[7211a95] | 1 | # |
[f824a9e] | 2 | # This example demonstrates intersections. An intersection is a logical-AND of |
[7211a95] | 3 | # roles or osets. An intersection succeeds if the principal is in the |
| 4 | # intersection of the sets defined by the roles. |
| 5 | # |
| 6 | # The policy set by Acme is that a character must be both a preferred customer and |
| 7 | # a WarnerBrothers character to buy rockets. Each of those attributes is |
| 8 | # specified by a role. |
| 9 | # |
| 10 | # This example defines 4 principals, Acme, WarnerBrothers, Coyote and Batman. |
| 11 | # Credential 1 defines the policy requiring both roles to get the buy_rockets |
| 12 | # role. Credential 2 gives the Coyote a preferred_customer role. Credential 3 |
| 13 | # gives Batman the preferred_customer role and Credential 4 recognizes the |
| 14 | # Coyote as a Warner Brothers character. |
| 15 | # |
| 16 | #In order to buy rockets from Acme, you must be BOTH a preferred customer |
| 17 | #AND a WarnerBros character. In this example, the following query will be |
| 18 | #successful: |
| 19 | # |
| 20 | # Acme.buy_rockets <-?- Coyote |
| 21 | # |
| 22 | #The following query will fail (because Batman does not have the |
| 23 | #attribute WarnerBros.character): |
| 24 | # |
| 25 | # Acme.buy_rockets <-?- Batman |
| 26 | # |
[f824a9e] | 27 | # acme_rockets_intersection_rt0 |
| 28 | |
| 29 | # Credential 1 |
| 30 | #[keyid:Acme].role:buy_rockets <- [keyid:Acme].role:preferred_customer |
| 31 | # & [keyid:WarnerBros].role:character |
| 32 | # Credential 2 |
| 33 | # [keyid:Acme].role:preferred_customer <- [keyid:Coyote] |
| 34 | |
| 35 | # Credential 3 |
| 36 | #[keyid:Acme].role:preferred_customer <- [keyid:Batman] |
| 37 | |
| 38 | # Credential 4 |
| 39 | #[keyid:WarnerBros].role:character <- [keyid:Coyote] |
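
The two queries described above, worked as an added example (not part of the original file and not the project's own code): a small Python evaluator for credentials written in this file's syntax. It handles bare principals, role-to-role delegation and intersections only; other RT0 forms such as linking roles are rejected, and all function names are hypothetical.

```python
import re

# Constructed input: the four credentials from the example, in its own syntax.
CREDENTIALS = """
[keyid:Acme].role:buy_rockets <- [keyid:Acme].role:preferred_customer & [keyid:WarnerBros].role:character
[keyid:Acme].role:preferred_customer <- [keyid:Coyote]
[keyid:Acme].role:preferred_customer <- [keyid:Batman]
[keyid:WarnerBros].role:character <- [keyid:Coyote]
"""

TERM = re.compile(r"^\[keyid:(\w+)\](?:\.role:(\w+))?$")

def parse_term(text):
    """Return (principal, role); role is None for a bare principal."""
    m = TERM.match(text.strip())
    if not m:
        raise ValueError(f"unsupported RT0 term: {text!r}")
    return m.group(1), m.group(2)

def parse(text):
    """Parse lines 'head <- term [& term ...]' into (head, [terms]) rules."""
    rules = []
    for line in text.strip().splitlines():
        head, body = line.split("<-", 1)
        head = parse_term(head)
        if head[1] is None:
            raise ValueError("credential head must be a role")
        rules.append((head, [parse_term(t) for t in body.split("&")]))
    return rules

def members(rules):
    """Compute every role's member set by iterating to a fixed point."""
    sets = {head: set() for head, _ in rules}
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            # A bare principal is a singleton set; a role is its current members.
            parts = [{p} if r is None else sets.get((p, r), set()) for p, r in body]
            new = set.intersection(*parts) - sets[head]  # logical AND of all terms
            if new:
                sets[head] |= new
                changed = True
    return sets

def query(rules, principal, role, subject):
    """Answer 'principal.role <-?- subject'."""
    return subject in members(rules).get((principal, role), set())
```

A role name that no credential defines has an empty member set, so an intersection that references it admits no one.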