diff --git a/migrations/initial/005_auth_roles.up.sql b/migrations/initial/005_auth_roles.up.sql
index 76767f2..a105952 100644
--- a/migrations/initial/005_auth_roles.up.sql
+++ b/migrations/initial/005_auth_roles.up.sql
@@ -3,16 +3,16 @@ INSERT INTO rbac_role (name, title, context, permissions) VALUES
 -- System roles
 ('system:admin', 'System admins', NULL, '{"*"}'),
- ('system:manager', 'System manager', NULL, '{"*.view.*", "*.list.*", "*.count.*", "*.create.*", "*.update.*", "*.delete.*", "*.restore.*", "*.approve.*", "*.reject.*", "role.**", "user.password.reset"}'),
- ('system:analyst', 'System analyst', NULL, '{"*.view.*", "*.list.*", "*.count.*", "role.check", "user.password.reset"}'),
- ('system:viewer', 'System viewer', NULL, '{"*.view.*", "*.list.*", "*.count.*", "role.check", "user.password.reset"}'),
- ('system:compliance', 'System compliance', NULL, '{"*.view.*", "*.list.*", "*.count.*", "*.approve.*", "*.reject.*", "role.check", "user.password.reset"}'),
+ ('system:manager', 'System manager', NULL, '{"*.{view|list|count|create|update|delete|restore|approve|reject|reset}.*", "role.**", "user.password.reset", "account.member.**"}'),
+ ('system:analyst', 'System analyst', NULL, '{"*.{view|list|count}.*", "*.*.{view|list|count}.*", "role.check", "user.password.reset"}'),
+ ('system:viewer', 'System viewer', NULL, '{"*.{view|list|count}.*", "role.check", "user.password.reset"}'),
+ ('system:compliance', 'System compliance', NULL, '{"*.{view|list|count|approve|reject}.*", "*.*.{view|list|count|approve|reject}.*", "role.check", "user.password.reset"}'),
 -- Account roles'
- ('account:admin', 'Account admins', NULL, '{"*.*.{account|owner}", "role.check", "user.password.reset"}'),
- ('account:writer', 'Account writer', NULL, '{"*.{view|list|restore}.{account|owner}", "role.check", "user.password.reset"}'),
- ('account:analyst', 'Account analyst', NULL, '{"*.view.{account|owner}", "*.list.{account|owner}", "role.check", "user.password.reset"}'),
- ('account:viewer', 'Account viewer', NULL, '{"*.view.{account|owner}", "*.list.{account|owner}", "role.check", "user.password.reset"}'),
- ('account:compliance', 'Account compliance', NULL, '{"*.view.{account|owner}", "*.list.{account|owner}", "*.approve.{account|owner}", "*.reject.{account|owner}", "role.check", "user.password.reset"}');
+ ('account:admin', 'Account admins', NULL, '{"*.*.{account|owner}", "*.*.*.{account|owner}", "role.check", "user.password.reset"}'),
+ ('account:writer', 'Account writer', NULL, '{"*.{view|list|restore}.{account|owner}", "*.*.{view|list|restore}.{account|owner}", "role.check", "user.password.reset"}'),
+ ('account:analyst', 'Account analyst', NULL, '{"*.{view|list}.{account|owner}", "*.*.{view|list}.{account|owner}", "role.check", "user.password.reset"}'),
+ ('account:viewer', 'Account viewer', NULL, '{"*.{view|list}.{account|owner}", "*.*.{view|list}.{account|owner}", "role.check", "user.password.reset"}'),
+ ('account:compliance', 'Account compliance', NULL, '{"*.{view|list|approve|reject}.{account|owner}", "*.*.{view|list|approve|reject}.{account|owner}", "role.check", "user.password.reset"}');
 INSERT INTO m2m_account_member_role(member_id, role_id)
 SELECT m.id as member_id,
 (SELECT id FROM rbac_role WHERE name = 'system:admin') AS role_id