Resource Ownership
Grant additional permissions to the "owner" of a resource.
This might be some fixed piece of application-specific data, such as the person who opened an issue or wrote a comment.
Oso Policy
# Actors and resources.
actor User { }

resource Repository {
  roles = ["maintainer"];
}

resource Issue {
  roles = ["reader", "admin"];
  permissions = ["read", "comment", "update", "close"];
  relations = {
    creator: User,
    repository: Repository
  };

  # Role grants.
  # Two independent paths lead to "reader": the role hierarchy
  # (admin implies reader) and resource ownership (the creator
  # relation). Ownership does NOT grant "admin".
  "admin" if "maintainer" on "repository";  # repository maintainers administer issues
  "reader" if "admin";
  "reader" if "creator";

  # Permission grants, grouped by permission.
  "read" if "reader";
  "comment" if "reader";
  "update" if "creator";                    # only the owner may edit
  "close" if "creator";                     # owner and admin may both close
  "close" if "admin";
}

test "issue creator can update and close issues" {
  setup {
    has_relation(Issue{"537"}, "repository", Repository{"anvil"});
    has_relation(Issue{"42"}, "repository", Repository{"anvil"});
    has_relation(Issue{"537"}, "creator", User{"alice"});
  }
  assert allow(User{"alice"}, "update", Issue{"537"});
  assert allow(User{"alice"}, "close", Issue{"537"});
  # Ownership of one issue grants nothing on another.
  assert_not allow(User{"alice"}, "close", Issue{"42"});
}

test "repository maintainers can close issues" {
  setup {
    has_relation(Issue{"537"}, "repository", Repository{"anvil"});
    has_relation(Issue{"42"}, "repository", Repository{"anvil"});
    has_relation(Issue{"537"}, "creator", User{"alice"});
    has_role(User{"bob"}, "maintainer", Repository{"anvil"});
  }
  assert allow(User{"bob"}, "close", Issue{"537"});
  assert allow(User{"bob"}, "close", Issue{"42"});
  # Admin is not the owner: no "update".
  assert_not allow(User{"bob"}, "update", Issue{"537"});
}