store.fga.yaml
# Documentation: https://openfga.dev/docs/modeling/advanced/github
# FGA Playground: https://play.fga.dev/sandbox/?store=github
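name: GitHub
# The authorization model lives in a separate file. Every relation named in the
# tuples and assertions below (owner, repo_admin, member, admin, reader, writer,
# triager) has to be defined there; this file only supplies data and tests.
model_file: ./model.fga

# Relationship tuples: the access grants the tests are evaluated against.
# A `type:id#relation` user is a userset (everyone holding that relation on the
# object), so one such tuple grants access to a whole group, not a single user.
tuples:
  # The OpenFGA organization is the owner of the openfga/openfga repository
  - user: organization:openfga
    relation: owner
    object: repo:openfga/openfga
  # Members of the OpenFGA organization have a repository admin base permission on the organization
  # Broad grant: it covers every current and future organization member. user:erik,
  # whose only tuple is organization membership, is expected among the repository's
  # writers in the list_users test below.
  - user: organization:openfga#member
    relation: repo_admin
    object: organization:openfga
  # Erik is a member of the OpenFGA organization
  - user: user:erik
    relation: member
    object: organization:openfga
  # The openfga/core team members are admins on the openfga/openfga repository
  - user: team:openfga/core#member
    relation: admin
    object: repo:openfga/openfga
  # Anne is a reader on the openfga/openfga repository
  - user: user:anne
    relation: reader
    object: repo:openfga/openfga
  # Beth is a writer on the openfga/openfga repository
  - user: user:beth
    relation: writer
    object: repo:openfga/openfga
  # Charles is a member of the openfga/core team
  - user: user:charles
    relation: member
    object: team:openfga/core
  # Members of the openfga/backend team are members of the openfga/core team
  # Nested membership: access granted to openfga/core is expected to reach
  # openfga/backend members too (see the user:diane check).
  - user: team:openfga/backend#member
    relation: member
    object: team:openfga/core
  # Diane is a member of the openfga/backend team
  - user: user:diane
    relation: member
    object: team:openfga/backend

tests:
  # Per-user checks. The `false` assertions are the ones that catch privilege
  # escalation: they fail if a model or tuple change widens access.
  - name: Test
    check:
      # Direct reader grant only; must not resolve to a higher relation.
      - user: user:anne
        object: repo:openfga/openfga
        assertions:
          reader: true
          triager: false
          # anne is not among the writers expected by the list_users test below;
          # pin the same expectation on the check path.
          writer: false
      # Direct writer grant; must not resolve to admin.
      - user: user:beth
        object: repo:openfga/openfga
        assertions:
          admin: false
      # Member of openfga/core, whose members are admins on the repository.
      - user: user:charles
        object: repo:openfga/openfga
        assertions:
          writer: true
      # Member of openfga/backend only; admin is reached through the nested
      # backend -> core team membership.
      - user: user:diane
        object: repo:openfga/openfga
        assertions:
          admin: true
      # No tuple on the repository itself; access comes from organization membership.
      # NOTE(review): only `reader` is pinned here although erik is also expected as a
      # writer below. Asserting the highest relation he should hold, plus one he must
      # not hold, would make a change to the organization base permission visible.
      # Confirm the intended level against model.fga.
      - user: user:erik
        object: repo:openfga/openfga
        assertions:
          reader: true
      # NOTE(review): no check covers a user without any tuple. A default-deny case
      # (all relations false for an unrelated user) is worth adding once confirmed
      # against model.fga.

  # Reverse lookups: who holds `writer` on the repository.
  - name: Check if the right users have access to the right repositories
    list_users:
      # Individual users. user:anne, who holds only a direct reader grant, is not listed.
      - object: repo:openfga/openfga
        user_filter:
          - type: user
        assertions:
          writer:
            users:
              - user:charles
              - user:beth
              - user:diane
              - user:erik
      # Team member usersets (team#member) holding writer on the repository.
      - object: repo:openfga/openfga
        user_filter:
          - type: team
            relation: member
        assertions:
          writer:
            users:
              - team:openfga/backend#member
              - team:openfga/core#member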