@ddt/iam
Define rules that allow or deny a set of actions against a set of resources; resource patterns may contain placeholders that are resolved from an optional context object at check time.
Deny rules trump allow rules: when a request matches both a deny rule and an allow rule, the deny wins. This matters whenever resource patterns are built from context values that end users may be able to influence (such as a friends list) — an explicit deny rule is what keeps such values from unlocking protected resources, as the last example below shows.
// Rules are evaluated together: any matching deny rule overrides every
// matching allow rule. `${...}` placeholders inside a resource pattern are
// resolved from the context object passed to `can()`; `{${...}}` around an
// array value appears to expand it into a set of alternatives (see the
// `bestfriends` check below).
const rules = [
  {
    effect: 'allow', // optional, defaults to allow
    resources: ['secrets:${user.id}:*'],
    actions: ['read', 'write'],
  },
  {
    // Read access to every secret owned by one of the user's best friends.
    resources: ['secrets:{${user.bestfriends}}:*'],
    actions: ['read'],
  },
  {
    // Admin secrets are never readable, whatever the allow rules say.
    effect: 'deny',
    resources: ['secrets:admin:*'],
    actions: ['read'],
  },
];
const role = new Role(rules);

const context = { user: { id: 456, bestfriends: [123, 563, 1211] } };

// 563 is listed in `user.bestfriends`, so the second rule matches -> true
role.can('read', 'secrets:563:sshhh', context);

// The deny rule matches -> false
role.can('read', 'secrets:admin:super-secret', context);

// Even when the context lists 'admin' as a friend (which an end user might
// be able to arrange), the allow rule it would satisfy is still overridden
// by the deny rule -> false. Without that deny rule, whoever controls
// `bestfriends` could grant themselves read access to admin secrets.
const friendsWithAdminContext = { user: { id: 456, bestfriends: ['admin'] } };
role.can('read', 'secrets:admin:super-secret', friendsWithAdminContext);