(policy default
  (then (drop (cap))))

(token (keyvalue read (cap READ)))
(token (keyvalue write (cap WRITE)))
(token (keyvalue create (cap CREATE)))
(token (keyvalue destroy (cap DESTROY)))
(token (keyvalue execute (cap EXECUTE)))
(token (keyvalue all ((read) (write) (create) (destroy) (execute))))

(berid (cap))

(policy read-only
  ((if (must
         ((equal (attr action "operation") "file-access")))
       (then (grant read))
       (else (audit warning)))))

(policy write-for-staff
  ((if (must
         ((equal (attr environment "location") "office")
          (equal (attr action "operation") "file-access")
          (has (attr subject "staff"))))
       (then (grant write))
       (else (audit warning)))))

(policy create-for-admin
  ((if (must
         ((equal (attr environment "location") "office")
          (has ((attr subject "staff")
                (attr subject "admin")))))
       (then
         ((grant (create))
          (resource (ternary "glenda-can-delete" (env GLENDA_ALLOWED)))))
       (else (audit warning)))))

(policy destroy-only-for-glenda
  ((if (must
         ((equal (attr environment "location") "remote-office")
          (equal (attr resource "glenda-can-delete") true)
          (has (attr subject "staff"))
          (equal (attr subject "username") "glenda")))
       (then (grant destroy))
       (else (audit warning)))))

(policy execute-processes
  ((if (must
         ((equal (attr environment "location") "office")
          (within (attr environment "time") (time 08 00) (time 18 00))
          (at-least-1
            ((has (attr action "begin-process"))
             (has (attr action "end-process"))))
          (has (attr resource "can-execute"))
          (has (attr subject "staff") (attr subject "operations"))))
       (then (grant execute))
       (else (audit warning)))))

(policy backup
  ((if (must
         ((equal (attr environment "location") "office")
          (within (attr environment "time") (time 01 00) (time 03 00))
          (at-least-1
            ((equal (attr environment "weekday") "Sunday")
             (equal (attr environment "weekday") "Tuesday")))
          (has (attr action "begin-backup"))
          (has (attr resource "dump"))
          (has (attr subject "operations"))
          (has (attr subject "backups"))))
       (then
         ((grant read)
          (audit log "running backup")))
       (else (audit warning)))))

(policy root
  ((if (must
         ((equal (attr environment "location") "office")
          (has (attr subject "root"))))
       (then (grant all)))))