#Exclusion Cases
elfin fossil
Hello @desert meadow , we've made some modifications in the v0.4.3 update related to the validation file and exclusion.
- In validation, we switched to a scenario-based method to write tests more quickly.
- We have changed the 'and not' phrase to 'not' in the DSL. From now on, writing 'not' will function the same as 'and not'.
I would like to explain this in the context of these new version.
schema: >-
entity user {}
entity organization {
relation blocked_carriers @user @carrier#dispatcher
}
entity carrier {
relation org @organization
relation dispatcher @user
relation admin @user
action create_asset = dispatcher not org.blocked_carriers
}
relationships:
- carrier:1#dispatcher@user:1
- carrier:2#dispatcher@user:2
- carrier:1#org@organization:1
- carrier:2#org@organization:1
# - organization:1#blocked_carriers@user:2 - it should return the same result as below
- organization:1#blocked_carriers@carrier:2#dispatcher
scenarios:
- name: "scenario 1"
description: "test description"
checks:
- entity: "carrier:1"
subject: "user:1"
assertions:
create_asset : true
- entity: "carrier:2"
subject: "user:2"
assertions:
create_asset : false
entity_filters:
subject_filters:
In this structure, the 'create_asset' action can be performed by the carrier's dispatcher if the dispatcher is not in the blocked list of the organization to which the carrier is connected. If there's anything I misunderstood, please correct me.
desert meadow
thanks for the information, Tolga! what I need is a bit different. in our use case, carriers are our clients that has different type of users who can access to our system. sometime we need to block one carrier completely (e.g. they violate our polices) so that none of their users would be able to access our system.
elfin fossil
I understand your point better now, @desert meadow.
I have prepared a schema in this way. This allows for the creation of a relationship that puts a carrier into the block list. For example, if we wrote:
- organization:1#blocked_carrier@carrier:2#...
If the user is an admin or dispatcher of Carrier 2, they won't be able to access and will be directly blocked.
schema: >-
entity user {}
entity organization {
relation blocked_carrier @carrier
action blocked = blocked_carrier.dispatcher or blocked_carrier.admin
}
entity carrier {
relation org @organization
relation dispatcher @user
relation admin @user
action create_asset = dispatcher not org.blocked
}
relationships:
- carrier:1#dispatcher@user:1
- carrier:2#dispatcher@user:2
- carrier:1#org@organization:1
- carrier:2#org@organization:1
- organization:1#blocked_carrier@carrier:2#...
scenarios:
- name: "scenario 1"
description: "test description"
checks:
- entity: "carrier:1"
subject: "user:1"
assertions:
create_asset : true
- entity: "carrier:2"
subject: "user:2"
assertions:
create_asset : false
entity_filters:
subject_filters:
I hope this is a good solution for you
desert meadow
this solution looks very interesting. thank you very much, @elfin fossil !
elfin fossil
I'm glad I could help. You can write to us whenever you need.
desert meadow
maybe another quick question, is it possible to refer to a schema file in the schema validation file? such as
schema: my_schema_file.yaml
relationships:
- xxx
scenarios:
- xxx
Hi @desert meadow , there's currently no usage like that. But if you'd like, you can open an issue and we'll make it happen within two weeks.
desert meadow
no worries. I can make it happen with some shell tricks 😉
just want to check whether there is a built-in support as the schema normally is defined in a separate file
keeping syncing the schema between the schema file and the schema validation file is bit annoying - not sure how others approach this? (since I might be doing something unusual here)