module model
# Root of the hierarchy: organizations point at a system through their `parent` relation.
type system
  relations
    # Directly assignable to a user or to the members of a group (userset group#member).
    # organization and group both derive `superuser` from their parent, and `superuser`
    # satisfies `admin` on both types and `exec` on archives (via the archive's principal),
    # so a tuple written here reaches every object below this system.
    # NOTE(review): because group#member is accepted, adding a member to such a group
    # grants superuser indirectly; audit writes to this relation and to that group's `member`.
    define superuser: [ user, group#member ]
# Type with no relations of its own; in this file it is only the subject type of organization `realm`.
type domain
# An organization sits under a system and is the parent of groups.
type organization
  relations
    # Links the organization to a domain. No relation in this file derives access from it.
    define realm: [ domain ]
    # Direct user assignment, or any superuser of the organization.
    define admin: [ user ] or superuser
    # Never assigned directly: inherited from the parent system.
    define superuser: superuser from parent
    # NOTE(review): the model does not restrict who may write `parent` tuples; whoever can
    # write one decides which system's superusers apply here, so restrict it at the write API.
    define parent: [ system ]
# A group belongs to an organization and acts as the `principal` of archives.
type group
  relations
    # Users directly, or the members of another group (nested groups).
    # `member` does not imply `admin`, and `admin` does not imply `member`.
    define member: [ user, group#member ]
    # Direct user assignment, an admin of the parent organization, or a superuser.
    # An archive's `owner` includes `admin from principal`, so a group admin owns
    # (and can therefore view) every archive whose principal is this group.
    define admin: [ user ] or admin from parent or superuser
    # Never assigned directly: inherited from the parent organization (and, through it, the system).
    define superuser: superuser from parent
    define parent: [ organization ]
# Account-state flags, stored as user-to-user tuples.
# NOTE(review): the subject type is also `user`, so a tuple can relate one user to a
# different user object. Presumably these are written and checked with the same id on
# both sides (user:X <relation> user:X) - confirm against the callers.
type user
  relations
    # Needs a direct `active` tuple AND `registered`, and is removed by `disabled`.
    # NOTE(review): no other relation in this file references `active` or `disabled`, so
    # marking a user disabled does not by itself revoke view/exec/owner on archives or
    # admin/superuser. The caller has to check `active` as well on every decision.
    define active: ([ user ] and registered) but not disabled
    define disabled: [ user ]
    define registered: [ user ]
# The protected resource. Archives nest through `parent` and are tied to one group through `principal`.
type archive
  relations
    # Direct grants to a user or to group members carry the `term` time-window condition.
    # Owners can always view. View is inherited from a parent archive only through `owner`.
    # NOTE(review): `user:*` is accepted without a condition. One wildcard tuple makes the
    # archive viewable by every user with no time window, and the model does not exclude
    # users flagged `disabled`. Treat writes of the wildcard tuple as a privileged action.
    define view: [ user with term, group#member with term, user:* ] or owner
    # Direct grants carry the `ticket` condition (task list, quota, time window).
    # `exec from parent` carries a grant on an ancestor archive down to every descendant.
    # Superusers of the principal group can always exec. `owner` and `admin` alone do not grant exec.
    define exec: [ user with ticket, group#member with ticket ] or exec from parent or superuser from principal
    # Direct user assignment, an owner of the parent archive, or an admin of the principal
    # group (which in turn includes organization admins and superusers).
    define owner: [ user ] or owner from parent or admin from principal
    # NOTE(review): `principal` and `parent` decide whose admins, superusers and owners
    # apply to this archive; write access to these two relations should be tightly controlled.
    define principal: [ group ]
    define parent: [ archive ]
# Time-window condition attached to direct `view` grants on archives.
# True when `time` lies in [start_time, end_time] (both bounds inclusive), or when
# start_time >= end_time, which the author treats as "no window configured".
# NOTE(review): that second case fails open. A swapped or equal start/end pair yields
# unrestricted access rather than a denial, so validate the window when the tuple is written.
# NOTE(review): `time` is presumably supplied in the request context - confirm it is set by
# the trusted calling service and not forwarded from the client.
condition term(time: timestamp, start_time: timestamp, end_time: timestamp) {
  start_time >= end_time // no time restriction
  || (time >= start_time && time <= end_time)
}
# Condition attached to direct `exec` grants on archives. All three clauses must hold:
#   1. task:  `task` is "*", or `task` is listed in `tasks`, or `tasks` contains "*".
#   2. quota: `quota` is negative (treated as unlimited) or `usage` is strictly below `quota`.
#   3. time:  same window rule as `term`; start_time >= end_time means no window. `&&` binds
#             tighter than `||`, so this clause groups as a || (b && c).
# Which parameters are stored on the tuple and which arrive in the request context is not
# visible in this file.
# NOTE(review): `task == "*"` passes whatever `tasks` contains. If `task` comes from the
# request context, the calling service should set it from the operation actually being
# performed and reject a literal "*" from clients.
# NOTE(review): the model does not track `usage`; the quota is only as reliable as the value
# the caller supplies. Presumably usage is never negative - confirm.
# NOTE(review): as in `term`, an inverted or equal start/end pair fails open.
condition ticket(task: string, usage: double, time: timestamp, tasks: list<string>, quota: double, start_time: timestamp, end_time: timestamp) {
  (task == "*" || task in tasks || "*" in tasks)
  && (quota < 0.0 || usage < quota)
  && (start_time >= end_time || time >= start_time && time <= end_time)
}