Up permissions migration

geniusrabbit · Mar 29, 2024 · 191b8c2 · 191b8c2
1 parent 799dee2
commit 191b8c2
Showing 1 changed file with 9 additions and 9 deletions.
diff --git a/migrations/initial/005_auth_roles.up.sql b/migrations/initial/005_auth_roles.up.sql
@@ -3,16 +3,16 @@ INSERT INTO rbac_role
   (name, title, context, permissions) VALUES
   -- System roles
   ('system:admin',       'System admins',      NULL, '{"*"}'),
-  ('system:manager',     'System manager',     NULL, '{"*.view.*", "*.list.*", "*.count.*", "*.create.*", "*.update.*", "*.delete.*", "*.restore.*", "*.approve.*", "*.reject.*", "role.**", "user.password.reset"}'),
-  ('system:analyst',     'System analyst',     NULL, '{"*.view.*", "*.list.*", "*.count.*", "role.check", "user.password.reset"}'),
-  ('system:viewer',      'System viewer',      NULL, '{"*.view.*", "*.list.*", "*.count.*", "role.check", "user.password.reset"}'),
-  ('system:compliance',  'System compliance',  NULL, '{"*.view.*", "*.list.*", "*.count.*", "*.approve.*", "*.reject.*", "role.check", "user.password.reset"}'),
+  ('system:manager',     'System manager',     NULL, '{"*.{view|list|count|create|update|delete|restore|approve|reject|reset}.*", "role.**", "user.password.reset", "account.member.**"}'),
+  ('system:analyst',     'System analyst',     NULL, '{"*.{view|list|count}.*", "*.*.{view|list|count}.*", "role.check", "user.password.reset"}'),
+  ('system:viewer',      'System viewer',      NULL, '{"*.{view|list|count}.*", "role.check", "user.password.reset"}'),
+  ('system:compliance',  'System compliance',  NULL, '{"*.{view|list|count|approve|reject}.*", "*.*.{view|list|count|approve|reject}.*", "role.check", "user.password.reset"}'),
   -- Account roles'
-  ('account:admin',      'Account admins',     NULL, '{"*.*.{account|owner}", "role.check", "user.password.reset"}'),
-  ('account:writer',     'Account writer',     NULL, '{"*.{view|list|restore}.{account|owner}", "role.check", "user.password.reset"}'),
-  ('account:analyst',    'Account analyst',    NULL, '{"*.view.{account|owner}", "*.list.{account|owner}", "role.check", "user.password.reset"}'),
-  ('account:viewer',     'Account viewer',     NULL, '{"*.view.{account|owner}", "*.list.{account|owner}", "role.check", "user.password.reset"}'),
-  ('account:compliance', 'Account compliance', NULL, '{"*.view.{account|owner}", "*.list.{account|owner}", "*.approve.{account|owner}", "*.reject.{account|owner}", "role.check", "user.password.reset"}');
+  ('account:admin',      'Account admins',     NULL, '{"*.*.{account|owner}", "*.*.*.{account|owner}", "role.check", "user.password.reset"}'),
+  ('account:writer',     'Account writer',     NULL, '{"*.{view|list|restore}.{account|owner}", "*.*.{view|list|restore}.{account|owner}", "role.check", "user.password.reset"}'),
+  ('account:analyst',    'Account analyst',    NULL, '{"*.{view|list}.{account|owner}", "*.*.{view|list}.{account|owner}", "role.check", "user.password.reset"}'),
+  ('account:viewer',     'Account viewer',     NULL, '{"*.{view|list}.{account|owner}", "*.*.{view|list}.{account|owner}", "role.check", "user.password.reset"}'),
+  ('account:compliance', 'Account compliance', NULL, '{"*.{view|list|approve|reject}.{account|owner}", "*.*.{view|list|approve|reject}.{account|owner}", "role.check", "user.password.reset"}');
 
 INSERT INTO m2m_account_member_role(member_id, role_id)
   SELECT m.id as member_id, (SELECT id FROM rbac_role WHERE name = 'system:admin') AS role_id