AETHER-2234 move and update aether-roc-umbrella
Change-Id: I7ca845b92dff1fce5fd87d42053a43d80cc55f34
diff --git a/aether-roc-umbrella/files/opa-rbac/aether-3.0.0.rego b/aether-roc-umbrella/files/opa-rbac/aether-3.0.0.rego
new file mode 100644
index 0000000..29df86e
--- /dev/null
+++ b/aether-roc-umbrella/files/opa-rbac/aether-3.0.0.rego
@@ -0,0 +1,149 @@
+# SPDX-FileCopyrightText: 2021-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+package aether_3_0_0
+
+echo[config] {
+ config := input
+}
+
+allowed[config] {
+ ap_list := ap_lists # refer to rule below
+ application := applications
+ connectivity_service := connectivityservices
+ device_group := devicegroups
+ enterprise := enterprises
+ ip_domain := ip_domains
+ network := networks
+ site := sites
+ template := templates
+ traffic_class := trafficclasses
+ upf := upfs
+ vcs := vcss
+ config := {
+ "ap-list": {
+ "ap-list": [
+ ap_list
+ ]
+ },
+ "application": {
+ "application": [
+ application
+ ]
+ },
+ "connectivity-service": {
+ "connectivity-service": [
+ connectivity_service
+ ]
+ },
+ "device-group": {
+ "device-group": [
+ device_group
+ ]
+ },
+ "enterprise": {
+ "enterprise": [
+ enterprise
+ ]
+ },
+ "ip-domain": {
+ "ip-domain": [
+ ip_domain
+ ]
+ },
+ "network": {
+ "network": [
+ network
+ ]
+ },
+ "site": {
+ "site": [
+ site
+ ]
+ },
+ "template": {
+ "template": [
+ template
+ ]
+ },
+ "traffic_class": {
+ "traffic_class": {
+ traffic_class
+ }
+ },
+ "upf": {
+ "upf": [
+ upf
+ ]
+ },
+ "vcs": {
+ "vcs": [
+ vcs
+ ]
+ }
+ }
+}
+
+ap_lists[ap_list] {
+ ap_list := input.ap_list.ap_list[_]
+ ["AetherROCAdmin", ap_list.enterprise][_] == input.groups[i]
+}
+
+applications[application] {
+ application := input.application.application[_]
+ ["AetherROCAdmin", application.enterprise][_] == input.groups[i]
+}
+
+connectivityservices[connectivity_service] {
+ connectivity_service := input.connectivity_service.connectivity_service[_]
+}
+
+devicegroups[device_group] {
+ device_group := input.device_group.device_group[_]
+ site := sites
+ device_group.site == site[_].id # allow only the device_groups of a known site
+}
+
+enterprises[enterprise] {
+ enterprise := input.enterprise.enterprise[_]
+ ["AetherROCAdmin", enterprise.id][_] == input.groups[i]
+}
+
+ip_domains[ip_domain] {
+ ip_domain := input.ip_domain.ip_domain[_]
+ ["AetherROCAdmin", ip_domain.enterprise][_] == input.groups[i]
+}
+
+networks[network] {
+ network := input.network.network[_]
+ ["AetherROCAdmin", network.enterprise][_] == input.groups[i]
+}
+
+sites[site] {
+ site := input.site.site[_]
+ ["AetherROCAdmin", site.enterprise][_] == input.groups[i]
+}
+
+templates[template] {
+ template := input.template.template[_]
+}
+
+trafficclasses[traffic_class] {
+ traffic_class := input.traffic_class.traffic_class[_]
+}
+
+upfs[upf] {
+ upf := input.upf.upf[_]
+ ["AetherROCAdmin", upf.enterprise][_] == input.groups[i]
+}
+
+vcss[vcs] {
+ vcs := input.vcs.vcs[_]
+ ["AetherROCAdmin", vcs.enterprise][_] == input.groups[i]
+}
+
+can_update_enterprise = true {
+ update_enterprise := input.updates.enterprise.enterprise[_]
+ ["AetherROCAdmin", update_enterprise.id][_] == input.groups[i]
+}