-- Example Authorization Requests for Testing

-- 1. Admin Managing Users (Should succeed for U0000000001)
-- Permission: Manage User Accounts (ID: 1)
-- Policy: user.role = Admin
{
  "user_id": "U0000000001",
  "resource": "users",
  "action": "manage",
  "resource_data": {}
}
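-- Expected: ALLOWED (user has role="Super Admin")
-- NOTE: the policy above is written as user.role = Admin, while the user's role is "Super Admin"; confirm the engine allows this through an explicit role mapping and not through a substring or prefix match.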

-- 2. Regional Permission Assignment (Should succeed for same region)
-- Permission: Assign Project Roles (ID: 3)
-- Policy: user.region = ${resource.region}
{
  "user_id": "U0000000001",
  "resource": "personnel",
  "action": "assign_role",
  "resource_data": {
    "region": "01"
  }
}
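-- Expected: ALLOWED (user region "01" matches resource region "01")
-- NOTE: resource_data.region is supplied in the request itself; the regional check is only meaningful if the service resolves the resource's region from its own records or validates the supplied value. Confirm which applies.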

-- 3. Regional Permission Assignment (Should fail for different region)
-- Permission: Assign Project Roles (ID: 3)
-- Policy: user.region = ${resource.region}
{
  "user_id": "U0000000003",
  "resource": "personnel",
  "action": "assign_role",
  "resource_data": {
    "region": "01"
  }
}
-- Expected: DENIED (user region "03" doesn't match resource region "01")

-- 4. Data Collector Cannot Verify Cases
-- Permission: Verify Case (ID: 14)
-- Policy: user.action_user_role != Data Collector
{
  "user_id": "U0000000002",
  "resource": "cases",
  "action": "verify",
  "resource_data": {}
}
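-- Expected: DENIED (user is Data Collector)
-- NOTE: as written the policy is a negative match, so every other value satisfies it; confirm that a user with a missing or empty action_user_role is also denied.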

-- 5. Certify Data (RFP/PFP only)
-- Permission: Certify Data (ID: 20)
-- Policy: user.action_user_role IN RFP,PFP
{
  "user_id": "U0000000003",
  "resource": "data_processing",
  "action": "certify",
  "resource_data": {}
}
-- Expected: ALLOWED (user is Provincial Focal Person)

-- 6. Certify Data (Should fail for non-RFP/PFP)
-- Permission: Certify Data (ID: 20)
-- Policy: user.action_user_role IN RFP,PFP
{
  "user_id": "U0000000002",
  "resource": "data_processing",
  "action": "certify",
  "resource_data": {}
}
-- Expected: DENIED (user is Data Collector, not RFP/PFP)

-- 7. View User Profiles (No policies - should succeed)
-- Permission: View User Profiles (ID: 2)
-- No policies defined
{
  "user_id": "U0000000002",
  "resource": "users",
  "action": "view",
  "resource_data": {}
}
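-- Expected: ALLOWED (no policies to fail)
-- NOTE: this presumably assumes the user has been granted permission ID 2; an empty policy list should not by itself allow a user who does not hold the permission. Confirm against the permission-assignment check.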

-- 8. DPS Role Validation
-- Permission: Validate Data (ID: 18)
-- Policy: user.role_dps = 1
{
  "user_id": "U0000000001",
  "resource": "data_processing",
  "action": "validate",
  "resource_data": {}
}
-- Expected: ALLOWED (user has role_dps=1)

-- 9. Multiple Policies - Regional Workload Assignment
-- Permission: Assign Workload (ID: 9)
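-- Policy: user.region = ${resource.region}
-- NOTE: the heading says "Multiple Policies" but only this one policy is listed; list the remaining policies or rename the case.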
{
  "user_id": "U0000000001",
  "resource": "workload",
  "action": "assign",
  "resource_data": {
    "region": "01"
  }
}
-- Expected: ALLOWED (user in region 01, resource in region 01)

-- 10. Permission Not Found (Should return appropriate error)
{
  "user_id": "U0000000001",
  "resource": "nonexistent",
  "action": "delete",
  "resource_data": {}
}
-- Expected: DENIED with "Permission not found" reason
