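module model

# Authorization model (OpenFGA DSL, modular file). Object hierarchy:
#   system -> organization -> group -> archive (archives may also nest via `parent`).
# `superuser` is assigned once at the system level and flows down every
# `parent` chain: it yields `admin` on organizations and groups and, through an
# archive's `principal` group, `exec` and `owner` on archives. Treat it as the
# break-glass role and keep its tuple set small and audited.

type system
  relations
    # Root privilege for the whole deployment; inherited by every organization,
    # group and (via `principal`) archive beneath this system.
    define superuser: [user, group#member]

type domain

type organization
  relations
    define realm: [domain]
    # Direct admins plus superusers of the parent system.
    define admin: [user] or superuser
    define superuser: superuser from parent
    define parent: [system]

type group
  relations
    define member: [user, group#member]
    # Direct admins, admins of the parent organization, or system superusers.
    define admin: [user] or admin from parent or superuser
    define superuser: superuser from parent
    define parent: [organization]

type user
  relations
    # A user is active only when an explicit `active` tuple exists AND a
    # `registered` tuple exists AND no `disabled` tuple exists. `disabled`
    # wins over everything else.
    define active: ([user] and registered) but not disabled
    define disabled: [user]
    define registered: [user]

type archive
  relations
    # Read access. `user:*` is the public wildcard: one tuple
    # (archive:X#view@user:*) makes X readable by every user, and because it
    # is listed without `with term` such a grant cannot be time-boxed.
    # Owners always have view.
    # NOTE(review): `exec` does not imply `view` here -- a ticket holder
    # without a view grant can execute but not read; confirm that is intended.
    define view: [user with term, group#member with term, user:*] or owner
    # Execute access: ticket-gated direct grants (task allow-list, quota, time
    # window), inherited from parent archives, or superusers of the principal
    # group's system.
    define exec: [user with ticket, group#member with ticket] or exec from parent or superuser from principal
    # Ownership: direct, inherited from the parent archive, or via admin of the
    # principal group (which in turn includes organization admins and superusers).
    define owner: [user] or owner from parent or admin from principal
    define principal: [group]
    define parent: [archive]

# Time-window check used by `view` grants.
# Presumably start_time/end_time are stored on the tuple and `time` is supplied
# in the request context -- confirm against the writer/checker code.
# A window with start_time >= end_time means "no time restriction". This is a
# fail-open sentinel: a tuple written with swapped bounds grants unbounded
# access, so writers must validate start_time < end_time before storing a
# bounded grant.
condition term(time: timestamp, start_time: timestamp, end_time: timestamp) {
  start_time >= end_time  // no time restriction
  || (time >= start_time && time <= end_time)
}

# Execution ticket: the requested `task` must be allowed, usage must be under
# quota, and the request must fall inside the same kind of time window as
# `term` (same sentinel, same caveat).
#   task / usage / time                      -- expected per request (context)
#   tasks / quota / start_time / end_time    -- expected on the tuple
# `tasks` is declared as `list<string>`: OpenFGA list parameters carry an
# element type, and `task in tasks` compares strings (the original bare `list`
# had no element type).
# quota < 0 means unlimited; quota == 0 never matches (usage < 0 is false for
# non-negative usage). "*" on either side of the task check matches any task.
# NOTE(review): `task == "*"` lets whoever sets the request context bypass the
# allow-list entirely -- confirm `task` is populated server-side, never from
# client input.
condition ticket(task: string, usage: double, time: timestamp, tasks: list<string>, quota: double, start_time: timestamp, end_time: timestamp) {
  (task == "*" || task in tasks || "*" in tasks)
  && (quota < 0.0 || usage < quota)
  && (start_time >= end_time || (time >= start_time && time <= end_time))
}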