seb54000 · September 21, 2018 07:39
diff --git a/basic-app.json b/basic-app.json
 {
  "description": "MyGroup allowed access to MyProject only",
  "context": {
    "application": "rundeck"
  },
  "for": {
    "project": [
      {
        "match": {
          "name": "MyProject"
        },
        "allow": [
          "read"
        ]
      }
    ]
  },
  "by": {
    "group": "MyGroup"
  }
 }
diff --git a/basic-project.json b/basic-project.json
 {
  "description": "MyGroup access rules to MyProject.",
  "context": {
    "project": "MyProject"
  },
  "for": {
    "resource": [
      {
        "equals": {
          "kind": "event"
        },
        "allow": [
          "read"
        ]
      }
    ],
    "job": [
      {
        "allow": [
          "read"
        ]
      },
      {
        "match": {
          "group": "^mygroup($|/.*)"
        },
        "allow": [
          "read",
          "run"
        ]
      }
    ],
    "adhoc": [
      {
        "deny": "run"
      }
    ],
    "node": [
      {
        "contains": {
          "tags": "mytag"
        },
        "allow": [
          "read",
          "run"
        ]
      },
      {
        "equals": {
          "rundeck_server": "true"
        },
        "allow": [
          "read",
          "run"
        ]
      }
    ]
  },
  "by": {
    "group": "MyGroup"
  }
 }
diff --git a/basic.aclpolicy b/basic.aclpolicy
 # Application scope
 description: MyGroup allowed access to MyProject only
 context:
  application: 'rundeck'
 for:
  project:
    - match:
        name: 'MyProject'
      allow: [read]
 by:
  group: MyGroup

 ---

 # Project scope
 description: MyGroup access rules to MyProject.
 context:
  project: 'MyProject'
 for:
  resource:
    - equals:
        kind: event
      allow: [read] # allow read of all activity (jobs run by all users)
  job:
    - allow: [read] # allow read of all jobs
    - match:
        group: '^mygroup($|/.*)'
      allow: [read,run] # allow run access for jobs within the "mygroup" top level group
  adhoc:
    - deny: run # don't allow adhoc execution
  node:
    - contains:
        tags: mytag
      allow: [read, run] # allow run on nodes with the tag 'mytag'
    - equals:
        rundeck_server: 'true'
      allow: [read, run] # allow run on rundeck server node
 by:
  group: MyGroup
	{
	"description": "MyGroup allowed access to MyProject only",
	"context": {
	"application": "rundeck"
	},
	"for": {
	"project": [
	{
	"match": {
	"name": "MyProject"
	},
	"allow": [
	"read"
	]
	}
	]
	},
	"by": {
	"group": "MyGroup"
	}
	}
	{
	"description": "MyGroup access rules to MyProject.",
	"context": {
	"project": "MyProject"
	},
	"for": {
	"resource": [
	{
	"equals": {
	"kind": "event"
	},
	"allow": [
	"read"
	]
	}
	],
	"job": [
	{
	"allow": [
	"read"
	]
	},
	{
	"match": {
	"group": "^mygroup($\|/.*)"
	},
	"allow": [
	"read",
	"run"
	]
	}
	],
	"adhoc": [
	{
	"deny": "run"
	}
	],
	"node": [
	{
	"contains": {
	"tags": "mytag"
	},
	"allow": [
	"read",
	"run"
	]
	},
	{
	"equals": {
	"rundeck_server": "true"
	},
	"allow": [
	"read",
	"run"
	]
	}
	]
	},
	"by": {
	"group": "MyGroup"
	}
	}
	# Application scope
	description: MyGroup allowed access to MyProject only
	context:
	application: 'rundeck'
	for:
	project:
	- match:
	name: 'MyProject'
	allow: [read]
	by:
	group: MyGroup

	---

	# Project scope
	description: MyGroup access rules to MyProject.
	context:
	project: 'MyProject'
	for:
	resource:
	- equals:
	kind: event
	allow: [read] # allow read of all activity (jobs run by all users)
	job:
	- allow: [read] # allow read of all jobs
	- match:
	group: '^mygroup($\|/.*)'
	allow: [read,run] # allow run access for jobs within the "mygroup" top level group
	adhoc:
	- deny: run # don't allow adhoc execution
	node:
	- contains:
	tags: mytag
	allow: [read, run] # allow run on nodes with the tag 'mytag'
	- equals:
	rundeck_server: 'true'
	allow: [read, run] # allow run on rundeck server node
	by:
	group: MyGroup