Diffstat (limited to 'gitano-admin/rules/siteadmin.lace')
-rw-r--r-- | gitano-admin/rules/siteadmin.lace | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/gitano-admin/rules/siteadmin.lace b/gitano-admin/rules/siteadmin.lace
new file mode 100644
index 0000000..b3818ef
--- /dev/null
+++ b/gitano-admin/rules/siteadmin.lace
@@ -0,0 +1,22 @@
+# Site administration rules
+
+# You must explicitly allow site administration here for anyone who
+# has the rights to do site admin but isn't a member of gitano-admin.
+
+# ct_site_admin is a predicate which is for ct-admin
+allow "CT Site Admins can manage users" ct_site_admin op_user
+allow "CT Site Admins can manage groups other than gitano-admin" ct_site_admin op_group !target_group_gitano_admin
+
+# ctXXX-admins members are permitted to edit ctXXX-* groups
+define ct_may_admin_target_group group ${targetgroup/prefix}-admins
+define is_ct_project_target targetgroup ~^ct[0-9]+%-
+allow "CT project admins can manage ctXXX- groups for their projects" op_group is_ct_project_target ct_may_admin_target_group
+
+# Anyone is permitted to look at the people in ct-admin and ctXXX-admins
+define ct_target_group_is_ct_admin targetgroup ct-admin
+define ct_target_group_is_ctxxx_admins targetgroup ~^ct[0-9]+%-admins$
+define ct_show_target_ok anyof ct_target_group_is_ct_admin ct_target_group_is_ctxxx_admins
+allow "Anyone may see admin groups" op_groupshow ct_show_target_ok
+
+# Otherwise we always deny site administration
+deny "You may not perform site administration" |
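Review bot: The project-admin rule (`allow "CT project admins can manage ctXXX- groups for their projects" op_group is_ct_project_target ct_may_admin_target_group`) also matches when the target group is the `ctXXX-admins` group itself, since `^ct[0-9]+%-` matches `ct123-admins` and `${targetgroup/prefix}-admins` then resolves to that same group — so project admins can add or remove other project admins (and, if `op_group` covers deletion, delete the admin group), which is privilege self-management rather than just managing the project's working groups. If that is intended, say so in the comment above the rule; if not, exclude it with the predicate the file already defines a few lines later, e.g. `allow "CT project admins can manage ctXXX- groups for their projects" op_group is_ct_project_target !ct_target_group_is_ctxxx_admins ct_may_admin_target_group`, moving that `define` above the rule if lace requires definitions to precede use. The same self-management applies to the site-admin rule: `ct_site_admin` members can edit every group except `gitano-admin`, including `ct-admin`. Separately, `target_group_gitano_admin` and `ct_site_admin` are referenced but not defined in this file, so the rule set presumably depends on definitions in another rules file — worth naming that file in a comment so a later edit there does not silently change what this hunk denies.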