-
Notifications
You must be signed in to change notification settings - Fork 3
/
permissions.acl
138 lines (122 loc) · 4.51 KB
/
permissions.acl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
/*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
//////Member Access
//Members to have access only to their own account
rule MemberAccessOwnRecord {
description: "Allow Member to access only their profile"
participant(p): "org.clp.biznet.Member"
operation: ALL
resource(r): "org.clp.biznet.Member"
condition: (r.getIdentifier() === p.getIdentifier())
action: ALLOW
}
//Members Not to have access to other member accounts
rule MemberAccessMembers {
description: "Deny Member access to other Member accounts"
participant: "org.clp.biznet.Member"
operation: ALL
resource: "org.clp.biznet.Member"
action: DENY
}
//Members have access to Partners on the network
rule MemberAccessPartners {
description: "Allow Member access to all Partners on the network"
participant: "org.clp.biznet.Member"
operation: ALL
resource: "org.clp.biznet.Partner"
action: ALLOW
}
//Members to have access only to EarnPoints transaction where they are the member
rule MemberAccessEarnPoints {
description: "Allow Member access only to EarnPoints transaction where they are the member"
participant(p): "org.clp.biznet.Member"
operation: ALL
resource(r): "org.clp.biznet.EarnPoints"
condition: (r.member.getIdentifier() === p.getIdentifier())
action: ALLOW
}
//Members to have access only to UsePoints transaction where they are the member
rule MemberAccessUsePoints {
description: "Allow Member access only to UsePoints transaction where they are the member"
participant(p): "org.clp.biznet.Member"
operation: ALL
resource(r): "org.clp.biznet.UsePoints"
condition: (r.member.getIdentifier() === p.getIdentifier())
action: ALLOW
}
//////Partner Access
//Partners to have access only to their own account
rule PartnerAccessOwnRecord {
description: "Allow Partner to access only their profile"
participant(p): "org.clp.biznet.Partner"
operation: ALL
resource(r): "org.clp.biznet.Partner"
condition: (r.getIdentifier() === p.getIdentifier())
action: ALLOW
}
//Partners Not to have access to other partner accounts
rule PartnerAccessPartner {
description: "Deny Partner access to other Partner accounts"
participant: "org.clp.biznet.Partner"
operation: ALL
resource: "org.clp.biznet.Partner"
action: DENY
}
//Partners Not to have access to Members on the network
rule PartnerAccessMember {
description: "Deny Partner access to Members on the network"
participant: "org.clp.biznet.Partner"
operation: ALL
resource: "org.clp.biznet.Member"
action: DENY
}
//Partners to have read access to EarnPoints transaction where they are the partner
rule PartnerAccessEarnPoints {
description: "Allow Partners read only access to EarnPoints transaction where they are the partner"
participant(p): "org.clp.biznet.Partner"
operation: READ
resource(r): "org.clp.biznet.EarnPoints"
condition: (r.partner.getIdentifier() === p.getIdentifier())
action: ALLOW
}
//Partners to have read access to UsePoints transaction where they are the partner
rule PartnerAccessUsePoints {
description: "Allow Partners read only access to UsePoints transaction where they are the partner"
participant(p): "org.clp.biznet.Partner"
operation: READ
resource(r): "org.clp.biznet.UsePoints"
condition: (r.partner.getIdentifier() === p.getIdentifier())
action: ALLOW
}
rule SystemACL {
description: "System ACL to permit all access"
participant: "ANY"
operation: ALL
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}
rule NetworkAdminUser {
description: "Grant business network administrators full access to user resources"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "**"
action: ALLOW
}
rule NetworkAdminSystem {
description: "Grant business network administrators full access to system resources"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}