validateSOD validates a Separation of Duties constraint.
(constraint *Constraint, groupingPolicy [][]string)
| 200 | |
// validateSOD validates a Separation of Duties constraint.
//
// The constraint must name exactly two roles. The grouping policy is folded
// into a per-user role set and any user holding both roles is reported as a
// violation. When several users violate the rule, which one is reported
// follows map iteration order, so the message is not deterministic.
//
// NOTE(review): buildUserRoleMap is defined elsewhere; whether it expands
// role inheritance (a user who reaches one of the two roles only through an
// intermediate role) is not visible here — confirm, since an SOD check that
// only sees direct assignments would miss such a user.
func (model Model) validateSOD(constraint *Constraint, groupingPolicy [][]string) error {
	if len(constraint.Roles) != 2 {
		return errors.NewConstraintViolationError(constraint.Key, "sod requires exactly 2 roles")
	}

	first := constraint.Roles[0]
	second := constraint.Roles[1]

	for subject, held := range buildUserRoleMap(groupingPolicy) {
		if !held[first] || !held[second] {
			continue
		}
		// Both roles are held by the same subject: that is the violation.
		msg := fmt.Sprintf("user '%s' cannot have both roles '%s' and '%s'", subject, first, second)
		return errors.NewConstraintViolationError(constraint.Key, msg)
	}

	return nil
}
| 220 | |
| 221 | // validateSODMax validates a maximum role count constraint for a role set. |
| 222 | func (model Model) validateSODMax(constraint *Constraint, groupingPolicy [][]string) error { |