| author | benj <benj@rse8.com> | 2022-12-31 21:53:34 -0800 |
|---|---|---|
| committer | benj <benj@rse8.com> | 2022-12-31 21:53:34 -0800 |
| commit | 176aae037400b43cb3971cd968afe59c73b3097a (patch) | |
| tree | 3e54905d0e32b2f259ecc10d788791d85a77a96f /crates/iam/src/main.rs | |
| parent | 8ca3433b2a4a82723e00e64b1e5aff0b1bed95b3 (diff) | |
cleanup authz
Diffstat (limited to 'crates/iam/src/main.rs')
| -rw-r--r-- | crates/iam/src/main.rs | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/crates/iam/src/main.rs b/crates/iam/src/main.rs
index c2ab5a3..ae44b46 100644
--- a/crates/iam/src/main.rs
+++ b/crates/iam/src/main.rs
@@ -58,7 +58,26 @@ async fn exec() -> Result<Option<String>> {
 std::env::set_var(ENV_SPICE_SERVER, "http://[::1]:50051");
 let secd = Secd::init(Some(
- "definition user {}\ndefinition organization {\n relation member: user \n }\n",
+ r#"
+definition user {}
+
+definition organization {
+ relation r_member: user
+ relation r_admin: user
+
+ permission member = r_admin + r_member
+ permission admin = r_admin
+}
+
+definition plugin {
+ relation r_creator: user | organization#admin
+ relation r_editor: user
+ relation r_viewer: user
+
+ permission creator = r_creator + r_creator->admin
+ permission editor = r_editor + r_creator + r_creator->admin
+ permission viewer = r_viewer + r_editor + r_creator + r_creator->admin
+}"#,
 ))
 .await
 .map_err(|e| CliError::SecdInitializationFailure(e.to_string()))?;
@@ -72,7 +91,7 @@ async fn exec() -> Result<Option<String>> {
 "organization".into(),
 Uuid::parse_str("862f38b5-7f88-4b55-800f-af8da059e3a7").unwrap(),
 ),
- relation: "member".into(),
+ relation: "r_member".into(),
 }])
 .await
 .unwrap();
@@ -87,7 +106,7 @@ async fn exec() -> Result<Option<String>> {
 "organization".into(),
 Uuid::parse_str("862f38b5-7f88-4b55-800f-af8da059e3a7").unwrap(),
 ),
- relation: "memb".into(),
+ relation: "member".into(),
 })
 .await
 { |
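Review bot: In the `plugin` definition the privilege ladder is written out in full on each of the `creator`, `editor` and `viewer` lines, so a later edit to one of them can leave the levels out of step without anything flagging it. Building each level on the one above keeps the hierarchy in one place and grants the same access: `permission editor = r_editor + creator` and `permission viewer = r_viewer + editor`. The `r_creator->admin` term also looks redundant, because `r_creator` only admits `user` and `organization#admin` subjects and the latter should already resolve to the organization's admins; that is worth confirming against the arrow semantics before relying on it. The schema literal sits inside `exec()`, whose body starts and ends outside this hunk.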
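Review bot: The names passed as `relation:` (`"r_member"` in this hunk, `"member"` in the `@@ -87,7 +106,7 @@` hunk) are free-standing string literals that must match the schema text in the first hunk, and the `"memb"` value replaced in the later hunk shows how easily they drift. A mismatched name in an authorization check only surfaces at runtime, and whether it then fails closed depends on result handling that lies outside these hunks. Defining the names once next to the schema, for example `const ORG_REL_MEMBER: &str = "r_member";` and `const ORG_PERM_MEMBER: &str = "member";`, and using them in both the write and the check would turn a typo into a compile error.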
