diff --git a/deploy/schemas/notifications/schema_subscribers_event_types.yaml b/deploy/schemas/notifications/schema_subscribers_event_types.yaml new file mode 100644 index 0000000..61ac892 --- /dev/null +++ b/deploy/schemas/notifications/schema_subscribers_event_types.yaml @@ -0,0 +1,58 @@ +schema: |- + definition user {} + + definition group { + relation member: user | group#member + } + + definition role { + relation inventory_host_view: user:* + } + + definition role_binding { + relation subject: user | group#member + relation granted: role + permission inventory_host_view = subject & granted->inventory_host_view + } + + definition workspace { + relation parent: workspace + relation user_grant: role_binding + relation direct_notification_subscriber: user with event_types + permission inventory_host_view = user_grant->inventory_host_view + permission notification_subscriber = direct_notification_subscriber + parent->notification_subscriber + } + + definition inventory/host { + relation workspace: workspace + permission view = workspace->inventory_host_view + // These have to be at least as granular as the associated permission + permission view_notification = view & workspace->notification_subscriber + } + + caveat event_types(event_type string, event_types list) { + event_type in event_types + } +relationships: |- + // There is a host_admin role + role:host_admin#inventory_host_view@user:* + + // There is a workspace (org1/w1) underneath a root org workspace (org1) + workspace:org1/w1#parent@workspace:org1 + + // There is a host within workspace:org/w1 + inventory/host:h1#workspace@workspace:org1/w1 + + // There are two subscribers to host notifications in org1 for specific event types + workspace:org1#direct_notification_subscriber@user:u1[event_types:{"event_types":["host_new_cve"]}] + workspace:org1#direct_notification_subscriber@user:u2[event_types:{"event_types":["host_new_cve","host_patch_failure"]}] + + // But only u1 has permissions (via the host_admin role) + workspace:org1/w1#user_grant@role_binding:u1_w1_host_admin + role_binding:u1_w1_host_admin#granted@role:host_admin + role_binding:u1_w1_host_admin#subject@user:u1 + + // u3 also has permissions, but is not subscribed. + workspace:org1/w1#user_grant@role_binding:u3_w1_host_admin + role_binding:u3_w1_host_admin#granted@role:host_admin + role_binding:u3_w1_host_admin#subject@user:u3