// Principal type. Every role-bearing relation in this schema (director, member, lead)
// is granted directly to a user; no groups or nested subject sets are used.
entity user {}
// Organization boundary. Resource entities (db_table, report, excel_file) reach it
// through their own `parent` relation and evaluate `parent.director` / `parent.member`.
entity organization {
// Director: the only relation that satisfies the level-4 (high) view path on resources.
relation director @user
// General membership: the only relation on the level-1 (low) view path of db_table and report.
relation member @user
}
// Team that owns a resource; resources reference it through their `team` relation.
entity team {
// Team lead: the sole grantor of `edit` on db_table, report and excel_file,
// and part of the level-3 and level-2 view paths.
relation lead @user
// Team member: part of the level-2 view path on all three resource entities.
relation member @user
// NOTE(review): nothing in this schema references team.parent — resources point at the
// organization directly via their own `parent` relation — so this relation currently has
// no effect on any permission. Confirm whether it is intended for a future rule or is dead.
relation parent @organization
}
// Database table resource. Read access is gated by an exact confidentiality level (1..4)
// combined with the caller's role on the parent organization or owning team.
entity db_table {
relation parent @organization
relation team @team
// Each check_confidentiality_* rule matches exactly one value (4, 3, 2, 1), so at most one
// view_* permission can apply to a given row. A value outside 1..4 matches no rule;
// presumably an unset attribute also matches none and `view` fails closed — verify with Permify.
attribute confidentiality_level integer
// Level 4 (high): organization directors only.
permission view_director = check_confidentiality_high(confidentiality_level) and parent.director
// Level 3 (medium-high): directors or the owning team's lead.
permission view_team_lead = check_confidentiality_medium_high(confidentiality_level) and (parent.director or team.lead)
// Level 2 (medium): team lead or team member.
// NOTE(review): parent.director is NOT included here, so a director who holds no team
// relation cannot view a level-2 table. excel_file includes the director at this level; confirm which is intended.
permission view_team_member = check_confidentiality_medium(confidentiality_level) and (team.lead or team.member)
// Level 1 (low): organization members only.
// NOTE(review): team.lead and team.member are NOT included, so a team member who is not an
// organization member can view level 2 but not level 1 — access is non-monotonic across levels.
// excel_file grants lower levels cumulatively; confirm which behaviour is intended.
permission view_org_member = check_confidentiality_low(confidentiality_level) and parent.member
// A caller may view the table if any per-level path is satisfied.
action view = view_director or view_team_lead or view_team_member or view_org_member
// NOTE(review): edit ignores confidentiality_level, so a team lead can edit a level-4 table
// that `view` denies them. Confirm whether edit should also require view.
action edit = team.lead
}
// Report resource. The permission set is identical to db_table: an exact confidentiality
// level (1..4) combined with the caller's role on the parent organization or owning team.
entity report {
relation parent @organization
relation team @team
// Each check_confidentiality_* rule matches exactly one value (4, 3, 2, 1), so at most one
// view_* permission can apply to a given row. A value outside 1..4 matches no rule;
// presumably an unset attribute also matches none and `view` fails closed — verify with Permify.
attribute confidentiality_level integer
// Level 4 (high): organization directors only.
permission view_director = check_confidentiality_high(confidentiality_level) and parent.director
// Level 3 (medium-high): directors or the owning team's lead.
permission view_team_lead = check_confidentiality_medium_high(confidentiality_level) and (parent.director or team.lead)
// Level 2 (medium): team lead or team member.
// NOTE(review): parent.director is NOT included here, so a director who holds no team
// relation cannot view a level-2 report. excel_file includes the director at this level; confirm which is intended.
permission view_team_member = check_confidentiality_medium(confidentiality_level) and (team.lead or team.member)
// Level 1 (low): organization members only.
// NOTE(review): team.lead and team.member are NOT included, so a team member who is not an
// organization member can view level 2 but not level 1 — access is non-monotonic across levels.
// excel_file grants lower levels cumulatively; confirm which behaviour is intended.
permission view_org_member = check_confidentiality_low(confidentiality_level) and parent.member
// A caller may view the report if any per-level path is satisfied.
action view = view_director or view_team_lead or view_team_member or view_org_member
// NOTE(review): edit ignores confidentiality_level, so a team lead can edit a level-4 report
// that `view` denies them. Confirm whether edit should also require view.
action edit = team.lead
}
// Spreadsheet resource. Unlike db_table and report, the lower confidentiality levels here are
// cumulative: each level's role set is a superset of the level above it.
entity excel_file {
relation parent @organization
relation team @team
// Each check_confidentiality_* rule matches exactly one value (4, 3, 2, 1), so at most one
// view_* permission can apply to a given row. A value outside 1..4 matches no rule;
// presumably an unset attribute also matches none and `view` fails closed — verify with Permify.
attribute confidentiality_level integer
// Level 4 (high): organization directors only.
permission view_director = check_confidentiality_high(confidentiality_level) and parent.director
// Level 3 (medium-high): directors or the owning team's lead.
permission view_team_lead = check_confidentiality_medium_high(confidentiality_level) and (parent.director or team.lead)
// Level 2 (medium): level-3 roles plus team members.
permission view_team_member = check_confidentiality_medium(confidentiality_level) and (parent.director or team.lead or team.member)
// Level 1 (low): level-2 roles plus any organization member.
// NOTE(review): db_table and report grant only parent.member at this level and omit the
// director at level 2; confirm whether those entities should match this cumulative pattern.
permission view_org_member = check_confidentiality_low(confidentiality_level) and (parent.director or team.lead or team.member or parent.member)
// A caller may view the file if any per-level path is satisfied.
action view = view_director or view_team_lead or view_team_member or view_org_member
// NOTE(review): edit ignores confidentiality_level, so a team lead can edit a level-4 file
// that `view` denies them. Confirm whether edit should also require view.
action edit = team.lead
}
// True only for the highest classification (4). Callers pass the resource's
// confidentiality_level attribute positionally, so the parameter name is local.
rule check_confidentiality_high(level integer) {
level == 4
}
// True only for classification 3. Exact match: 4 and 2 both fail, so each
// level is handled by exactly one rule.
rule check_confidentiality_medium_high(level integer) {
level == 3
}
// True only for classification 2. Exact match: 3 and 1 both fail, so each
// level is handled by exactly one rule.
rule check_confidentiality_medium(level integer) {
level == 2
}
// True only for the lowest classification (1). A value of 0 (or any value
// outside 1..4) matches no rule in this file.
rule check_confidentiality_low(level integer) {
level == 1
}