Resource Ownership

Grant additional permissions to the "owner" of a resource.

This might be some fixed piece of application-specific data, like the person who opened an issue, or wrote a comment.

Oso Policy


actor User { }
resource Repository {
    roles = ["maintainer"];
}
resource Issue {
    roles = ["reader", "admin"];
    permissions = ["read", "comment", "update", "close"];
    relations = { repository: Repository, creator: User };
    # repository maintainers can administer issues
    "admin" if "maintainer" on "repository";
    "reader" if "admin";
    "reader" if "creator";
    "read" if "reader";
    "comment" if "reader";
    "update" if "creator";
    "close" if "creator";
    "close" if "admin";
}
test "issue creator can update and close issues" {
    setup {
        has_relation(Issue{"537"}, "repository", Repository{"anvil"});
        has_relation(Issue{"42"}, "repository", Repository{"anvil"});
        has_relation(Issue{"537"}, "creator", User{"alice"});
    }
    assert allow(User{"alice"}, "close", Issue{"537"});
    assert allow(User{"alice"}, "update", Issue{"537"});
    assert_not allow(User{"alice"}, "close", Issue{"42"});
}
test "repository maintainers can close issues" {
    setup {
        has_relation(Issue{"537"}, "repository", Repository{"anvil"});
        has_relation(Issue{"42"}, "repository", Repository{"anvil"});
        has_relation(Issue{"537"}, "creator", User{"alice"});
        has_role(User{"bob"}, "maintainer", Repository{"anvil"});
    }
    assert allow(User{"bob"}, "close", Issue{"537"});
    assert_not allow(User{"bob"}, "update", Issue{"537"});
    assert allow(User{"bob"}, "close", Issue{"42"});
}

Resource Sharing