From 5c5fbb0a96a421380c680d7f7de85d13ffd0c57f Mon Sep 17 00:00:00 2001
From: notanatol
Date: Wed, 9 Feb 2022 10:21:10 -0600
Subject: [PATCH 1/2] feat: role inheritance
---
 pkg/auth/auth.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
index 2bc7266e0d1..3c86a55ab9e 100644
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -39,6 +39,9 @@ func New(encryptionKey, passwordHash string, logger logging.Logger) (*Authentica
 [request_definition]
 r = sub, obj, act
+ [role_definition]
+ g = _, _
+
 [policy_definition]
 p = sub, obj, act
@@ -46,7 +49,7 @@ func New(encryptionKey, passwordHash string, logger logging.Logger) (*Authentica
 e = some(where (p.eft == allow))
 [matchers]
- m = r.sub == p.sub && (keyMatch(r.obj, p.obj) || keyMatch(r.obj, '/v1'+p.obj)) && regexMatch(r.act, p.act)`)
+ m = (g(r.sub, p.sub) || r.sub == p.sub) && (keyMatch(r.obj, p.obj) || keyMatch(r.obj, '/v1'+p.obj)) && regexMatch(r.act, p.act)`)
 if err != nil {
 return nil, err
@@ -289,5 +292,15 @@ func applyPolicies(e *casbin.Enforcer) error {
 {"consumer", "/stewardship/*", "PUT"},
 })
+ if err != nil {
+ return err
+ }
+
+ // TODO rectify these based on requested inheritance rules
+ _, err = e.AddGroupingPolicies([][]string{
+ {"accountant", "creator"},
+ {"maintainer", "creator"},
+ })
+
 return err
 }
From 1aa32b360a1408a0928940e35460a526ecc9bf4b Mon Sep 17 00:00:00 2001
From: notanatol
Date: Sat, 12 Feb 2022 15:22:35 -0600
Subject: [PATCH 2/2] feat: role hierarchy
---
 pkg/auth/auth.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
index 3c86a55ab9e..61dca75765d 100644
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
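Review bot: In the matcher line of the second hunk, `r.sub == p.sub` is redundant once `g(r.sub, p.sub)` is in place: casbin's role manager reports a name as linked to itself, so the direct match is already covered (harmless, but worth a comment if it is kept deliberately). The more important consequence is that the effect a few lines above is still `some(where (p.eft == allow))`, which has no deny path, so every row later added through the grouping table can only widen a subject's access, never restrict it. A comment beside the matcher, e.g. `// g(r.sub, p.sub): r.sub inherits every allow rule granted to p.sub; the model has no deny effect, so inheritance only ever widens access`, would make that explicit for whoever edits the role table. New's body continues outside the hunk.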
@@ -296,10 +296,11 @@ func applyPolicies(e *casbin.Enforcer) error {
 return err
 }
- // TODO rectify these based on requested inheritance rules
+ // consumer > creator > accountant > maintainer
 _, err = e.AddGroupingPolicies([][]string{
+ {"creator", "consumer"},
 {"accountant", "creator"},
- {"maintainer", "creator"},
+ {"maintainer", "accountant"},
 })
 return err
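Review bot: The replacement comment `// consumer > creator > accountant > maintainer` reads as a privilege ranking with consumer on top, but the rows below grant the reverse: each `{role, inherited role}` entry lets the first role use every policy granted to the second, so maintainer ends up with the union of accountant, creator and consumer permissions (casbin's default role manager resolves links transitively, as far as I know) while consumer holds only its own. State the direction in the comment, e.g. `// grouping rows are {role, inherited role}: permissions flow up the chain` and `// consumer < creator < accountant < maintainer (maintainer is the widest role)`. Since the model's effect is allow-only, a row here can only add permissions, so this table is what to check when a policy intended for one role must not reach the roles above it. applyPolicies begins outside the hunk.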