Press n or j to go to the next uncovered block, b, p or k for the previous block.
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 | import { Prop, Schema, SchemaFactory } from '@nestjs/mongoose'; import { Document, Schema as MongooseSchema } from 'mongoose'; @Schema({ timestamps: true, collection: 'policy_definitions' }) export class PolicyDefinition extends Document { @Prop({ required: true, index: true }) tenantId: string; @Prop({ required: true }) name: string; @Prop({ default: null }) description: string; @Prop({ type: [MongooseSchema.Types.Mixed], required: true }) statements: Array<{ effect: 'ALLOW' | 'DENY'; actions: string[]; // e.g. ['read', 'update', 'delete'] resources: string[]; // e.g. ['Invoice', 'User'] dataScope?: | 'OWN' | 'ASSIGNED' | 'CREATED' | 'TEAM' | 'DEPARTMENT' | 'BRANCH' | 'COMPANY' | 'CUSTOM'; conditions?: Array<{ field: string; operator: string; value: any; }>; }>; @Prop({ default: 100 }) priority: number; // Higher number evaluated first in deny-overrides } export const PolicyDefinitionSchema = SchemaFactory.createForClass(PolicyDefinition); PolicyDefinitionSchema.index({ tenantId: 1 }); @Schema({ timestamps: true, collection: 'policy_assignments' }) export class PolicyAssignment extends Document { @Prop({ required: true, index: true }) tenantId: string; @Prop({ required: true, index: true }) policyId: string; @Prop({ default: null, index: true }) userId: string; // Direct user assignment @Prop({ default: null, index: true }) roleId: string; // Assignment by role } export const PolicyAssignmentSchema = SchemaFactory.createForClass(PolicyAssignment); PolicyAssignmentSchema.index({ tenantId: 1, userId: 1 }); @Schema({ timestamps: true, collection: 'field_policies' }) export class FieldPolicy extends Document { @Prop({ required: true, index: true }) tenantId: string; @Prop({ required: true, index: true }) roleId: string; @Prop({ required: true }) entity: string; // e.g. 'Employee' @Prop({ required: true }) field: string; // e.g. 'salary' @Prop({ required: true, default: 'READ' }) access: 'READ' | 'WRITE' | 'HIDE'; } export const FieldPolicySchema = SchemaFactory.createForClass(FieldPolicy); @Schema({ timestamps: true, collection: 'permission_evaluation_logs' }) export class PermissionEvaluationLog extends Document { @Prop({ required: true, index: true }) tenantId: string; @Prop({ required: true, index: true }) userId: string; @Prop({ required: true }) resource: string; @Prop({ required: true }) action: string; @Prop({ required: true }) decision: 'ALLOW' | 'DENY'; @Prop({ default: null }) reason: string; } export const PermissionEvaluationLogSchema = SchemaFactory.createForClass( PermissionEvaluationLog, ); PermissionEvaluationLogSchema.index({ tenantId: 1, createdAt: -1 }); |