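######################################################
# Request Definition
######################################################
[request_definition]
# Explanation:
# - `accountRef`: The account (user) making the request.
# - `organizationRef`: The organization in which the role applies.
# - `permissionRef`: The specific permission being requested.
# - `objectRef`: The object/resource being accessed (specific object or all objects).
# - `action`: The action being requested (CRUD: read, write, update, delete).
r = accountRef, organizationRef, permissionRef, objectRef, action

######################################################
# Policy Definition
######################################################
[policy_definition]
# Explanation:
# - `roleRef`: The role to which the policy is assigned.
# - `organizationRef`: The organization in which the role applies.
# - `permissionRef`: The permission associated with the policy.
# - `objectRef`: The specific object/resource the policy applies to, or "*" for all objects (see [matchers]).
# - `action`: The CRUD action permitted or denied.
# - `eft`: Effect of the policy (`allow` or `deny`).
# Note: "*" is honoured only in `objectRef`. `organizationRef`, `permissionRef` and `action`
# are compared with plain string equality in the matcher, so a "*" in those fields never matches.
p = roleRef, organizationRef, permissionRef, objectRef, action, eft

######################################################
# Role Definition
######################################################
[role_definition]
# Explanation:
# - Maps `accountRef` (user) to `roleRef` (role) within `organizationRef` (scope).
# - The third placeholder is the domain: the matcher calls `g()` with `r.organizationRef`,
#   so a role held in one organization does not satisfy a request made in another.
# Casbin requires underscores for placeholders, so we do not literally use accountRef, roleRef, etc. here.
g = _, _, _

######################################################
# Policy Effect
######################################################
[policy_effect]
# Explanation:
# - Grants access if any `allow` policy matches and no `deny` policies match.
# - Deny-override: a single matching `deny` rule wins regardless of how many `allow` rules match.
# - A request that matches no policy at all is denied (no `allow` found).
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

######################################################
# Matchers
######################################################
[matchers]
# Explanation:
# - Checks if the user (accountRef) belongs to the roleRef within an organizationRef via `g()`.
# - Ensures the organizationRef, permissionRef, objectRef, and action match the policy.
# - Only `p.objectRef` accepts the "*" wildcard; combined with the deny-override effect above,
#   a `deny` rule with `objectRef = "*"` blocks that permission/action across every object in the organization.
m = g(r.accountRef, p.roleRef, r.organizationRef) && r.organizationRef == p.organizationRef && r.permissionRef == p.permissionRef && (p.objectRef == r.objectRef || p.objectRef == "*") && r.action == p.action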