# Permission profile for the `projects` object. The roles it references are
# declared in demo.app.yml (see the roles list below); every other stanza in
# this file is scoped to this one object.
name: projects_permission
object: projects
description: "Comprehensive access control rules for Project object"

# Roles (defined in demo.app.yml, referenced here)
# This list documents which system roles have permissions on this object.
# Every role name used in a permission list further down must appear here;
# the stanzas in this file reference exactly these five names.
roles:
  - admin      # only role in object-level delete, view_all and modify_all
  - manager    # create/update plus the approve, complete and bulk_update_status actions
  - developer  # object read plus the clone action
  - user       # object read plus read access to the approval_* fields
  - viewer     # object read only; appears in no field_permissions or action_permissions list

# Object-level permissions (CRUD), by role. These are the role baseline;
# record_rules and row_level_security below add per-record conditions.
# NOTE(review): this file does not say whether a record rule (e.g.
# owner_full_access, which grants delete) can widen these lists or only
# narrow them — confirm the engine's precedence before relying on
# delete: [admin] as the effective rule.
object_permissions:
  create: [admin, manager]
  read: [admin, manager, developer, user, viewer]  # every declared role
  update: [admin, manager]
  delete: [admin]
  view_all: [admin]      # Admins can see all projects
  modify_all: [admin]    # Admins can edit all projects

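# Field-level security: per-field read/update role lists applied on top of the
# object-level permissions. An empty `update` list means no role may write the
# field (it is read-only from the UI/API side). developer and viewer appear in
# none of these lists, so they presumably see none of these four fields —
# confirm against the engine's default for unlisted roles.
field_permissions:
  budget:
    read: [admin, manager]  # keep equal to view_permissions.all_projects.field_restrictions.budget.visible_to
    update: [admin]  # Only admin can change budget

  approved_by:
    read: [admin, manager, user]
    update: []  # Read-only, set by system/workflow

  approved_at:
    read: [admin, manager, user]
    update: []  # Read-only, presumably set by the same system/workflow as approved_by

  approval_comment:
    read: [admin, manager, user]
    update: [admin, manager]  # same roles that may execute the approve action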

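# Record-level rules for dynamic access control. Each rule pairs a condition on
# the current record with a set of boolean grants. `priority` is the only
# ordering signal given here (presumably higher wins: owner rule 100, public
# rule 10).
# NOTE(review): how a rule's `permissions` combine with object_permissions and
# row_level_security (override vs. intersect) is not defined in this file.
record_rules:
  - name: owner_full_access
    priority: 100
    description: Project owner has full access to their projects
    condition:
      type: simple
      field: owner
      operator: "="
      value: $current_user.id
    permissions:
      read: true
      update: true
      delete: true  # NOTE(review): if this overrides object_permissions.delete ([admin]), any non-admin owner may delete their project

  - name: public_read_access
    priority: 10
    description: Completed projects are publicly readable
    condition:
      type: simple
      field: status
      operator: "="
      value: completed
    permissions:
      read: true  # no role filter; field_permissions (e.g. budget) should still apply — confirm
      update: false
      delete: false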

# Sharing rules: per-record grants made by users rather than by role.
# NOTE(review): no list of roles allowed to create a share is given here; the
# grant itself is capped at read (update/delete are false). Confirm that a
# sharer cannot hand out more than they themselves hold on the record.
sharing_rules:
  - name: manual_share
    type: manual
    description: Users can manually share projects with team members
    enabled: true
    permissions:  # presumably what the recipient of a manual share receives
      read: true
      update: false
      delete: false

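# Action permissions: which roles may execute each named action, plus optional
# record-state `conditions` and an optional `rate_limit`.
action_permissions:
  approve:
    execute: [admin, manager]
    conditions:
      - field: status
        operator: "="
        value: in_progress  # only in-progress projects can be approved

  complete:
    execute: [admin, manager]
    # NOTE(review): no status precondition, unlike `approve`; if completion is
    # meant to follow approval, add a `conditions` entry mirroring the one above.

  clone:
    execute: [admin, manager, developer]

  import_projects:
    execute: [admin]
    rate_limit:
      requests_per_hour: 10  # the only rate-limited action in this file

  bulk_update_status:
    execute: [admin, manager]
    # NOTE(review): a mass status change has neither a condition nor a rate
    # limit, yet `status` drives public_read_access and the manager
    # row_level_security exception below; consider adding both.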

# View permissions: which roles may open each named view, and which fields in
# that view are hidden from some of them.
view_permissions:
  all_projects:
    access: [admin, manager, developer, user, viewer]  # every declared role
    field_restrictions:
      budget:
        visible_to: [admin, manager]  # keep equal to field_permissions.budget.read

# Row-level security: the default record filter for this object and the roles
# that are exempt from it, either fully (bypass) or under a condition.
row_level_security:
  enabled: true
  default_rule:  # presumably: non-exempt roles only see records they own
    field: owner
    operator: "="
    value: $current_user.id
  exceptions:
    - role: admin
      bypass: true  # admin sees all rows (consistent with object_permissions.view_all)
    - role: manager
      condition:  # managers see every project whose status is not completed
        type: simple
        field: status
        operator: "!="
        value: completed
      # NOTE(review): whether this condition replaces or is OR-ed with the
      # default owner rule is not stated; if it replaces it, a manager loses
      # their own completed projects except through public_read_access.

# Audit trail: which events are recorded for this object, how long they are
# kept, and alerting on repeated denials.
audit:
  enabled: true
  events:
    - permission_grant
    - permission_revoke
    - access_denied
    - sensitive_field_access  # NOTE(review): which fields are "sensitive" is not defined here; all four field_permissions entries restrict read, budget most tightly
  retention_days: 365
  alerts:
    - event: access_denied
      threshold: 5  # 5 denials ...
      window_minutes: 10  # ... within 10 minutes ...
      notify: [admin]  # ... notify the admin role
