Authorization engine for configuring per user per feature access control. Access is configured via plain text and handled directly via code. Configuration storage is controlled by you, scopie just handles the logic.
A language agnostic set of scenarios can be found in the scenarios.json file.
A portion of our application is around building, running and responding to financial reports. We run half, quarterly, monthly and weekly reports.
Actions
- Edit: Modify how the report is built
- Run: Manually run the report
- Read: Read the reports in our tool
- Approve: Sign off on the report, approved reports would then be shared
- Delete: Remove an invalid or broken report
Format
For the above reasons we are going to specify our scopes and rules as:
reports/<duration>/<action>
We could expand this later to include some sort of organization or business group but for this example, we will keep it simple.
Users
- Maya is allowed to do everything ( the boss )
allow/**
- Adam is allowed to edit and read any report ( makes changes to the queries )
allow/reports/*/edit|read
- Tyler can only read reports ( reviews reports but doesn't need to approve them )
allow/reports/*/read
- Elisa can do everything but delete ( mostly there to approve, but occasionally edits queries )
allow/reports/*/*
deny/reports/*/delete
- Jenna can edit and read but only the weekly reports ( a new hire working up )
allow/reports/weekly/edit|read