#####################################################################
# label: 00
# This example demonstrates using an oset (object set) to control access
# to files based on the attributes of the principals. The script creates
# three principals, Alpha, Bob and Joe, and sets out the access policy.
#
# Files are named by URNs and are not principals.
#
# A principal's access rights are controlled by the Alpha principal. If a
# principal has the role [keyid:alpha].role:access([string:'Read'], [urn:filename]),
# that principal can Read filename.
#
# The policy names two teams, proj1 and proj2. A principal is on proj1 if it
# has the role team('proj1') defined by Alpha (written
# [keyid:alpha].role:team([string:'proj1'])). Each project has an associated set
# of files, defined by object sets. A file is in proj1's documents if it is in
# the oset documents('proj1') defined by Alpha, written
# [keyid:alpha].oset:documents([string:'proj1']).
#
# The example below lays out the policy that members of a given project can
# Read the documents of that project in Credential 1 and adds file://fileA to
# the document set for proj1 in Credential 2 - note that no principal is
# required for fileA, since oset members are URNs rather than principals.
# Credentials 3 & 4 add Bob to proj1 and Joe to proj2. Because Credential 1
# is parameterized on the project ?P, a member of one team gains Read on that
# team's documents only; nothing here grants cross-project reads.
#
# The attached query.py file runs 3 queries. First it confirms that Bob can Read
# fileA, then it confirms that Joe cannot (proj2 has no documents). Finally it
# confirms that Joe is in proj2.
#
# access_rt2
# Credential 1
# [keyid:alpha].role:access([string:'Read'],
#     [urn:?F[keyid:alpha].oset:documents([string:?P])])
#     <- [keyid:alpha].role:team([string:?P])
# Credential 2
# [keyid:alpha].oset:documents([string:'proj1']) <- [urn:'file://fileA']
# Credential 3
# [keyid:alpha].role:team([string:'proj1']) <- [keyid:Bob]
# Credential 4
# [keyid:alpha].role:team([string:'proj2']) <- [keyid:Joe]
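The following is an added, self-contained illustration of how the four credentials above combine; it is not the example's query.py and not the API of the ABAC implementation the example targets. It encodes Credentials 2-4 as ground facts and Credential 1 as a single rule with variables (?P, ?F, ?X), then derives the access role by naive forward chaining so the three queries from query.py can be checked offline. The attribute tags `role_team`, `oset_documents` and `role_access`, and the tuple layout (attribute, issuer, parameters..., member), are this example's own encoding.

```python
"""Mini RT2-style evaluator for the access_rt2 credentials (added example)."""
from typing import Dict, Iterator, List, Optional, Set, Tuple

Term = str                  # a constant, or a variable written "?Name"
Atom = Tuple[Term, ...]     # (attribute, issuer, *params, member)  -- this example's encoding
Subst = Dict[str, str]
Rule = Tuple[Atom, List[Atom]]   # (head, body)


def is_var(t: Term) -> bool:
    return t.startswith("?")


def unify(pattern: Atom, fact: Atom, subst: Subst) -> Optional[Subst]:
    """Extend subst so that pattern matches fact term by term, or return None."""
    if len(pattern) != len(fact):
        return None
    s = dict(subst)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if p in s and s[p] != f:
                return None
            s[p] = f
        elif p != f:
            return None
    return s


def solve(body: List[Atom], facts: Set[Atom], subst: Subst) -> Iterator[Subst]:
    """Yield every substitution under which all body atoms are known facts."""
    if not body:
        yield subst
        return
    first, rest = body[0], body[1:]
    for fact in facts:
        s = unify(first, fact, subst)
        if s is not None:
            yield from solve(rest, facts, s)


def substitute(atom: Atom, subst: Subst) -> Atom:
    return tuple(subst.get(t, t) for t in atom)


def derive(facts: Set[Atom], rules: List[Rule]) -> Set[Atom]:
    """Forward-chain the rules over the facts until no new atom appears."""
    known = set(facts)
    while True:
        new: Set[Atom] = set()
        for head, body in rules:
            for s in solve(body, known, {}):
                inst = substitute(head, s)
                # A head variable not bound by the body would be an unsafe rule; skip it.
                if any(is_var(t) for t in inst):
                    continue
                if inst not in known:
                    new.add(inst)
        if not new:
            return known
        known |= new


# Credential 2: [keyid:alpha].oset:documents([string:'proj1']) <- [urn:'file://fileA']
# Credential 3: [keyid:alpha].role:team([string:'proj1'])      <- [keyid:Bob]
# Credential 4: [keyid:alpha].role:team([string:'proj2'])      <- [keyid:Joe]
FACTS: Set[Atom] = {
    ("oset_documents", "alpha", "proj1", "file://fileA"),
    ("role_team", "alpha", "proj1", "Bob"),
    ("role_team", "alpha", "proj2", "Joe"),
}

# Credential 1: alpha.role:access('Read', ?F in alpha.oset:documents(?P))
#               <- alpha.role:team(?P)
# ?X is the principal being granted the role; ?P links team and document set.
RULES: List[Rule] = [(
    ("role_access", "alpha", "Read", "?F", "?X"),
    [("role_team", "alpha", "?P", "?X"),
     ("oset_documents", "alpha", "?P", "?F")],
)]


def can_read(principal: str, urn: str, facts: Set[Atom] = FACTS) -> bool:
    """Query 1/2 of query.py: does principal hold alpha.role:access('Read', urn)?"""
    return ("role_access", "alpha", "Read", urn, principal) in derive(facts, RULES)


def on_team(principal: str, project: str, facts: Set[Atom] = FACTS) -> bool:
    """Query 3 of query.py: does principal hold alpha.role:team(project)?"""
    return ("role_team", "alpha", project, principal) in derive(facts, RULES)


if __name__ == "__main__":
    print(can_read("Bob", "file://fileA"))   # True
    print(can_read("Joe", "file://fileA"))   # False
    print(on_team("Joe", "proj2"))           # True
```

Joe is refused not because his team membership fails but because the join on ?P finds no documents oset for proj2; adding a Credential of the form `[keyid:alpha].oset:documents([string:'proj2']) <- [urn:...]` is the only way to change that outcome, which is the point of separating team membership from the document set.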