-
Notifications
You must be signed in to change notification settings - Fork 7
/
RolesAndPolicies.yml
218 lines (215 loc) · 11.9 KB
/
RolesAndPolicies.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
# Possible limitation types and values the types accept
#
# The types are defined by eZ Publish's Role service
# All values must be arrays even if it is a single value
#
# ContentType limitation example:
# identifier: Class
# values: [1, 2, 3] # List of content type ids. Can be specified using identifier as well
#
# Language limitation example:
# identifier: Language
# values: [eng-GB, eng-US] # List of valid language codes
#
# Location limitation example"
# identifier: Node
# values: [2, 345] # List of location ids. Can be specified using remote id as well
#
# Owner limitation
# identifier: Owner
# values: [x] # must be either 1 (owner) or 2 (session)
#
# ParentContentType limitation example:
# identifier: ParentClass
# values: [1, 2, 3] # List of content type ids. Can be specified using identifier as well
#
# ParentDepth limitation example:
# identifier: ParentDepth
# values: [x]
#
# ParentOwner limitation example:
# identifier: ParentOwner
# values: [x] # either 1 (owner) or 2 (session)
#
# ParentUserGroup limitation example:
# identifier: ParentGroup
# values: [1] # must be 1 (owner)
#
# Section limitation example:
# identifier: Section
# values: [1, 2, 3] # List of section ids. Can be specified using identifier as well
#
# Siteaccess limitation example: (Not implemented yet in eZ Publish 5 API)
# identifier: SiteAccess
# values: [siteaccess, siteaccess] # List of siteaccess name strings
#
# Subtree limitation example:
# identifier: Subtree
# values: [/1/2/3/4, /1/2/3/15] # List of subtree path strings, needs to be the location path
#
# UserGroup limitation example:
# identifier: UserGroup
# values: [1] # must be 1 (owner)
-
type: role
mode: create
name: xyz # Name of the role
policies: # Optional
-
module: xyz
function: xyz # to grant access to all function, use '*' (including simple quotes)
limitations: # Optional
-
identifier: xyz
values: [x, y]
-
module: xyz
function: xyz
limitations:
-
identifier: xyz
values: [x, y]
assign: # Optional
-
type: user|group # Must be user or group
ids: [x, y, z] # List of user IDs to assign the new role to
limitations: # Optional limitation on role assignment
-
identifier: xyz # natively supported: Subtree and Section
values: [x, y]
# The list in references tells the manager to store specific values for later use by other steps in the current migration.
# NB: these are NEW VARIABLES THAT YOU ARE CREATING. They are not used in the current migration step!
references: # Optional
# short syntax:
referenceId: attributeId # (possible values and meaning are explained for the 'long syntax')
# long syntax:
-
identifier: referenceId # A string used to identify the reference
attribute: attributeId # An attribute to get the value of for the reference.
# Supports: role_id and role_identifier
# The shorthand 'id' can be used instead of 'role_id'
# The shorthand 'identifier' can be used instead of 'role_identifier'
overwrite: true|false # Optional, default false. If not set, and the reference already exists, an exception is thrown
if: # Optional. If set, the migration step will be skipped unless the condition is matched
"reference:_ref_name": # name of a reference to be used for the test
_operator_: value # allowed operators: eq, gt, gte, lt, lte, ne, count, length, regexp, satisfies
-
type: role
mode: update
match: # Only one of the following can be specified, to define which roles to update
id: x # int|int[]
identifier: xyz # string|string[]
all: ~ # matches ALL roles
or: # match any of the conditions below. *NB:* less efficient that using the array notation for a single condition
-
_condition_: value # where _condition_ can be any of ones specified above, including 'and' and 'or'
-
_condition_: value # where _condition can be any of ones specified above, including 'and' and 'or'
and: # match all of the conditions below
-
_condition_: value # where _condition_ can be any of ones specified above, including 'and' and 'or'
-
_condition_: value # where _condition_ can be any of ones specified above, including 'and' and 'or'
not: # matches elements NOT satisfying the wrapped condition
_condition_: value # where _condition_ can be any of ones specified above, including 'and' and 'or'
match_tolerate_misses: false # optional. Do not fail the execution if there is no item matching, when matching by id or identifier
new_name: # Optional (note: this field might be renamed in the future)
assign: # Optional
-
type: # Must be user or group
ids: [x, y, z] # List of user IDs to assign the new role to
limitations: # Optional role limitation on assignment
-
identifier: xyz
values: [x, y]
unassign: # Optional. Same values as for 'assign'
policies: # Optional.
# NB: *take care* this does not work like content type updates or content updates.
# If this set, all previously existing policies not specified in this list will be removed!
# The safest and simplest way to make sure that you do not forget any of the existing policies is to first
# generate an update migration that has the complete specification of the role as it currently is defined,
# and then edit manually. See the main readme file for an example of such a command.
-
module: xyz
function: xyz
limitations:
-
identifier: xyz
values: [x, z]
# The list in references tells the manager to store specific values for later use by other steps in the current migration.
# NB: these are NEW VARIABLES THAT YOU ARE CREATING. They are not used in the current migration step!
references: # Optional
# short syntax:
referenceId: attributeId # (possible values and meaning are explained for the 'long syntax')
# long syntax:
-
identifier: referenceId # A string used to identify the reference
attribute: attributeId # An attribute to get the value of for the reference.
# Supports: role_id and role_identifier
# The shorthand 'id' can be used instead of 'role_id'
# The shorthand 'identifier' can be used instead of 'role_identifier'
# 'count' can be used to set a reference to the number of items matched
overwrite: true|false # Optional, default false. If not set, and the reference already exists, an exception is thrown
expect: one|any|many # Optional. If set, the number of matched items will be validated, and the type of values set to created references will change
# 'one': only one element should be matched; reference values will be scalars
# 'any': zero or more element should be matched; reference values will be arrays
# 'many': one or more element should be matched; reference values will be arrays
if: # Optional. If set, the migration step will be skipped unless the condition is matched
"reference:_ref_name": # name of a reference to be used for the test
_operator_: value # allowed operators: eq, gt, gte, lt, lte, ne, count, length, regexp, satisfies
-
type: role
mode: delete
match: # Only one of the following can be specified, to define which roles to remove
id: x # int|int[]
identifier: xyz # string|string[]
all: ~ # matches ALL roles
or: # match any of the conditions below. *NB:* less efficient that using the array notation for a single condition
-
_condition_: value # where _condition_ can be any of ones specified above, including 'and' and 'or'
-
_condition_: value # where _condition can be any of ones specified above, including 'and' and 'or'
and: # match all of the conditions below
-
_condition_: value # where _condition_ can be any of ones specified above, including 'and' and 'or'
-
_condition_: value # where _condition_ can be any of ones specified above, including 'and' and 'or'
not: # matches elements NOT satisfying the wrapped condition
_condition_: value # where _condition_ can be any of ones specified above, including 'and' and 'or'
match_tolerate_misses: false # optional. Do not fail the execution if there is no item matching, when matching by id or identifier
references: # Optional. See above for allowed values
expect: one|any|many # Optional. If set, the number of matched items will be validated, and the type of values set to created references will change
# 'one': only one element should be matched; reference values will be scalars
# 'any': zero or more element should be matched; reference values will be arrays
# 'many': one or more element should be matched; reference values will be arrays
if: # Optional. If set, the migration step will be skipped unless the condition is matched
"reference:_ref_name": # name of a reference to be used for the test
_operator_: value # allowed operators: eq, gt, gte, lt, lte, ne, count, length, regexp, satisfies
-
type: role
mode: load
match: # Only one of the following can be specified, to define which roles to remove
id: x # int|int[]
identifier: xyz # string|string[]
all: ~ # matches ALL roles
or: # match any of the conditions below. *NB:* less efficient that using the array notation for a single condition
-
_condition_: value # where _condition_ can be any of ones specified above, including 'and' and 'or'
-
_condition_: value # where _condition can be any of ones specified above, including 'and' and 'or'
and: # match all of the conditions below
-
_condition_: value # where _condition_ can be any of ones specified above, including 'and' and 'or'
-
_condition_: value # where _condition_ can be any of ones specified above, including 'and' and 'or'
not: # matches elements NOT satisfying the wrapped condition
_condition_: value # where _condition_ can be any of ones specified above, including 'and' and 'or'
match_tolerate_misses: false # optional. Do not fail the execution if there is no item matching, when matching by id or identifier
references: # Optional. See above for allowed values
expect: one|any|many # Optional. If set, the number of matched items will be validated, and the type of values set to created references will change
# 'one': only one element should be matched; reference values will be scalars
# 'any': zero or more element should be matched; reference values will be arrays
# 'many': one or more element should be matched; reference values will be arrays
if: # Optional. If set, the migration step will be skipped unless the condition is matched
"reference:_ref_name": # name of a reference to be used for the test
_operator_: value # allowed operators: eq, gt, gte, lt, lte, ne, count, length, regexp, satisfies