#####################################################################
# This example demonstrates using a parameters to control access to 
# files based on the attributes of the principals. files are named by 
# URNs and are not principals.
# 
# A principal's access rights are controlled by the Alpha principal.  If a
# principal has the role role::read(urn:filename) that
# principal can read filename.  The policy is that the manager of the owner of
# a file can read it. (Presumably the owner can, too, but that is not encoded
# here.)
#
# The setup.py file creates four principals Alpha, Bob, Maryann and Joe
# 
# The attr.py file lays out the policy that the manager of the owner of a file
# can read it in Credential 1. Credential 2 establishes Bob as the manager of
# Joe. and Credential 3 establishes Joe as the owner of the file.
#
# The query.py file runs 2 queries.  First it confirms that Bob can read
# fileA, then it confirms that Maryann cannot. 

# file_read_rt2
#
# Credential 1 (alpha.read(?F) <- alpha.managerOf(?E:alpha.ownerOf(?F)))
# [keyid:alpha].role:read([urn:?F])<-
#    [keyid:alpha].role:managerOf([principal:?E[keyid:alpha].role:ownerOf([urn:?F])]

# Credential 2
#[keyid:Alpha].role:managerOf([Keyid:Joe]) <- [keyid:Bob]

# Credential 3
#[keyid:Alpha].role:ownerOf([urn:'file://fileA']) <- [keyid:Joe]