@IssacTran
Created June 28, 2016 03:14
Rundeck ACL Policy
description: Developer Project Policy
context:
  project: 'gto' # GTO project
for:
  resource:
    - equals:
        kind: job
      allow: [read,run]
    - equals:
        kind: node
      allow: [read,refresh]
    - equals:
        kind: event
      allow: [read] # allow read events
  adhoc:
    - deny: '*' # deny running/killing adhoc jobs
  job:
    - match:
        group: 'platforms/.*/dev/.*|platforms/.*/cert/.*|platforms/.*/perf/.*|platforms/sms/.*'
      allow: [read,run,kill]
    - match:
        group: '.*lib.*'
      allow: [run]
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: [rd_developer]
---
description: Developer Application Policy
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      deny: [create]
    - equals:
        kind: system
      deny: [read]
    - equals:
        kind: user
      deny: [admin]
  project:
    - match:
        name: 'gto'
      allow: 'read'
by:
  group: [rd_developer]