced_resource", "list_children", "remove_child", "add_child"]
+ # Workspace Manager also maintains a mapping of workspace roles to controlled resource roles. If you change this mapping, check that service's mapping as well.
 descendantRoles = {
 google-project = ["owner"]
+ controlled-user-shared-workspace-resource = ["editor", "writer", "reader"]
+ controlled-user-private-workspace-resource = ["assigner", "editor"]
+ controlled-application-shared-workspace-resource = ["editor", "writer", "reader"]
+ controlled-application-private-workspace-resource = ["editor"]
 }
 }
 application = {
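Review bot: The new comment about Workspace Manager keeping its own copy of this role mapping sits only above `owner`'s `descendantRoles`; the `writer` and `reader` mappings added in the `@@ -127,9 +132,19 @@` hunk carry the same cross-service coupling with no pointer. Drift between the two copies would change who can reach controlled resources, so I would place the comment where it covers all three roles or repeat it, e.g. `# Keep in sync with Workspace Manager's workspace-role -> controlled-resource-role mapping (owner, writer, reader).` The role names on the right-hand side are bare strings, so a test that loads this file and asserts each listed role exists on the named resource type would catch a typo; whether the loader already validates this is not visible here. The `owner` block and its resource type start above the hunk.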
@@ -127,9 +132,19 @@ resourceTypes = {
 }
 writer = {
 roleActions = ["read_policy::owner", "write", "read", "create_controlled_user_shared", "create_controlled_user_private", "create_referenced_resource", "update_referenced_resource", "delete_referenced_resource", "list_children", "add_child", "remove_child", "read_auth_domain"]
+ descendantRoles = {
+ controlled-user-shared-workspace-resource = ["editor", "writer", "reader"]
+ controlled-user-private-workspace-resource = ["editor"]
+ controlled-application-shared-workspace-resource = ["editor", "writer", "reader"]
+ controlled-application-private-workspace-resource = ["editor"]
+ }
 }
 reader = {
 roleActions = ["read_policy::owner", "read", "read_auth_domain"]
+ descendantRoles = {
+ controlled-user-shared-workspace-resource = ["reader"]
+ controlled-application-shared-workspace-resource = ["reader"]
+ }
 }
 share-reader = {
 roleActions = ["share_policy::reader", "read_policies"]
@@ -195,7 +210,7 @@ resourceTypes = {
 roleActions = ["delete", "edit"]
 }
 writer = {
- roleActions = ["write"]
+ roleActions = ["read", "write"]
 }
 reader = {
 roleActions = ["read"]
@@ -248,13 +263,13 @@ resourceTypes = {
 roleActions = ["delete", "read_policies", "share_policy::owner", "share_policy::editor", "share_policy::writer", "share_policy::reader", "own", "edit", "manage_private_user", "set_parent"]
 }
 assigner = {
- roleActions = ["manage_private_user"]
+ roleActions = ["manage_private_user", "read_policies", "share_policy::editor", "share_policy::writer", "share_policy::reader"]
 }
 editor = {
 roleActions = ["delete", "edit"]
 }
 writer = {
- roleActions = ["write"]
+ roleActions = ["read", "write"]
 }
 reader = {
 roleActions = ["read"]
@@ -307,7 +322,7 @@ resourceTypes = {
 roleActions = ["delete", "edit"]
 }
 writer = {
- roleActions = ["write"]
+ roleActions = ["read", "write"]
 }
 reader = {
 roleActions = ["read"]
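Review bot: In the `@@ -127,9 +132,19 @@` hunk, workspace `writer` now inherits `editor` on both private resource types (`controlled-user-private-workspace-resource` and `controlled-application-private-workspace-resource`), and the `editor` roles visible later in this diff carry `["delete", "edit"]`. If those are the private types' editor roles, every workspace writer can delete or edit a resource that is private to another user while holding no `read` on it; that may be deliberate cleanup access, but it is a wide grant for something labelled private and should be stated explicitly. I would add a line above the two entries such as `# writers may delete/edit private resources (cleanup) but get no read/write on their contents`, or drop the entries if only owners are meant to have this. The enclosing resource type starts above the hunk, so the full role set is not visible here.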
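Review bot: In the `@@ -248,13 +263,13 @@` hunk (and identically in `@@ -360,13 +375,13 @@`), `assigner` grows from `manage_private_user` to also hold `read_policies` and `share_policy::editor`/`writer`/`reader`, while the first hunk gives every workspace `owner` the `assigner` role on `controlled-user-private-workspace-resource`. Assuming one of these two resource types is that private type, a workspace owner can now add any member, including themselves, to the writer or reader policy of another user's private resource, so privacy with respect to owners holds only by convention. If that is intended, say so next to the role, e.g. `# assigner can share editor/writer/reader; workspace owners inherit this role`, and confirm that policy changes made through `assigner` are audit-logged; if not, keep `assigner` at `manage_private_user` plus the minimum it needs. If the other resource type is the application-private one, no workspace role in this diff inherits `assigner` there (its mapping lists only `editor`), so it is worth confirming who is meant to hold it.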
@@ -360,13 +375,13 @@ resourceTypes = {
 roleActions = ["delete", "read_policies", "share_policy::owner", "share_policy::editor", "share_policy::writer", "share_policy::reader", "own", "edit", "manage_private_user", "set_parent"]
 }
 assigner = {
- roleActions = ["manage_private_user"]
+ roleActions = ["manage_private_user", "read_policies", "share_policy::editor", "share_policy::writer", "share_policy::reader"]
 }
 editor = {
 roleActions = ["delete", "edit"]
 }
 writer = {
- roleActions = ["write"]
+ roleActions = ["read", "write"]
 }
 reader = {
 roleActions = ["read"]