
User Policy Syntax

This page contains the reference information needed by users who write custom user policies in the REGO syntax:

  • the utils library, with the contextual variables and helper functions it makes available
  • the possible values for the type, action, and origin arguments that the utils helper functions take.

The custom user policies are created using the REGO syntax. For more information about the REGO syntax, see the Policy Language guide.

utils library syntax

Besides the available REGO syntax, Connect comes with a custom library that can be made available in the REGO policy editor.

The library can be imported using the following construction in the REGO policy editor:

import data.oz.utils

Contextual variables

Syntax                  Details
current_user            Returns the current user, i.e. the user the policy is being evaluated for.
current_organization    Returns the current organization, i.e. the organization the policy is being evaluated in.

Helper functions

Each entry gives the syntax, the parameters, and the result of the helper.

user(user_id)
  • user_id is an ID identifying a Connect user.
  • Returns the user with the given user_id.

organization(org_id)
  • org_id is an ID identifying a Connect organization.
  • Returns the organization with the given org_id.

role(role_id)
  • role_id is an ID identifying a Connect user role.
  • Returns the user role with the given role_id.

is_user_ip_whitelisted(scope)
  • scope is the IP-whitelisting scope as configured in the Organization settings: Video Playback or Download.
  • Checks the current user's IP and returns True if that IP is whitelisted for the scope; False otherwise.

is_updating_protected_fields(fields)
  • fields is an array of fields in the Connect DB.
  • Returns True if the request being evaluated attempts to update at least one field in fields that is protected in the Connect DB; False otherwise.

is_current_user_assigned(role_id)
  • role_id is an ID identifying a Connect user role.
  • Returns True if the current user has the user role with the given role_id assigned to them; False otherwise.

is_current_user_sysadmin()
  • No parameters.
  • Returns True if the current user is set as a sysadmin; False otherwise.

is_current_user_on_current_org()
  • No parameters.
  • Returns True if the current user belongs to the current organization, i.e. the organization the policy is being evaluated in; False otherwise.

is_user_sysadmin(user_id)
  • user_id is an ID identifying a Connect user.
  • Returns True if the user with the given user_id is set as a sysadmin; False otherwise.

is_user_on_org(user_id, org_id)
  • user_id is an ID identifying a Connect user; org_id is an ID identifying a Connect organization.
  • Returns True if the user with the given user_id is part of the organization with the given org_id; False otherwise.

is_user_assigned(user_id, role_id)
  • user_id is an ID identifying a Connect user; role_id is an ID identifying a Connect user role.
  • Returns True if the user with the given user_id has the user role with the given role_id assigned to them; False otherwise.

is_during_weekend()
  • No parameters.
  • Returns True if the policy is being evaluated during the weekend; False otherwise.

is_type_action(type, action)
  • type is the type of resource (Title, Media item, etc.); action is a single action (Read, List, Delete, etc.).
  • Evaluates to True when the request being evaluated targets a resource of type type with the action action. Use it as the condition of an allow or deny block to grant or restrict that type/action combination for the user role.

is_type_action_origin(type, action, origin)
  • type is the type of resource (Title, Media item, etc.); action is a single action (Read, List, Delete, etc.); origin is the service that triggered the policy evaluation (metadata-service, zypline-api, zypline-web, ...).
  • Evaluates to True when the request targets a resource of type type with the action action and was triggered from origin. Use it as the condition of an allow or deny block to grant or restrict that combination for the user role.

is_type_multiaction(type, actions)
  • type is the type of resource (Title, Media item, etc.); actions is an array of actions (Read, List, Delete, etc.).
  • Evaluates to True when the request targets a resource of type type with any one of the actions in actions. Use it as the condition of an allow or deny block to grant or restrict all of those actions at once.

is_type_multiaction_origin(type, actions, origin)
  • type is the type of resource (Title, Media item, etc.); actions is an array of actions (Read, List, Delete, etc.); origin is the service that triggered the policy evaluation (metadata-service, zypline-api, zypline-web, ...).
  • Evaluates to True when the request targets a resource of type type with any one of the actions in actions and was triggered from origin. Use it as the condition of an allow or deny block to grant or restrict all of those actions for that origin.
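The following custom role shows the helpers above used together. It is an added example written for this page, not a role shipped with Connect. Like the samples further down it omits the package clause, on the assumption that the policy editor supplies one (add a `package` line to run it with the opa CLI); it calls the helpers with the `utils.` prefix, as the org_admin sample does; and it assumes the scope string expected by is_user_ip_whitelisted is the value listed in the helper table, which should be confirmed against the Organization settings. The input fields input.resource.id and input.user.id are the ones the samples compare. The rule syntax is the pre-1.0 OPA syntax used throughout this page; OPA 1.0 requires the `if` keyword before a rule body (`allow if { ... }`).

```rego
# Added example: a deny-by-default role built from the data.oz.utils helpers.
# No package clause, as in the samples on this page (assumed to be supplied by the editor).
import data.oz.utils

# Deny by default: a request is allowed only when one of the allow rules below matches.
default allow = false

# Sysadmins keep full access whatever the rules below say.
allow { utils.is_current_user_sysadmin() }

# Bootstrap reads the web client performs at login (the same set the default roles grant).
allow { utils.is_type_action("User", "Read") }
allow { utils.is_type_action("Organization", "Read") }
allow { utils.is_type_action("Role", "List") }

# Browsing files is allowed from the web client and from the API, not from other services.
allow { utils.is_type_multiaction_origin("File", ["List", "Read"], "zypline-web") }
allow { utils.is_type_multiaction_origin("File", ["List", "Read"], "zypline-api") }

# Downloads: only through the API, only by a member of the evaluated organization,
# only from a whitelisted address, and never at the weekend.
# "Download" is the scope name from the helper table (assumed); confirm it matches the
# IP-whitelisting scope configured in the organization's settings.
allow {
    utils.is_type_action_origin("File", "Download", "zypline-api")
    utils.is_current_user_on_current_org()
    utils.is_user_ip_whitelisted("Download")
    not utils.is_during_weekend()
}

# A user may update only their own profile: the resource id must equal the caller's id.
# Without the id comparison this rule would let the role edit any user in the organization.
allow {
    utils.is_type_action("User", "Update")
    input.resource.id == input.user.id
}

# Protected-field edits are never allowed through this role, even on the caller's own
# profile; the field names are assumed for the example.
allow = false {
    utils.is_type_action("User", "Update")
    utils.is_updating_protected_fields(["email", "sysAdmin"])
}
```

The last block assigns `allow = false` rather than relying on the default: in Rego a complete rule whose bodies produce both true and false for the same input is an evaluation conflict, so this form only works because the protected-field deny and the self-update allow cannot both be intended to hold; if you want a plain "deny overrides allow" semantics, put the negated check (`not utils.is_updating_protected_fields([...])`) inside the allow rule instead.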

Origins

Important

These are the services that can be passed as the origin argument, i.e. the service that triggered the policy evaluation.

  • billing-service
  • history-service
  • iam-service
  • metadata-service
  • notification-service
  • search-service
  • streaming-api
  • task-service
  • zypline-api
  • zypline-web

Types and Actions

General

Note

This is a high-level list of actions, that interact with one or more resources in Connect. Use this as a starting point for writing user policies.

  • Count
  • List
  • Read
  • Create
  • Update
  • Delete
  • Trash
  • Restore
  • Upload
  • Download
  • Start
  • Stop
  • Import
  • Export
  • Preview
  • Validate

Service-specific

Important

Notation: <PepTypeName> (<GraphQL type>)

Use <PepTypeName> when writing policies.

The list below is grouped by service. Under each service, every type is followed by its actions and by the condition enforced for that action.

Zypline Web

ZyplineWebDebug: Used to enforce access to the Debug page.
  • READ: org_admin
ZyplineWebDiscoverAnalytics: Enables access to the Discover App Analytics page.
  • READ: org_operator
ZyplineWebDashboard: Enables access to dashboards.
  • READ: org_operator

Zypline API

Annotation (Annotation)
  • LIST: no condition
  • READ: no condition
  • CREATE: allowed if the current user has the sys_admin role, or if the current user is not a sys_admin and the annotation is of type User; rejected otherwise.
  • UPDATE: users with the sys_admin role can change anything. Users without it cannot change the type of the annotation and can update only unprotected fields (for example isIssue).
  • DELETE: users with the sys_admin role can delete any annotation. Users without it must have the delete right, and the annotation must be of type User; they cannot delete System annotations.
AuditLogs (AuditEventConnection)
  • READ: Users with sys_admin role can see all audit logs. Users without sys_admin role are checked if they have access to the requested model type.
AudioTrack (AudioTrackProperties)
  • UPDATE: no condition
AutoQC (runAutoQC -> Workflow)
  • EXECUTE: no condition
AutoQCReport (AutoQcReport)
  • LIST: no condition
  • READ: no condition
BacklotRequestDetails (BacklotRequestDetails)
  • READ: no condition
Batch (Batch)
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • RESET: no condition
  • SEND_DELIVERY_REPORT: no condition
  • IMPORT: no condition
  • DELETE: has delete right
BugProfile (BugProfile)
  • LIST: no condition
  • READ: no condition
  • CREATE: is sys admin or org admin
  • UPDATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
CaptionProfile (CaptionProfile)
  • LIST: no condition
  • READ: no condition
  • CREATE: is sys admin or org admin
  • UPDATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
Clip (Clip)
  • LIST: no condition
  • READ: no condition
  • CREATE & UPDATE: The owner of the inputFile can create and update a Clip. The rule looks like: If the input file is not read only AND the user belongs to an organization AND the user is the creator of the file THEN the user can create/modify Clip
  • DELETE: In addition to the rule from Create/Update the user also must have the delete right.
  • EXTRACT: no condition
Comment (Comment)
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
CompositionDefinition (CompositionDefinition)
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
CompositionTemplate (CompositionTemplate)
  • LIST: no condition
  • READ: no condition
  • CREATE: is sys admin or org admin
  • UPDATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
DeepAnalysis (runDeepAnalysis -> Workflow)
  • EXECUTE: no condition
DeliverableTemplate (DeliverableTemplate)
  • READ: no condition
  • CREATE: is sys admin or org admin
  • UPDATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
Deliverable (Deliverable)
  • READ: no condition
DemuxProfile (DemuxProfile)
  • LIST: no condition
  • READ: no condition
  • CREATE: is sys admin or org admin
  • UPDATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
Demux
  • READ (demuxLanguage -> DemuxLanguage): no condition
  • READ (suggestDemux -> DemuxOptions): no condition
  • EXECUTE (demuxFile -> Workflow): no condition
DRMProvider (DRMProvider)
  • LIST: no condition
  • READ: no condition
  • CREATE: is sys admin or org admin
  • UPDATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
ErrorStack (GraphQLString)
  • READ: is sys admin
ExtractedMedia (ExtractedMedia)
  • LIST: no condition
  • READ: no condition
  • DELETE: has delete right
File
  • LIST (File): no condition
  • READ (File): no condition
  • CREATE (File/Workflow): no condition
  • UPDATE (File): no condition
  • DELETE (File): has delete right
  • RESTORE (restoreFileFromTrash -> File): no condition
  • IMPORT_METADATA_FILE (importMetadataFile/importFileWithMetadata -> Workflow): no condition
  • CONFORM (startConforming -> ConformingResponse): no condition
  • ARCHIVE (File): no condition
  • UNARCHIVE (File): no condition
  • IMPORT_PKL_FILE (importPklFile -> Package): no condition
  • INGEST (File): no condition
  • IMPORT_TRACK_TAGS (importTrackTags -> Workflow): no condition
  • CREATE_THUMBNAIL (File): no condition
  • REVERSE_TRANSCODE (reverseTranscode -> Workflow): no condition
  • ENCODE_IAB (encodeIab -> Workflow): no condition
  • TRANSCRIBE (transcribeFile -> Workflow): no condition
  • TRANSCODE (transcodeFile -> Workflow): no condition
  • PREVIEW (FilePreviewUrl): is sys admin or has download right and user’s IP is whitelisted
  • DOWNLOAD (FileDownloadUrl): is sys admin or has download right and user’s IP is whitelisted
  • UPLOAD (startUpload -> FileUploadResponse): has upload right
FileDelivery (FileDelivery)
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
FileDesignation (FileDesignation)
  • LIST: no condition
  • READ: no condition
  • CREATE: is sys admin or org admin
  • UPDATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
FileFileDesignation (FileFileDesignationEdge)
  • CREATE: no condition
  • DELETE: no condition
FileNamingConvention (FileNamingConvention)
  • LIST: no condition
  • READ: no condition
  • CREATE: is sys admin or org admin
  • UPDATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
ImageSequenceFrameProperties (ImageSequenceFrameProperties)
  • READ: no condition
IngestQcRule (IngestQcRule)
  • LIST: no condition
  • READ: no condition
  • CREATE: is sys admin or org admin
  • UPDATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
Job (Job)
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: has delete right
  • EXECUTE: no condition
  • CANCEL: no condition
JobStats (JobCount)
  • READ: no condition
Macro (Macro)
  • LIST: no condition
  • READ: no condition
  • UPDATE: is sys admin or org admin
MacroExecution (MacroExecution)
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • CANCEL: no condition
  • DELETE: has delete right
Marker (Marker)
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: has delete right
MasterDisplayValues (MasterDisplayValues)
  • READ: no condition
Package (Package)
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • EXECUTE: no condition
  • CANCEL: no condition
  • TRANSCODE: no condition
  • DELETE: has delete right
PackageDelivery (PackageDelivery/Workflow)
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
Platform (Platform)
  • LIST: no condition
  • READ: no condition
  • CREATE: is sys admin or org admin
  • UPDATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
PlatformPackageTemplate (PlatformPackageTemplate)
  • CREATE: no condition
  • UPDATE: no condition
PackageTemplate (PackageTemplate)
  • LIST: no condition
  • READ: no condition
  • CREATE: only sys admin or org admin
  • UPDATE: only sys admin or org admin
  • DELETE: only sys admin or org admin with delete right
Plugin (Plugin)
  • LIST: is sys admin
  • CREATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
PluginsPage (PluginsPage)
  • LIST: is sys admin or org admin
QcProfile (QcProfile)
  • LIST: no condition
  • READ: no condition
  • CREATE: is sys admin or org admin
  • UPDATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
SidecarCaptions (File)
  • LIST: no condition
  • READ: no condition
Slate (generateSlate -> Workflow)
  • CREATE: no condition
SmartAgent (SmartAgent)
  • LIST: no condition
  • READ: no condition
  • CREATE: is sys admin or org admin
  • UPDATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
  • EXECUTE: is sys admin or org admin
StoreFile (StoreFileConnection)
  • LIST: no condition
TimedTextProfile (TimedTextProfile)
  • LIST: no condition
  • READ: no condition
  • CREATE: is sys admin or org admin
  • UPDATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
  • CONVERT: no condition
Title (Title)
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • IMPORT_IMF: no condition
  • SYNC: no condition
  • DELETE: has delete right
TitleDesignation (TitleDesignation)
  • CREATE: no condition
  • DELETE: no condition
TitleStats (TitleCount) - deprecated
  • READ: no condition
Track (Track)
  • READ: no condition
  • UPDATE: no condition
TrackFileDesignation (TrackFileDesignation)
  • CREATE: no condition
  • UPDATE: no condition
TranscoderProfile (TranscoderProfile)
  • LIST: no condition
  • READ: no condition
  • CREATE: is sys admin or org admin
  • UPDATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
  • IMPORT: is sys admin or org admin
  • EXPORT: is sys admin or org admin
TranscoderProvider (TranscoderProvider)
  • LIST: no condition
  • READ: no condition
  • CREATE: is sys admin or org admin
  • UPDATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
TranscribeLanguages (TranscribeLanguages)
  • READ: no condition
TransferProvider (TransferProvider)
  • LIST: no condition
  • READ: no condition
  • CREATE: is sys admin or org admin
  • UPDATE: is sys admin or org admin
  • DELETE: is sys admin or org admin and has delete right
RrtqTask (Task)
  • LIST: no condition
VideoTrack (VideoTrackProperties)
  • UPDATE: no condition
VirtualAsset (VirtualAsset)
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: has delete right
VirtualFolder (VirtualFolder)
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: has delete right
VirtualFolderContent (VirtualFolderContent)
  • READ: no condition
XMEML (CompositionDefinition)
  • IMPORT: no condition
Workflow (Workflow)
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • SWF_SIGNAL: no condition
  • DELETE: no condition
Streaming API

UniqueUsersAnalyticsMetric, ActiveSessionsAnalyticsMetric, RegistrationsAnalyticsMetric, AverageSessionTimeAnalyticsMetric, HoursWatchedPerUserAnalyticsMetric, NumberOfUsersByCountryAnalyticsMetric, NumberOfUsersByCityAnalyticsMetric, NumberOfUsersByAgeAnalyticsMetric, TopTitlesAnalyticsMetric, TopGroupsAnalyticsMetric
  • LIST: no condition
StreamingAnalyticsPDF
  • GENERATE: no condition
  • DOWNLOAD: no condition
StreamingAnalyticsPdfStatus
  • READ: no condition
Application
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
Node
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
Edge
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • DELETE: no condition
  • REORDER: no condition
StreamingThumbnail
  • READ: no condition
StreamingReindex
  • READ: no condition
  • REINDEX: no condition
StreamingNodeMetadata
  • LIST: no condition
StreamingDynamicCollection
  • LIST: no condition
NodeUser
  • LIST: no condition
UserFavorite
  • LIST: no condition
UserHistory
  • LIST: no condition
  • VIEW_COUNT: no condition
Install
  • READ: no condition
  • LIST: no condition
Instance
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
EntityType
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
EmailTemplate
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
Export
  • CHECK: no condition
  • DOWNLOAD: no condition
  • GENERATE: no condition
  • DELETE: no condition
UserSsoConfig
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
LocatorMapper
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
Media
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
  • PROCESS: no condition
  • PROCESS_ALL: no condition
MediaWorkflow
  • READ: no condition
  • LIST: no condition
NotificationTopic
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
Notification
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
  • SEND: no condition
NotificationHistory
  • LIST: no condition
StreamingDeviceSubscription
  • LIST: no condition
StreamingNotificationMetrics
  • LIST: no condition
StreamingDevice
  • READ: no condition
  • LIST: no condition
  • UNREGISTER_DEVICE: no condition
  • SUBSCRIBE: no condition
  • UNSUBSCRIBE: no condition
Theme
  • READ: no condition
  • LIST: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
  • SEND: no condition
  • CREATE_DEFAULT_NODE_THEME_MAPPINGS: no condition
  • CREATE_TIMED_NODE_THEME_MAPPINGS: no condition
NodeTheme
  • LIST: no condition
  • DELETE: no condition
ProductNode
  • LIST: no condition
UserListNode
  • LIST: no condition
  • ADD_USER_LIST_NODE: no condition
  • REMOVE_USER_LIST_NODE: no condition
UserList
  • READ: no condition
  • LIST: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
UserPool
  • READ: no condition
  • LIST: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
UserGroup
  • READ: no condition
  • LIST: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
UserGroupLink
  • CREATE: no condition
  • DELETE: no condition
  • REMOVE_USER_GROUP_LINK: no condition
StreamingUserSubscription
  • LIST: no condition
StreamingConsumerUser
  • READ: no condition
  • LIST: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
  • RESEND_USER_INVITATION: no condition
  • RESET_USER_PASSWORD: no condition
Product
  • READ: no condition
  • LIST: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
  • CLONE: no condition
ProductPlan
  • READ: no condition
  • LIST: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
ProductCharge
  • READ: no condition
  • LIST: no condition
  • DOWNLOAD: no condition
  • SEND: no condition
  • REFUND: no condition
ProductCoupon
  • READ: no condition
  • LIST: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • EXPIRE_COUPON: no condition
  • REDEEM_PRODUCT_COUPON_FOR_USER: no condition
ProductContent
  • LIST: no condition
  • CREATE: no condition
  • DELETE: no condition
  • SET_DEFAULT: no condition
ProductSubscription
  • READ: no condition
  • LIST: no condition
  • GRANT_SUBSCRIPTION: no condition
  • CANCEL_PRODUCT_SUBSCRIPTION: no condition
  • TERMINATE_PRODUCT_SUBSCRIPTION: no condition
NodeTag
  • READ: no condition
  • LIST: no condition
  • CREATE: no condition
  • DELETE: no condition
StreamingOrganization
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • INITIALIZE: no condition
  • EXPORT: no condition
  • IMPORT: no condition
  • CHECK_IMPORT: no condition
StreamingServerInfo
  • READ: no condition
Setting
  • READ: no condition
  • LIST: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
TranscodeMap
  • READ: no condition
  • LIST: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
Workflow
  • READ: no condition
  • LIST: no condition
  • DELETE: no condition
IAM Service

ApiKeys
  • LIST: no condition
  • CREATE: the user has the API Keys Access right, or the user has the sys_admin role
  • UPDATE: the user has the API Keys Access right and owns the key being updated, or the user has the sys_admin role
Organization
  • READ: no condition
  • LIST: no condition
  • CREATE: user needs sys_admin role
  • UPDATE: no condition
  • DELETE: user needs sys_admin role
  • ListAllOrganizations: used by FE at bootstrapping time to list the organizations menu. No condition
IdentityProviders
  • READ: no condition
User
  • READ: no condition
  • LIST: no condition
  • ListSysUsers: user needs sys_admin role
  • CREATE: no condition
  • ResetToken: no condition
  • Trash, Restore, SetSysAdmin, UnsetSysAdmin: user needs sys_admin role
  • UPDATE: no condition
  • DELETE: user needs sys_admin role
  • AssignRole, UnassignRole: no condition
AvatarUpload
  • START: no condition
Role
  • READ
  • LIST
  • CREATE
  • UPDATE
  • DELETE
  • ENABLE
  • DISABLE
Policy
  • READ
  • LIST
  • CREATE
  • UPDATE
  • DELETE
PolicyRuleResource
  • LIST
Metadata Service

Attribute
  • LIST: no condition
  • READ: no condition
  • CREATE: user needs org_admin role
  • UPDATE: user needs org_admin role
  • DELETE: user needs org_admin role
  • COPY: user needs org_admin role
LimitationsByType
  • LIST: no condition
AttributeValue
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
BulkAttributeValues
  • LIST: no condition
  • UPDATE: no condition
Entity
  • LIST: no condition
  • READ: no condition
  • CREATE: no condition
  • UPDATE: no condition
  • DELETE: no condition
EntityAttributeAndValue
  • LIST: no condition
EntityType
  • LIST: no condition
  • READ: no condition
  • CREATE: user needs org_admin role
  • UPDATE: user needs org_admin role
  • DELETE: user needs org_admin role
  • DissolveHierarchy: user needs org_admin role
MetadataExport
  • EXPORT: no condition
MetadataImport
  • IMPORT: no condition
MetadataTemplate
  • LIST: no condition
  • READ: no condition
  • PREVIEW: no condition
  • GenerateEntityContext: no condition
  • CREATE: user needs org_admin role
  • UPDATE: user needs org_admin role
  • DELETE: user needs org_admin role
MetadataValidateSchema
  • VALIDATE: no condition
MetadataValidationErrors
  • READ: no condition
Group
  • LIST: no condition
  • READ: no condition
  • CREATE: user needs sys_admin or org_admin role
  • UPDATE: user needs sys_admin or org_admin role
  • DELETE: user needs sys_admin or org_admin role
Task Service

TaskServiceHeadersType
  • READ: no condition
TaskServiceTaskType
  • LIST: no condition
  • READ: no condition
  • TaskClose: no condition
  • TaskComplete: no condition
  • TaskOnHold: no condition
  • TaskReject: no condition
  • TaskReopen: no condition
  • TaskApprove: no condition
  • CREATE: user needs org_operator role
  • UPDATE: either the task is assigned to the user making the request or the user needs org_operator role
  • DELETE: user needs org_operator role
TaskServiceMediaItemType
  • LIST: no condition
  • READ: no condition
  • CREATE: user needs org_operator role
  • UPDATE: user needs org_operator role
  • DELETE: user needs org_operator role
Notification Service

NotificationUserSettingsType
  • READ: no condition
  • UPDATE: no condition
NotificationEvent
  • LIST: no condition
  • COUNT: no condition
  • MARKVIEWED: no condition
History Service

HistoryType
  • LIST: no condition

Search Service

SearchResult
  • READ: no condition
SearchFilters
  • READ: no condition
SearchSync
  • START: no condition
Billing Service

BillableEventUser
  • LIST: no condition
BillableEvent
  • LIST: no condition
  • CREATE: no condition. Used from other back-end services.
EC2ComputeCostEvent
  • CREATE: no condition. Used from other back-end services.
MediaConvertCostEvent
  • CREATE: no condition. Used from other back-end services.
RekognitionCostEvent
  • CREATE: no condition. Used from other back-end services.
AsperaCostEvent
  • CREATE: no condition. Used from other back-end services.
HybrikCostEvent
  • LIST: no condition
BatonCostEvent
  • CREATE: no condition. Used from other back-end services.

Default Roles

file_operator

Description

The user can act on any file in the organization. The sample grants the bootstrap reads the web client needs at login, file upload, and file download; downloads from the web client carry no further condition, while downloads through the API are allowed only from an IP address on the organization's download whitelist.

Code sample

import data.organizations

# Deny by default: only the allow rules below grant access.
default allow = false

# functions
# True when the caller's IP lies inside one of the CIDR ranges configured for the
# given scope (here "downloadWhitelistIps") in the organization's rights.
is_user_ip_whitelisted(scope) {
    cidr := organizations[input.organization.id].organizationRights[scope][_]
    net.cidr_contains(cidr, input.user.ip)
}

# bootstrap web: reads the web client performs when a user logs in
allow {
    input.type == "User"
    input.action == "Read"
}
allow {
    input.type == "Organization"
    input.action == "Read"
}
allow {
    input.type == "StreamingOrganization"
    input.action == "Read"
}
allow {
    input.type == "Role"
    input.action == "List"
}
allow {
    input.type == "TaskServiceHeadersType"
    input.action == "Read"
}
# bootstrap web end

allow {
    input.type == "File"
    input.action == "Upload"
}

# Download from the web client: no IP condition
allow {
    input.type == "File"
    input.action == "Download"
    input.origin == "zypline-web"
}

# Download through the API: only from a whitelisted IP
allow {
    input.type == "File"
    input.action == "Download"
    input.origin == "zypline-api"
    is_user_ip_whitelisted("downloadWhitelistIps")
}
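A policy like the one above is easiest to reason about with unit tests that pin each grant and each refusal. The following is an added OPA test file for the file_operator sample; it is not part of the original page or of Connect. It assumes the sample has been saved locally with an added `package connect.roles.file_operator` line (the Connect editor supplies its own package, so this is for local testing only), constructs organization data in the shape the sample reads (data.organizations[<org id>].organizationRights[<scope>] as a list of CIDRs; the org and user ids and the addresses are made up), and uses the same pre-1.0 Rego syntax as the samples. Run it with `opa test -v .` in the directory holding both files.

```rego
# file_operator_test.rego (assumed file name) for the file_operator sample above.
# Assumes that sample was saved as a module with `package connect.roles.file_operator`.
package connect.roles.file_operator_test

import data.connect.roles.file_operator as policy

# Constructed organization data in the shape the sample reads:
# organizationRights[<scope>] is the list of CIDRs allowed for that scope.
orgs := {
    "org-1": {
        "organizationRights": {
            "downloadWhitelistIps": ["10.0.0.0/8", "203.0.113.0/24"],
        },
    },
}

# Builds the decision input the samples expect: type, action, origin, organization, user.
request(action, origin, ip) := {
    "type": "File",
    "action": action,
    "origin": origin,
    "organization": {"id": "org-1"},
    "user": {"id": "user-7", "ip": ip},
}

test_api_download_from_whitelisted_ip_is_allowed {
    policy.allow with input as request("Download", "zypline-api", "10.1.2.3") with data.organizations as orgs
}

test_api_download_from_other_ip_is_denied {
    not policy.allow with input as request("Download", "zypline-api", "198.51.100.9") with data.organizations as orgs
}

# The sample applies the whitelist only to the zypline-api origin; the web client
# download rule has no IP condition. This test pins that behaviour so a later change
# to either rule is caught.
test_web_download_does_not_check_whitelist {
    policy.allow with input as request("Download", "zypline-web", "198.51.100.9") with data.organizations as orgs
}

# An organization with no whitelist configured gets no API downloads at all:
# the whitelist lookup is undefined, so the rule body fails closed.
test_api_download_without_whitelist_is_denied {
    not policy.allow with input as request("Download", "zypline-api", "10.1.2.3") with data.organizations as {"org-1": {"organizationRights": {}}}
}

# Anything not explicitly allowed falls through to default allow = false.
test_file_delete_is_denied {
    not policy.allow with input as request("Delete", "zypline-api", "10.1.2.3") with data.organizations as orgs
}

# Upload has no origin condition in the sample, so any origin is accepted.
test_upload_is_allowed_from_any_origin {
    policy.allow with input as request("Upload", "task-service", "198.51.100.9") with data.organizations as orgs
}
```

The two `with` modifiers replace `input` and `data.organizations` for the duration of each test, so no real organization data is needed; `not policy.allow` passes both when the rule evaluates to false and when it is undefined, which is exactly the fail-closed behaviour the `default allow = false` line gives in production.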

la_operator

Description

The user can only view and take action on the pages to which their role type has access. The user can only view the Tasks menu.

Code sample

import data.organizations

# Deny by default: only the allow rules below grant access.
default allow = false

# functions
# True when the request is one of the listed task actions on a task that is
# assigned to the caller and currently in the given status.
is_task_assigned_in_status(status, allowed_actions) {
    input.type == "TaskServiceTaskType"
    input.resource.assigneeId == input.user.id
    input.resource.status == status
    allowed_actions[_] = input.action
}

# True when the caller's IP lies inside a CIDR range configured for the given scope
# in the organization's rights (defined for reuse; not referenced by the rules below).
is_user_ip_whitelisted(scope) {
    cidr := organizations[input.organization.id].organizationRights[scope][_]
    net.cidr_contains(cidr, input.user.ip)
}

# bootstrap web: reads the web client performs when a user logs in
allow {
    input.type == "User"
    input.action == "Read"
}
allow {
    input.type == "Organization"
    input.action == "Read"
}
allow {
    input.type == "StreamingOrganization"
    input.action == "Read"
}
allow {
    input.type == "Role"
    input.action == "List"
}
allow {
    input.type == "TaskServiceHeadersType"
    input.action == "Read"
}
# bootstrap web end

# A user may update only their own profile
allow {
    input.type == "User"
    input.action == "Update"
    input.resource.id == input.user.id
}
allow {
    input.type == "Group"
    input.action == "Read"
}
allow {
    input.type == "Attribute"
    input.action == "List"
}
allow {
    input.type == "TaskServiceMediaItemType"
    input.action == "List"
}
allow {
    input.action == "Read"
    input.type == "MetadataEntityType"
}

# Tasks reached through the task service: only tasks assigned to the caller
allow {
    actions := [
        "Read",
        "Update",
        "Preview"
    ]
    input.origin == "task-service"
    input.type == "TaskServiceTaskType"
    input.resource.assigneeId == input.user.id
    actions[_] = input.action
}
allow {
    input.action == "List"
    input.type == "TaskServiceTaskType"
}
allow {
    actions := [
        "List",
        "Read",
        "Update",
        "UpdateLimited",
        "Preview"
    ]
    input.origin == "zypline-web"
    input.type == "TaskServiceTaskType"
    actions[_] = input.action
}

# task statuses
allow { is_task_assigned_in_status("checked_out", ["TaskComplete"]) }

allow {
    input.action == "Delete"
    input.type == "File"
}

# for the task details page
allow {
    actions := [
        "Read",
        "Update",
        "Ingest",
        "Preview"
    ]
    input.type == "File"
    input.origin == "zypline-api"
    actions[_] == input.action
}
allow {
    input.action == "Read"
    input.type == "FileDesignation"
    input.origin == "zypline-api"
}
allow {
    actions := [
        "List",
        "Read",
        "Create"
    ]
    input.type == "FileFileDesignation"
    input.origin == "zypline-api"
    actions[_] == input.action
}
allow {
    input.type == "Clip"
    input.action == "List"
    input.origin == "zypline-api"
}
allow {
    actions := [
        "Read",
        "Update"
    ]
    input.type == "Title"
    input.origin == "zypline-api"
    # Without this check the block would grant every Title action (Delete included)
    # from zypline-api, not just Read and Update.
    actions[_] == input.action
}
allow {
    input.action == "Read"
    input.type == "CompositionDefinition"
    input.origin == "zypline-api"
}
allow {
    actions := [
        "List",
        "Create",
        "Update"
    ]
    input.type == "Annotation"
    input.origin == "zypline-api"
    actions[_] == input.action
}
allow {
    input.action == "Delete"
    input.type == "Annotation"
    input.origin == "zypline-api"
}
allow {
    input.action == "List"
    input.type == "SidecarCaptions"
    input.origin == "zypline-api"
}
allow {
    actions := [
        "List",
        "Create",
        "Update"
    ]
    input.type == "Comment"
    input.origin == "zypline-api"
    actions[_] == input.action
}
allow {
    input.action == "List"
    input.type == "Platform"
    input.origin == "zypline-api"
}

# API keys
allow {
    actions := [
        "List",
        "Create"
    ]
    input.type == "ApiKeys"
    actions[_] = input.action
}
allow {
    input.type == "ApiKeys"
    input.action == "Disable"
}

# notification service
allow {
    actions := [
        "Read",
        "Update",
    ]
    actions[_] = input.action
    input.type == "NotificationUserSettingsType"
    input.origin == "notification-service"
}
allow {
    actions := [
        "List",
        "Count",
        "MarkViewed",
    ]
    actions[_] = input.action
    input.type == "NotificationEvent"
    input.origin == "notification-service"
}

org_admin

Description

The user can perform any action within their organization but cannot edit the system's global settings. Unlike the other default roles, this sample is allow-by-default (default allow = true) with explicit denies, so any type or action added to Connect later is granted to org_admin automatically unless a deny rule for it is added.

Code sample

import data.oz.utils

# Allow by default: only the type/action combinations denied below are blocked.
default allow = true

# Org admins cannot list, create or delete organizations
allow = false {
    actions := [
        "List",
        "Create",
        "Delete"
    ]
    input.type == "Organization"
    actions[_] == input.action
}

# ... and can update only the organization the policy is evaluated in
allow = false {
    input.type == "Organization"
    input.action == "Update"
    input.resource.id != input.organization.id
}

# Streaming organization (re)initialization is reserved for sysadmins
allow = false { utils.is_type_multiaction("StreamingOrganization", ["Initialize", "Reinitialize", "CheckInitializationStatus"]) }

org_operator

Description

The user has access to the main menu options and can create, complete, assign, and reassign tasks. This user cannot edit the global or the organization settings, cannot edit templates or profiles, and cannot create new users.

Code sample

import data.organizations

# Deny by default: only the allow rules below grant access.
default allow = false

# functions
# True when the request is one of the listed task actions on a task in the given status.
is_task_in_status(status, allowed_actions) {
    input.type == "TaskServiceTaskType"
    input.resource.status == status
    allowed_actions[_] = input.action
}

# True when the caller's IP lies inside a CIDR range configured for the given scope
# in the organization's rights.
is_user_ip_whitelisted(scope) {
    cidr := organizations[input.organization.id].organizationRights[scope][_]
    net.cidr_contains(cidr, input.user.ip)
}

# IAM Service
allow {
    actions := [
        "List",
        "Create"
    ]
    input.type == "ApiKeys"
    actions[_] = input.action
}
allow {
    input.type == "ApiKeys"
    input.action == "Disable"
}
allow {
    actions := [
        "List",
        "Read",
    ]
    input.origin == "iam-service"
    input.type == "Organization"
    actions[_] = input.action
}
allow {
    input.origin == "iam-service"
    input.type == "IdentityProviders"
    input.action == "Read"
}
allow {
    actions := [
        "List",
        "Read",
        "Update",
    ]
    input.origin == "iam-service"
    input.type == "User"
    actions[_] = input.action
}
allow {
    input.origin == "iam-service"
    input.type == "AvatarUpload"
    input.action == "Start"
}

# Metadata Service
allow {
    actions := [
        "List",
        "Read",
    ]
    input.origin == "metadata-service"
    input.type == "Attribute"
    actions[_] = input.action
}
allow {
    input.origin == "metadata-service"
    input.type == "LimitationsByType"
    input.action == "List"
}
allow {
    actions := [
        "List",
        "Read",
        "Create",
        "Update",
    ]
    input.origin == "metadata-service"
    input.type == "AttributeValue"
    actions[_] = input.action
}
allow {
    input.origin == "metadata-service"
    input.type == "AttributeValue"
    input.action == "Delete"
}
allow {
    actions := [
        "List",
        "Update",
    ]
    input.origin == "metadata-service"
    input.type == "BulkAttributeValues"
    actions[_] = input.action
}
allow {
    input.origin == "metadata-service"
    input.type == "EntityAttributeAndValue"
    input.action == "List"
}
allow {
    actions := [
        "List",
        "Read",
    ]
    input.origin == "metadata-service"
    input.type == "MetadataEntityType"
    actions[_] = input.action
}
allow {
    actions := [
        "List",
        "Read",
    ]
    input.origin == "metadata-service"
    input.type == "Entity"
    actions[_] = input.action
}
allow {
    actions := [
        "List",
        "Read",
    ]
    input.origin == "metadata-service"
    input.type == "Group"
    actions[_] = input.action
}
allow {
    input.origin == "metadata-service"
    input.type == "MetadataExport"
    input.action == "Export"
}
allow {
    input.origin == "metadata-service"
    input.type == "MetadataImport"
    input.action == "Import"
}
allow {
    actions := [
        "List",
        "Read",
        "Preview",
        "GenerateEntityContext",
]
input.origin == "metadata-service"
input.type == "MetadataTemplate"
actions[_] = input.action
}
allow {
input.origin == "metadata-service"
input.type == "MetadataValidateSchema"
input.action == "Validate"
}
allow {
input.origin == "metadata-service"
input.type == "MetadataValidationErrors"
input.action == "Read"
}
# Task Service
allow {
input.origin == "task-service"
input.type == "TaskServiceHeadersType"
input.action == "Read"
}
# includes rules for web
allow {
actions := [
"Create",
"Preview",
"List",
"ListAll",
"Read",
"Update",
"UpdateAdmin"
]
input.type == "TaskServiceTaskType"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "TaskServiceTaskType"
input.action == "Delete"
}
allow {
actions := [
"List",
"Read",
]
input.origin == "task-service"
input.type == "TaskServiceMediaItemType"
actions[_] = input.action
}
allow { is_task_in_status("open", ["TaskOnHold", "TaskClose"]) }
allow { is_task_in_status("checked_out", ["TaskOnHold", "TaskClose"]) }
allow { is_task_in_status("waiting_for_review", ["TaskApprove", "TaskReject", "TaskOnHold", "TaskClose"]) }
allow { is_task_in_status("rejected", ["TaskReopen", "TaskOnHold", "TaskClose"]) }
allow { is_task_in_status("on_hold", ["TaskReopen", "TaskClose"]) }
allow { is_task_in_status("resolved", ["TaskReopen", "TaskClose"]) }
allow { is_task_in_status("closed", ["TaskReopen"]) }
# Notification Service
allow {
actions := [
"Read",
"Update",
]
input.origin == "notification-service"
input.type == "NotificationUserSettingsType"
actions[_] = input.action
}
allow {
actions := [
"List",
"Count",
"MarkViewed",
]
input.origin == "notification-service"
input.type == "NotificationEvent"
actions[_] = input.action
}
# History Service
allow {
input.origin == "history-service"
input.type == "HistoryType"
input.action == "List"
}
# Billing Service
allow {
input.origin == "billing-service"
input.type == "BillableEventUser"
input.action == "List"
}
allow {
actions := [
"List",
"Create",
]
input.origin == "billing-service"
input.type == "BillableEvent"
actions[_] = input.action
}
allow {
input.origin == "billing-service"
input.type == "EC2ComputeCostEvent"
input.action == "Create"
}
allow {
input.origin == "billing-service"
input.type == "MediaConvertCostEvent"
input.action == "Create"
}
allow {
input.origin == "billing-service"
input.type == "RekognitionCostEvent"
input.action == "Create"
}
allow {
input.origin == "billing-service"
input.type == "AsperaCostEvent"
input.action == "Create"
}
allow {
input.origin == "billing-service"
input.type == "HybrikCostEvent"
input.action == "Create"
}
allow {
input.origin == "billing-service"
input.type == "BatonCostEvent"
input.action == "Create"
}
# Search Service
allow {
input.origin == "search-service"
input.type == "SearchResult"
input.action == "Read"
}
allow {
input.origin == "search-service"
input.type == "SearchFilters"
input.action == "Read"
}
allow {
input.origin == "search-service"
input.type == "SearchSync"
input.action == "Start"
}
allow {
input.origin == "search-service"
input.type == "SearchHistoryResult"
input.action == "Read"
}
# Zypline API
allow {
actions := [
"List",
"Read",
"Create"
]
input.origin == "zypline-api"
input.type == "Annotation"
actions[_] = input.action
}
allow {
input.origin == "zypline-api"
input.type == "Annotation"
input.action == "Update"
input.resource.type == "user"
count(object.filter(input.metadata.input, ["isIssue"])) == 0
}
allow {
input.origin == "zypline-api"
input.type == "Annotation"
input.action == "Update"
input.resource.type == "user"
input.resource.createdById == input.user.id
}
allow {
input.origin == "zypline-api"
input.type == "Annotation"
input.action == "Delete"
input.resource.type == "user"
input.resource.createdById == input.user.id
}
allow {
input.origin == "zypline-api"
input.type == "AuditLogs"
input.action == "Read"
}
allow {
input.origin == "zypline-api"
input.type == "AudioTrack"
input.action == "Update"
}
allow {
input.origin == "zypline-api"
input.type == "AutoQC"
input.action == "Execute"
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "AutoQCReport"
actions[_] = input.action
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "BacklotRequest"
actions[_] = input.action
}
allow {
input.origin == "zypline-api"
input.type == "BacklotRequestDetails"
input.action == "Read"
}
allow {
actions := [
"Reset",
"SendDeliveryReport"
]
input.origin == "zypline-api"
input.type == "Batch"
actions[_] = input.action
}
# includes rules for web
allow {
actions := [
"List",
"Read",
"Create",
"Update",
"Import"
]
input.type == "Batch"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "Batch"
input.action == "Delete"
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "CaptionProfile"
actions[_] = input.action
}
allow {
actions := [
"List",
"Read",
"Extract",
"Create",
"Update"
]
input.origin == "zypline-api"
input.type == "Clip"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "Clip"
input.action == "Delete"
}
allow {
actions := [
"List",
"Read",
"Create",
"Update",
]
input.origin == "zypline-api"
input.type == "Comment"
actions[_] = input.action
}
allow {
input.origin == "zypline-api"
input.type == "CompositionDefinition"
input.action == "List"
}
# includes rules for web
allow {
actions := [
"Read",
"Create",
"Update",
]
input.type == "CompositionDefinition"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "CompositionDefinition"
input.action == "Delete"
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "CompositionTemplate"
actions[_] = input.action
}
allow {
input.origin == "zypline-api"
input.type == "DeepAnalysis"
input.action == "Execute"
}
allow {
input.origin == "zypline-api"
input.type == "DeliverableTemplate"
input.action == "Read"
}
allow {
input.origin == "zypline-api"
input.type == "Deliverable"
input.action == "Read"
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "DemuxProfile"
actions[_] = input.action
}
allow {
actions := [
"Read",
"Execute"
]
input.origin == "zypline-api"
input.type == "Demux"
actions[_] == input.action
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "DRMProvider"
actions[_] = input.action
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "WatermarkProvider"
actions[_] = input.action
}
allow {
input.origin == "zypline-api"
input.type == "PreviewURL"
input.action == "Read"
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "DownloadURL"
actions[_] = input.action
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "ExtractedMedia"
actions[_] = input.action
}
allow {
input.origin == "zypline-api"
input.type == "ExtractedMedia"
input.action == "Delete"
}
allow {
actions := [
"Create",
"Conform",
"Archive",
"Unarchive",
"ImportPklFile",
"Ingest",
"CreateThumbnail",
"ReverseTranscode",
"EncodeIab",
"Transcribe",
"Transcode",
]
input.origin == "zypline-api"
input.type == "File"
actions[_] = input.action
}
# includes rules for web
allow {
actions := [
"List",
"Read",
"Update",
"Preview",
"ImportMetadataFile",
"ImportTrackTags",
"Restore",
"BulkRestore",
"BulkTagItems",
"BulkUntagItems",
"BulkAttachItems",
"BulkDetachItems",
"BulkDeliverFiles"
]
input.type == "File"
actions[_] = input.action
}
# includes rules for web
allow {
actions := [
"Delete",
"BulkDelete",
"Trash",
"BulkTrash"
]
input.type == "File"
actions[_] = input.action
}
allow {
actions := [
"List",
"Read",
"Create",
]
input.origin == "zypline-api"
input.type == "FileDelivery"
actions[_] = input.action
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "FileDesignation"
actions[_] = input.action
}
allow {
actions := [
"List",
"Read",
"Create"
]
input.origin == "zypline-api"
input.type == "FileFileDesignation"
actions[_] == input.action
}
allow {
input.origin == "zypline-api"
input.type == "FileFileDesignation"
input.action == "Delete"
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "FileNamingConvention"
actions[_] = input.action
}
allow {
input.origin == "zypline-api"
input.type == "FileStats"
input.action == "Read"
}
allow {
input.origin == "zypline-api"
input.type == "ImageSequenceFrameProperties"
input.action == "Read"
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "IngestQcRule"
actions[_] = input.action
}
# includes rules for web
allow {
actions := [
"List",
"Read",
"Create",
"Update",
]
input.type == "Job"
actions[_] = input.action
}
allow {
input.origin == "zypline-api"
input.type == "Job"
input.action == "Execute"
}
# includes rules for web
allow {
input.type == "Job"
input.action == "Delete"
}
allow {
input.origin == "zypline-api"
input.type == "JobStats"
input.action == "Read"
}
allow {
actions := [
"Read",
"Update"
]
input.origin == "zypline-api"
input.type == "Macro"
actions[_] == input.action
}
# includes rules for web
allow {
input.type == "Macro"
input.action == "List"
}
allow {
actions := [
"List",
"Read",
"Create",
"Cancel",
]
input.origin == "zypline-api"
input.type == "MacroExecution"
actions[_] = input.action
}
allow {
input.origin == "zypline-api"
input.type == "MacroExecution"
input.action == "Delete"
}
allow {
actions := [
"List",
"Read",
"Create",
"Update",
]
input.origin == "zypline-api"
input.type == "Marker"
actions[_] = input.action
}
allow {
input.origin == "zypline-api"
input.type == "Marker"
input.action == "Delete"
}
allow {
input.origin == "zypline-api"
input.type == "MasterDisplayValues"
input.action == "Read"
}
allow {
actions := [
"List",
"Execute",
"Cancel",
"Transcode",
]
input.origin == "zypline-api"
input.type == "Package"
actions[_] = input.action
}
# includes rules for web
allow {
actions := [
"Create",
"Read",
"Update"
]
input.type == "Package"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "Package"
input.action == "Delete"
}
# includes rules for web
allow {
input.type == "Package"
input.action == "Download"
}
allow {
actions := [
"List",
"Read",
"Create",
]
input.origin == "zypline-api"
input.type == "PackageDelivery"
actions[_] = input.action
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "Platform"
actions[_] = input.action
}
allow {
actions := [
"Create",
"Update",
]
input.origin == "zypline-api"
input.type == "PlatformPackageTemplate"
actions[_] = input.action
}
allow {
actions := [
"List",
"Read",
"Create",
"Update",
]
input.origin == "zypline-api"
input.type == "PackageTemplate"
actions[_] = input.action
}
allow {
input.origin == "zypline-api"
input.type == "PackageTemplate"
input.action == "Delete"
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "QcProfile"
actions[_] = input.action
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "SidecarCaptions"
actions[_] = input.action
}
allow {
input.origin == "zypline-api"
input.type == "Slate"
input.action == "Create"
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "SmartAgent"
actions[_] = input.action
}
allow {
input.origin == "zypline-api"
input.type == "StoreFile"
input.action == "List"
}
allow {
actions := [
"List",
"Read",
"Convert",
]
input.origin == "zypline-api"
input.type == "TimedTextProfile"
actions[_] = input.action
}
# includes rules for web
allow {
actions := [
"List",
"Read",
"Create",
"Update",
"ImportImf",
"Sync",
]
input.type == "Title"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "Title"
input.action == "Delete"
}
allow {
input.origin == "zypline-api"
input.type == "TitleDesignation"
input.action == "Create"
}
allow {
input.origin == "zypline-api"
input.type == "TitleDesignation"
input.action == "Delete"
}
allow {
input.origin == "zypline-api"
input.type == "TitleStats"
input.action == "Delete"
}
allow {
actions := [
"Read",
"Update",
]
input.origin == "zypline-api"
input.type == "Track"
actions[_] = input.action
}
allow {
actions := [
"List",
"Read",
"Create",
"Update",
]
input.origin == "zypline-api"
input.type == "TrackFileDesignation"
actions[_] = input.action
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "TranscoderProfile"
actions[_] = input.action
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "TranscoderProvider"
actions[_] = input.action
}
allow {
input.origin == "zypline-api"
input.type == "TranscribeLanguages"
input.action == "Read"
}
allow {
actions := [
"List",
"Read",
]
input.origin == "zypline-api"
input.type == "TransferProvider"
actions[_] = input.action
}
allow {
input.origin == "zypline-api"
input.type == "RrtqTask"
input.action == "List"
}
allow {
input.origin == "zypline-api"
input.type == "VideoTrack"
input.action == "Update"
}
# includes rules for web
allow {
actions := [
"List",
"Read",
"Create",
"Update",
]
input.type == "VirtualAsset"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "VirtualAsset"
input.action == "Delete"
}
allow {
actions := [
"List",
"Read",
"Sync",
"Create",
"Update"
]
input.origin == "zypline-api"
input.type == "VirtualFolder"
actions[_] == input.action
}
allow {
input.origin == "zypline-api"
input.type == "VirtualFolder"
input.action == "Delete"
}
allow {
input.origin == "zypline-api"
input.type == "VirtualFolderContent"
input.action == "Read"
}
allow {
input.origin == "zypline-api"
input.type == "XMEML"
input.action == "Import"
}
allow {
actions := [
"Cancel",
"SwfSignal",
]
input.origin == "zypline-api"
input.type == "Workflow"
actions[_] = input.action
}
# includes rules for web
allow {
actions := [
"List",
"Read"
]
input.type == "Workflow"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "Workflow"
input.action == "Delete"
}
# Streaming API
allow {
input.origin == "streaming-api"
input.type == "UniqueUsersAnalyticsMetric"
input.action == "List"
}
allow {
input.origin == "streaming-api"
input.type == "ActiveSessionsAnalyticsMetric"
input.action == "List"
}
allow {
input.origin == "streaming-api"
input.type == "RegistrationsAnalyticsMetric"
input.action == "List"
}
allow {
input.origin == "streaming-api"
input.type == "AverageSessionTimeAnalyticsMetric"
input.action == "List"
}
allow {
input.origin == "streaming-api"
input.type == "HoursWatchedPerUserAnalyticsMetric"
input.action == "List"
}
allow {
input.origin == "streaming-api"
input.type == "NumberOfUsersByCountryAnalyticsMetric"
input.action == "List"
}
allow {
input.origin == "streaming-api"
input.type == "NumberOfUsersByCityAnalyticsMetric"
input.action == "List"
}
allow {
input.origin == "streaming-api"
input.type == "NumberOfUsersByAgeAnalyticsMetric"
input.action == "List"
}
allow {
input.origin == "streaming-api"
input.type == "TopTitlesAnalyticsMetric"
input.action == "List"
}
allow {
input.origin == "streaming-api"
input.type == "TopGroupsAnalyticsMetric"
input.action == "List"
}
allow {
actions := [
"Generate",
"Download",
]
input.origin == "streaming-api"
input.type == "StreamingAnalyticsPDF"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "StreamingAnalyticsPdfStatus"
input.action == "Read"
}
# includes rules for web
allow {
actions := [
"Read",
"List",
"Create",
"Update"
]
input.type == "Application"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "Application"
input.action == "Delete"
}
# includes rules for web
allow {
actions := [
"Read",
"List",
"Create",
"Update"
]
input.type == "Node"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "Node"
input.action == "Delete"
}
allow {
actions := [
"Read",
"List",
"Create",
"Reorder",
]
input.origin == "streaming-api"
input.type == "Edge"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "Edge"
input.action == "Delete"
}
allow {
input.origin == "streaming-api"
input.type == "StreamingThumbnail"
input.action == "Read"
}
allow {
actions := [
"Read",
"Reindex",
]
input.origin == "streaming-api"
input.type == "StreamingReindex"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "StreamingNodeMetadata"
input.action == "List"
}
allow {
input.origin == "streaming-api"
input.type == "StreamingDynamicCollection"
input.action == "List"
}
allow {
input.origin == "streaming-api"
input.type == "NodeUser"
input.action == "List"
}
allow {
input.origin == "streaming-api"
input.type == "UserFavorite"
input.action == "List"
}
allow {
actions := [
"List",
"ViewCount",
]
input.origin == "streaming-api"
input.type == "UserHistory"
actions[_] = input.action
}
allow {
actions := [
"Read",
"List",
]
input.origin == "streaming-api"
input.type == "Install"
actions[_] = input.action
}
allow {
actions := [
"Read",
"List",
"Create",
"Update",
]
input.origin == "streaming-api"
input.type == "Instance"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "Instance"
input.action == "Delete"
}
allow {
actions := [
"Read",
"List",
"Create",
"Update",
]
input.origin == "streaming-api"
input.type == "EntityType"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "EntityType"
input.action == "Delete"
}
# includes rules for web
allow {
actions := [
"Read",
"List",
"Create",
"Update"
]
input.type == "EmailTemplate"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "EmailTemplate"
input.action == "Delete"
}
allow {
actions := [
"Check",
"Download",
"Generate",
]
input.origin == "streaming-api"
input.type == "Export"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "Export"
input.action == "Delete"
}
allow {
actions := [
"Read",
"List",
"Create",
"Update",
]
input.origin == "streaming-api"
input.type == "UserSsoConfig"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "UserSsoConfig"
input.action == "Delete"
}
allow {
actions := [
"Read",
"List",
"Create",
"Update",
]
input.origin == "streaming-api"
input.type == "LocatorMapper"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "LocatorMapper"
input.action == "Delete"
}
allow {
actions := [
"Read",
"Create",
"Update",
"Process",
"ProcessAll",
]
input.origin == "streaming-api"
input.type == "Media"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "Media"
input.action == "Delete"
}
allow {
actions := [
"Read",
"List",
]
input.origin == "streaming-api"
input.type == "MediaWorkflow"
actions[_] = input.action
}
allow {
actions := [
"Read",
"List",
"Create",
"Update",
]
input.origin == "streaming-api"
input.type == "NotificationTopic"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "NotificationTopic"
input.action == "Delete"
}
# includes rules for web
allow {
actions := [
"Read",
"List",
"Create",
"Update"
]
input.type == "Notification"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "Notification"
input.action == "Send"
}
# includes rules for web
allow {
input.type == "Notification"
input.action == "Delete"
}
allow {
input.origin == "streaming-api"
input.type == "NotificationHistory"
input.action == "List"
}
allow {
input.origin == "streaming-api"
input.type == "StreamingDeviceSubscription"
input.action == "List"
}
allow {
input.origin == "streaming-api"
input.type == "StreamingNotificationMetrics"
input.action == "List"
}
allow {
actions := [
"Read",
"List",
"UnregisterDevice",
"Subscribe",
"Unsubscribe",
]
input.origin == "streaming-api"
input.type == "StreamingDevice"
actions[_] = input.action
}
# includes rules for web
allow {
actions := [
"Read",
"List",
"Create",
"Update",
"Send",
"CreateDefaultNodeThemeMappings",
"CreateTimedNodeThemeMappings"
]
input.type == "Theme"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "Theme"
input.action == "Delete"
}
allow {
input.origin == "streaming-api"
input.type == "NodeTheme"
input.action == "List"
}
allow {
input.origin == "streaming-api"
input.type == "NodeTheme"
input.action == "Delete"
}
allow {
input.origin == "streaming-api"
input.type == "ProductNode"
input.action == "List"
}
allow {
actions := [
"List",
"AddUserListNode",
"RemoveUserListNode",
]
input.origin == "streaming-api"
input.type == "UserListNode"
actions[_] = input.action
}
# includes rules for web
allow {
actions := [
"Read",
"List",
"Create",
"Update"
]
input.type == "UserList"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "UserList"
input.action == "Delete"
}
# includes rules for web
allow {
actions := [
"Read",
"List",
"Create",
"Update"
]
input.type == "UserPool"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "UserPool"
input.action == "Delete"
}
# includes rules for web
allow {
actions := [
"Read",
"List",
"Create",
"Update"
]
input.type == "UserGroup"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "UserGroup"
input.action == "Delete"
}
allow {
actions := [
"Create",
"RemoveUserGroupLink",
]
input.origin == "streaming-api"
input.type == "UserGroupLink"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "UserGroupLink"
input.action == "Delete"
}
allow {
input.origin == "streaming-api"
input.type == "StreamingUserSubscription"
input.action == "List"
}
# includes rules for web
allow {
actions := [
"Read",
"List",
"Create",
"Update",
"ResendUserInvitation",
"ResetUserPassword",
]
input.type == "StreamingConsumerUser"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "StreamingConsumerUser"
input.action == "Delete"
}
# includes rules for web
allow {
actions := [
"Read",
"List",
"Create",
"Update"
]
input.type == "Product"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "Product"
input.action == "Clone"
}
# includes rules for web
allow {
input.type == "Product"
input.action == "Delete"
}
# includes rules for web
allow {
actions := [
"Read",
"List",
"Create",
"Update"
]
input.type == "ProductPlan"
actions[_] = input.action
}
# includes rules for web
allow {
input.type == "ProductPlan"
input.action == "Delete"
}
allow {
actions := [
"Read",
"List",
"Download",
"Send",
"Refund",
]
input.origin == "streaming-api"
input.type == "ProductCharge"
actions[_] = input.action
}
allow {
actions := [
"ExpireCoupon",
"RedeemProductCouponForUser"
]
input.origin == "streaming-api"
input.type == "ProductCoupon"
actions[_] = input.action
}
# includes rules for web
allow {
actions := [
"List",
"Read",
"Create",
"Update"
]
input.type == "ProductCoupon"
actions[_] = input.action
}
allow {
actions := [
"List",
"Create",
"SetDefault"
]
input.origin == "streaming-api"
input.type == "ProductContent"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "ProductContent"
input.action == "Delete"
}
allow {
actions := [
"Read",
"List",
"GrantSubscription",
"CancelProductSubscription",
"TerminateProductSubscription",
]
input.origin == "streaming-api"
input.type == "ProductSubscription"
actions[_] = input.action
}
allow {
actions := [
"Read",
"List",
"Create",
]
input.origin == "streaming-api"
input.type == "NodeTag"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "NodeTag"
input.action == "Delete"
}
allow {
actions := [
"Read",
"Create",
"Update",
"Export",
"Import",
"CheckImport",
]
input.origin == "streaming-api"
input.type == "StreamingOrganization"
actions[_] = input.action
}
# includes rules for web
allow {
input.origin == "streaming-api"
input.type == "StreamingServerInfo"
input.action == "Read"
}
allow {
actions := [
"Read",
"List",
"Create",
"Update",
]
input.origin == "streaming-api"
input.type == "Setting"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "Setting"
input.action == "Delete"
}
allow {
actions := [
"Read",
"List",
"Create",
"Update",
]
input.origin == "streaming-api"
input.type == "TranscodeMap"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "TranscodeMap"
input.action == "Delete"
}
allow {
actions := [
"Read",
"List",
]
input.origin == "streaming-api"
input.type == "StreamingWorkflow"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "StreamingWorkflow"
input.action == "Delete"
}
# Zypline Web
allow {
input.origin == "zypline-web"
input.type == "ZyplineWebDashboard"
input.action == "Read"
}
allow {
input.origin == "zypline-web"
input.type == "ZyplineWebDiscoverAnalytics"
input.action == "Read"
}
# Pages functionality
allow {
actions := [
"Read",
"Create",
"Update",
"Delete",
"List",
]
input.origin == "streaming-api"
input.type == "DiscoverLayoutPage"
actions[_] = input.action
}
allow {
actions := [
"Create",
"Update",
"Delete",
"List",
]
input.origin == "streaming-api"
input.type == "DiscoverLayoutView"
actions[_] = input.action
}
allow {
actions := [
"Create",
"Update",
"Read",
"List",
]
input.origin == "zypline-web"
input.type == "ZyplineWebDiscoverApplicationPages"
actions[_] = input.action
}
allow {
input.origin == "zypline-web"
input.type == "ZyplineWebDiscoverApplicationPages"
input.action == "Delete"
}
allow {
actions := [
"List",
"Read",
]
input.type == "AppleCatalogTitle"
actions[_] = input.action
}
allow {
actions := [
"List",
"Read",
]
input.type == "AppleCatalogDelivery"
actions[_] = input.action
}
allow {
actions := [
"List",
"Read",
]
input.type == "PlatformDelivery"
actions[_] = input.action
}
allow {
input.origin == "streaming-api"
input.type == "NodeMediaRendition"
input.action == "List"
}

readonly_operator

Description

The user can view everything in the organization but cannot perform any other action.

Code sample
import data.oz.utils
default allow = false
# TODO: move all of the is_user_managing_account rules to the utils package, so that they can be used in any policy
is_user_managing_account {
# TODO: change to set once it is supported in the oz.utils package
utils.is_type_multiaction("User", ["Read", "Update"])
input.resource.id == utils.current_user.id
}
is_user_managing_account { utils.is_type_action("AvatarUpload", "Start") }
is_user_managing_account {
# TODO: change to set once it is supported in the oz.utils package
utils.is_type_multiaction("NotificationEvent", ["List", "Count", "MarkViewed"])
}
is_user_managing_account {
# TODO: change to set once it is supported in the oz.utils package
utils.is_type_multiaction("NotificationUserSettingsType", ["Read", "Update"])
input.resource.userId == utils.current_user.id
}
is_user_managing_account {
# TODO: change to set once it is supported in the oz.utils package
# change this from Update to Disable
utils.is_type_multiaction("ApiKeys", ["Create", "Update"])
input.resource.userId == utils.current_user.id
}
# change this from Delete to Disable
is_user_managing_account { utils.is_type_action_origin("ApiKeys", "Delete", "zypline-web") }
allow { utils.is_web_bootstrapping }
allow { is_user_managing_account }
# Because zypline-web expects a truthy Update decision for every details page
allow {
input.action == "Update"
input.origin == "zypline-web"
}
# Allow any type if it is a List or Read action
allow {
actions := {
"List",
"Read",
"Preview"
}
actions[input.action]
}
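OPA unit tests for the org_admin, org_operator and readonly_operator samples above, added here as an example; they are not part of the Connect documentation or product. They assume the three samples are saved under the package names org_admin, org_operator and readonly_operator, that the oz.utils library is loaded beside them (the samples call utils.* functions and do not compile without it), and use constructed placeholder ids such as org-1 and user-1.

```rego
# Added example, not part of the Connect documentation: OPA unit tests for the
# org_admin, org_operator and readonly_operator samples.
# Assumptions: the samples are stored as "package org_admin", "package org_operator"
# and "package readonly_operator", and the Connect oz.utils library is loaded
# next to them. Run with:  opa test -v .
package policy_test

import data.org_admin
import data.org_operator
import data.readonly_operator

# Constructed input: a user of organization "org-1" (placeholder ids) acting on
# an Organization resource. Only the fields the sample rules inspect are set.
org_request(action, resource_id) = {
	"type": "Organization",
	"action": action,
	"origin": "iam-service",
	"user": {"id": "user-1"},
	"organization": {"id": "org-1"},
	"resource": {"id": resource_id}
}

# org_admin is a deny list (default allow = true): deleting an organization is
# explicitly denied...
test_org_admin_cannot_delete_organization {
	req := org_request("Delete", "org-1")
	not org_admin.allow with input as req
}

# ...as is updating any organization other than the user's own...
test_org_admin_cannot_update_other_organization {
	req := org_request("Update", "org-2")
	not org_admin.allow with input as req
}

# ...while updating the user's own organization matches no deny rule and
# falls through to the default.
test_org_admin_can_update_own_organization {
	req := org_request("Update", "org-1")
	org_admin.allow with input as req
}

# org_operator defines its own is_user_ip_whitelisted(scope) over
# data.organizations; mock that data with "with" instead of loading real settings.
test_org_operator_ip_whitelist_by_scope {
	orgs := {"org-1": {"organizationRights": {"Video Playback": ["10.0.0.0/8"]}}}
	inside := {"organization": {"id": "org-1"}, "user": {"ip": "10.1.2.3"}}
	outside := {"organization": {"id": "org-1"}, "user": {"ip": "192.0.2.7"}}
	org_operator.is_user_ip_whitelisted("Video Playback") with input as inside with data.organizations as orgs
	not org_operator.is_user_ip_whitelisted("Video Playback") with input as outside with data.organizations as orgs
	# a whitelist configured for one scope says nothing about another scope
	not org_operator.is_user_ip_whitelisted("Download") with input as inside with data.organizations as orgs
}

# Constructed input for readonly_operator: an ordinary resource that none of the
# is_user_managing_account rules match (it is not the user's own account data).
ro_request(action, origin) = {
	"type": "Title",
	"action": action,
	"origin": origin,
	"user": {"id": "user-1"},
	"organization": {"id": "org-1"},
	"resource": {"id": "title-1", "userId": "user-2"}
}

# readonly_operator is an allow list (default allow = false): viewing passes...
test_readonly_operator_can_list {
	req := ro_request("List", "zypline-api")
	readonly_operator.allow with input as req
}

# ...and a destructive action is denied. This assumes utils.is_web_bootstrapping
# does not match a plain API request.
test_readonly_operator_cannot_delete {
	req := ro_request("Delete", "zypline-api")
	not readonly_operator.allow with input as req
}

# Caveat worth pinning down in a test: the sample grants every Update that
# arrives from zypline-web (the UI expects a truthy Update decision on details
# pages), so the same Update is denied via the API but allowed via the web origin.
test_readonly_operator_update_depends_on_origin {
	api := ro_request("Update", "zypline-api")
	web := ro_request("Update", "zypline-web")
	not readonly_operator.allow with input as api
	readonly_operator.allow with input as web
}
```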