diff options
Diffstat (limited to 'doc/share/authz/POLICY.md')
| -rw-r--r-- | doc/share/authz/POLICY.md | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/doc/share/authz/POLICY.md b/doc/share/authz/POLICY.md new file mode 100644 index 00000000..30cca5fe --- /dev/null +++ b/doc/share/authz/POLICY.md @@ -0,0 +1,51 @@ +# Policy + +A policy is a predicate that describes if a subject can perform an action +against a specific resource. + +```ruby + policy(:parent) { predicate } + policy(:partner) { predicate } + policy(:sibling) { predicate } + policy(:child) { predicate } + + enable(:permission, on: resource).when { parent | partner } +``` + +Authorizaion uses policies to determine if a subject in a specific context is +authorized to perform an action against a resource. + +```ruby + def can?(subject, action, resource) + end +``` + +## Policy Language + +A policy language facilitates: + +1. the specification of composite policies, which in turn forms the basis of trust delegation. +1. **the static analysis of policies and system configuration.** + +## Example + +The following hierarchy will be used as the basis for expression policy. + +```ruby +class Organization + has_many :groups +end + +class Group + belongs_to :organization + has_many :projects +end + +class Project + belongs_to :group + has_many :issues +end + +class Issue +end +``` |