116 lines
2.9 KiB
Plaintext
116 lines
2.9 KiB
Plaintext
-- Example Authorization Requests for Testing
|
|
|
|
-- 1. Admin Managing Users (Should succeed for U0000000001)
|
|
-- Permission: Manage User Accounts (ID: 1)
|
|
-- Policy: user.role = Admin
|
|
{
|
|
"user_id": "U0000000001",
|
|
"resource": "users",
|
|
"action": "manage",
|
|
"resource_data": {}
|
|
}
|
|
-- Expected: ALLOWED (user has role="Super Admin")
|
|
|
|
-- 2. Regional Permission Assignment (Should succeed for same region)
|
|
-- Permission: Assign Project Roles (ID: 3)
|
|
-- Policy: user.region = ${resource.region}
|
|
{
|
|
"user_id": "U0000000001",
|
|
"resource": "personnel",
|
|
"action": "assign_role",
|
|
"resource_data": {
|
|
"region": "01"
|
|
}
|
|
}
|
|
-- Expected: ALLOWED (user region "01" matches resource region "01")
|
|
|
|
-- 3. Regional Permission Assignment (Should fail for different region)
|
|
-- Permission: Assign Project Roles (ID: 3)
|
|
-- Policy: user.region = ${resource.region}
|
|
{
|
|
"user_id": "U0000000003",
|
|
"resource": "personnel",
|
|
"action": "assign_role",
|
|
"resource_data": {
|
|
"region": "01"
|
|
}
|
|
}
|
|
-- Expected: DENIED (user region "03" doesn't match resource region "01")
|
|
|
|
-- 4. Data Collector Cannot Verify Cases
|
|
-- Permission: Verify Case (ID: 14)
|
|
-- Policy: user.action_user_role != Data Collector
|
|
{
|
|
"user_id": "U0000000002",
|
|
"resource": "cases",
|
|
"action": "verify",
|
|
"resource_data": {}
|
|
}
|
|
-- Expected: DENIED (user is Data Collector)
|
|
|
|
-- 5. Certify Data (RFP/PFP only)
|
|
-- Permission: Certify Data (ID: 20)
|
|
-- Policy: user.action_user_role IN RFP,PFP
|
|
{
|
|
"user_id": "U0000000003",
|
|
"resource": "data_processing",
|
|
"action": "certify",
|
|
"resource_data": {}
|
|
}
|
|
-- Expected: ALLOWED (user is Provincial Focal Person)
|
|
|
|
-- 6. Certify Data (Should fail for non-RFP/PFP)
|
|
-- Permission: Certify Data (ID: 20)
|
|
-- Policy: user.action_user_role IN RFP,PFP
|
|
{
|
|
"user_id": "U0000000002",
|
|
"resource": "data_processing",
|
|
"action": "certify",
|
|
"resource_data": {}
|
|
}
|
|
-- Expected: DENIED (user is Data Collector, not RFP/PFP)
|
|
|
|
-- 7. View User Profiles (No policies - should succeed)
|
|
-- Permission: View User Profiles (ID: 2)
|
|
-- No policies defined
|
|
{
|
|
"user_id": "U0000000002",
|
|
"resource": "users",
|
|
"action": "view",
|
|
"resource_data": {}
|
|
}
|
|
-- Expected: ALLOWED (no policies to fail)
|
|
|
|
-- 8. DPS Role Validation
|
|
-- Permission: Validate Data (ID: 18)
|
|
-- Policy: user.role_dps = 1
|
|
{
|
|
"user_id": "U0000000001",
|
|
"resource": "data_processing",
|
|
"action": "validate",
|
|
"resource_data": {}
|
|
}
|
|
-- Expected: ALLOWED (user has role_dps=1)
|
|
|
|
-- 9. Multiple Policies - Regional Workload Assignment
|
|
-- Permission: Assign Workload (ID: 9)
|
|
-- Policy: user.region = ${resource.region}
|
|
{
|
|
"user_id": "U0000000001",
|
|
"resource": "workload",
|
|
"action": "assign",
|
|
"resource_data": {
|
|
"region": "01"
|
|
}
|
|
}
|
|
-- Expected: ALLOWED (user in region 01, resource in region 01)
|
|
|
|
-- 10. Permission Not Found (Should return appropriate error)
|
|
{
|
|
"user_id": "U0000000001",
|
|
"resource": "nonexistent",
|
|
"action": "delete",
|
|
"resource_data": {}
|
|
}
|
|
-- Expected: DENIED with "Permission not found" reason
|