SeedCompany
diff --git a/‎dbschema/budget.esdl‎
Lines changed: 34 additions & 0 deletions b/‎dbschema/budget.esdl‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎dbschema/ceremony.esdl‎
Lines changed: 14 additions & 0 deletions b/‎dbschema/ceremony.esdl‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎dbschema/comments.esdl‎
Lines changed: 61 additions & 0 deletions b/‎dbschema/comments.esdl‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎dbschema/engagement.esdl‎
Lines changed: 43 additions & 0 deletions b/‎dbschema/engagement.esdl‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎dbschema/field-region.esdl‎
Lines changed: 13 additions & 0 deletions b/‎dbschema/field-region.esdl‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎dbschema/field-zone.esdl‎
Lines changed: 13 additions & 0 deletions b/‎dbschema/field-zone.esdl‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎dbschema/file.esdl‎
Lines changed: 18 additions & 0 deletions b/‎dbschema/file.esdl‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎dbschema/funding-account.esdl‎
Lines changed: 13 additions & 0 deletions b/‎dbschema/funding-account.esdl‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎dbschema/language.esdl‎
Lines changed: 53 additions & 0 deletions b/‎dbschema/language.esdl‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎dbschema/location.esdl‎
Lines changed: 8 additions & 0 deletions b/‎dbschema/location.esdl‎
Lines changed: 8 additions & 0 deletions
@@ -7,6 +7,23 @@ module default {
     universalTemplate: File;
 
     records := .<budget[is Budget::Record];
+
+    access policy CanSelectUpdateReadGeneratedFromAppPoliciesForBudget
+    allow select, update read using (
+      (
+        exists (<Role>{'Administrator', 'FieldOperationsDirector', 'LeadFinancialAnalyst', 'Controller', 'FinancialAnalyst', 'Marketing', 'Fundraising', 'ExperienceOperations', 'Leadership', 'ProjectManager', 'RegionalDirector'} intersect global currentRoles)
+        or (
+          Role.ConsultantManager in global currentRoles
+          and (
+            .isMember
+            or .sensitivity <= Sensitivity.Medium
+          )
+        )
+      )
+    );
+
+    access policy CanUpdateWriteInsertDeleteGeneratedFromAppPoliciesForBudget
+    allow update write, insert, delete;
   }
 }
 
@@ -29,6 +46,23 @@ module Budget {
       readonly := true;
       on target delete delete source;
     };
+
+    access policy CanSelectUpdateReadGeneratedFromAppPoliciesForBudgetRecord
+    allow select, update read using (
+      (
+        exists (<default::Role>{'Administrator', 'FieldOperationsDirector', 'LeadFinancialAnalyst', 'Controller', 'FinancialAnalyst', 'Marketing', 'Fundraising', 'ExperienceOperations', 'Leadership', 'ProjectManager', 'RegionalDirector'} intersect global default::currentRoles)
+        or (
+          default::Role.ConsultantManager in global default::currentRoles
+          and (
+            .isMember
+            or .sensitivity <= default::Sensitivity.Medium
+          )
+        )
+      )
+    );
+
+    access policy CanUpdateWriteInsertDeleteGeneratedFromAppPoliciesForBudgetRecord
+    allow update write, insert, delete;
   }
 
   scalar type Status extending enum<
 
@@ -7,6 +7,20 @@ module Engagement {
     actualDate: cal::local_date;
 
     constraint exclusive on (.engagement);
+
+    access policy CanSelectUpdateReadGeneratedFromAppPoliciesForCeremony
+    allow select, update read using (
+      (
+        exists (<default::Role>{'Administrator', 'FieldOperationsDirector', 'FieldPartner', 'FinancialAnalyst', 'LeadFinancialAnalyst', 'Controller', 'Marketing', 'Fundraising', 'ExperienceOperations', 'Leadership', 'ProjectManager', 'RegionalDirector', 'StaffMember'} intersect global default::currentRoles)
+        or (
+          exists (<default::Role>{'Consultant', 'ConsultantManager', 'Intern', 'Mentor', 'Translator'} intersect global default::currentRoles)
+          and .isMember
+        )
+      )
+    );
+
+    access policy CanUpdateWriteInsertDeleteGeneratedFromAppPoliciesForCeremony
+    allow update write, insert, delete;
   }
   type DedicationCeremony extending Ceremony {}
   type CertificationCeremony extending Ceremony {}
 
@@ -1,6 +1,19 @@
 module Comments {
   abstract type Aware extending default::Resource {
     commentThreads := .<container[is Thread];
+
+    access policy CanSelectUpdateReadGeneratedFromAppPoliciesForCommentable
+    allow select, update read using (
+      exists (<default::Role>{'Administrator', 'Leadership'} intersect global default::currentRoles)
+    );
+
+    access policy CanUpdateWriteGeneratedFromAppPoliciesForCommentable
+    allow update write;
+
+    access policy CanInsertDeleteGeneratedFromAppPoliciesForCommentable
+    allow insert, delete using (
+      default::Role.Administrator in global default::currentRoles
+    );
   }
 
   type Thread extending default::Resource, Mixin::Embedded {
@@ -10,12 +23,60 @@ module Comments {
     comments := .<thread[is Comment];
     firstComment := (select .comments order by .createdAt asc limit 1);
     latestComment := (select .comments order by .createdAt desc limit 1);
+
+    access policy CanSelectUpdateReadGeneratedFromAppPoliciesForCommentThread
+    allow select, update read using (
+      (
+        exists (<default::Role>{'Administrator', 'Leadership'} intersect global default::currentRoles)
+        or .isCreator
+      )
+    );
+
+    access policy CanUpdateWriteGeneratedFromAppPoliciesForCommentThread
+    allow update write;
+
+    access policy CanInsertGeneratedFromAppPoliciesForCommentThread
+    allow insert using (
+      default::Role.Administrator in global default::currentRoles
+    );
+
+    access policy CanDeleteGeneratedFromAppPoliciesForCommentThread
+    allow delete using (
+      (
+        default::Role.Administrator in global default::currentRoles
+        or .isCreator
+      )
+    );
   }
 
   type Comment extending default::Resource {
     required thread: Thread {
       on target delete delete source;
     };
     required body: default::RichText;
+
+    access policy CanSelectUpdateReadGeneratedFromAppPoliciesForComment
+    allow select, update read using (
+      (
+        exists (<default::Role>{'Administrator', 'Leadership'} intersect global default::currentRoles)
+        or .isCreator
+      )
+    );
+
+    access policy CanUpdateWriteGeneratedFromAppPoliciesForComment
+    allow update write;
+
+    access policy CanInsertGeneratedFromAppPoliciesForComment
+    allow insert using (
+      default::Role.Administrator in global default::currentRoles
+    );
+
+    access policy CanDeleteGeneratedFromAppPoliciesForComment
+    allow delete using (
+      (
+        default::Role.Administrator in global default::currentRoles
+        or .isCreator
+      )
+    );
   }
 }
@@ -47,6 +47,44 @@ module default {
     };
 
     description: RichText;
+
+    access policy CanSelectUpdateReadGeneratedFromAppPoliciesForEngagement
+    allow select, update read using (
+      (
+        exists (<Role>{'Administrator', 'ProjectManager', 'RegionalDirector', 'FieldOperationsDirector', 'FinancialAnalyst', 'LeadFinancialAnalyst', 'Controller', 'Marketing', 'Fundraising', 'ExperienceOperations', 'Leadership', 'StaffMember'} intersect global currentRoles)
+        or (
+          exists (<Role>{'Consultant', 'ConsultantManager', 'FieldPartner', 'Intern', 'Mentor', 'ProjectManager', 'RegionalDirector', 'FieldOperationsDirector', 'Translator'} intersect global currentRoles)
+          and .isMember
+        )
+      )
+    );
+
+    access policy CanUpdateWriteGeneratedFromAppPoliciesForEngagement
+    allow update write;
+
+    access policy CanInsertGeneratedFromAppPoliciesForEngagement
+    allow insert using (
+      (
+        Role.Administrator in global currentRoles
+        or (
+          exists (<Role>{'ProjectManager', 'RegionalDirector', 'FieldOperationsDirector', 'FinancialAnalyst', 'LeadFinancialAnalyst', 'Controller'} intersect global currentRoles)
+          and .isMember
+          and <str>.project.status = 'InDevelopment'
+        )
+      )
+    );
+
+    access policy CanDeleteGeneratedFromAppPoliciesForEngagement
+    allow delete using (
+      (
+        Role.Administrator in global currentRoles
+        or (
+          exists (<Role>{'ProjectManager', 'RegionalDirector', 'FieldOperationsDirector', 'FinancialAnalyst', 'LeadFinancialAnalyst', 'Controller'} intersect global currentRoles)
+          and .isMember
+          and <str>.status = 'InDevelopment'
+        )
+      )
+    );
   }
 
   type LanguageEngagement extending Engagement {
@@ -119,6 +157,11 @@ module default {
       update __old__.language.projectContext
       set { projects -= __old__.project }
     );
+
+    access policy CanSelectUpdateReadGeneratedFromAppPoliciesForLanguageEngagement
+    allow select, update read using (
+      Role.ConsultantManager in global currentRoles
+    );
   }
 
   type InternshipEngagement extending Engagement {
 
@@ -6,5 +6,18 @@ module default {
 
     required fieldZone: FieldZone;
     required director: User;
+
+    access policy CanSelectUpdateReadGeneratedFromAppPoliciesForFieldRegion
+    allow select, update read using (
+      exists (<Role>{'Administrator', 'Consultant', 'ConsultantManager', 'FieldPartner', 'FinancialAnalyst', 'LeadFinancialAnalyst', 'Controller', 'Marketing', 'Fundraising', 'ExperienceOperations', 'Leadership', 'ProjectManager', 'RegionalDirector', 'FieldOperationsDirector', 'StaffMember'} intersect global currentRoles)
+    );
+
+    access policy CanUpdateWriteGeneratedFromAppPoliciesForFieldRegion
+    allow update write;
+
+    access policy CanInsertDeleteGeneratedFromAppPoliciesForFieldRegion
+    allow insert, delete using (
+      Role.Administrator in global currentRoles
+    );
   }
 }
@@ -7,5 +7,18 @@ module default {
     required director: User;
 
     fieldRegions := .<fieldZone[is FieldRegion];
+
+    access policy CanSelectUpdateReadGeneratedFromAppPoliciesForFieldZone
+    allow select, update read using (
+      exists (<Role>{'Administrator', 'Consultant', 'ConsultantManager', 'FieldPartner', 'FinancialAnalyst', 'LeadFinancialAnalyst', 'Controller', 'Marketing', 'Fundraising', 'ExperienceOperations', 'Leadership', 'ProjectManager', 'RegionalDirector', 'FieldOperationsDirector', 'StaffMember'} intersect global currentRoles)
+    );
+
+    access policy CanUpdateWriteGeneratedFromAppPoliciesForFieldZone
+    allow update write;
+
+    access policy CanInsertDeleteGeneratedFromAppPoliciesForFieldZone
+    allow insert, delete using (
+      Role.Administrator in global currentRoles
+    );
   }
 }
@@ -4,6 +4,11 @@ module default {
     required totalFiles: int32 {
       default := 0;
     };
+
+    access policy CanSelectUpdateReadGeneratedFromAppPoliciesForDirectory
+    allow select, update read using (
+      exists (<Role>{'FinancialAnalyst', 'LeadFinancialAnalyst', 'Controller'} intersect global currentRoles)
+    );
   }
 
   # TODO how to front latest version info?
@@ -38,5 +43,18 @@ module File {
       depth: int16; # todo enforce
     }
 #     multi link children: Node;
+
+    access policy CanSelectUpdateReadGeneratedFromAppPoliciesForFileNode
+    allow select, update read using (
+      exists (<default::Role>{'Administrator', 'Leadership'} intersect global default::currentRoles)
+    );
+
+    access policy CanUpdateWriteGeneratedFromAppPoliciesForFileNode
+    allow update write;
+
+    access policy CanInsertDeleteGeneratedFromAppPoliciesForFileNode
+    allow insert, delete using (
+      default::Role.Administrator in global default::currentRoles
+    );
   }
 }
@@ -7,5 +7,18 @@ module default {
     required accountNumber: int16 {
       constraint expression on (__subject__ >= 0 and __subject__ <= 9);
     }
+
+    access policy CanSelectUpdateReadGeneratedFromAppPoliciesForFundingAccount
+    allow select, update read using (
+      exists (<Role>{'Administrator', 'ConsultantManager', 'FinancialAnalyst', 'LeadFinancialAnalyst', 'Controller', 'Leadership', 'ProjectManager', 'RegionalDirector', 'FieldOperationsDirector', 'StaffMember'} intersect global currentRoles)
+    );
+
+    access policy CanUpdateWriteGeneratedFromAppPoliciesForFundingAccount
+    allow update write;
+
+    access policy CanInsertDeleteGeneratedFromAppPoliciesForFundingAccount
+    allow insert, delete using (
+      Role.Administrator in global currentRoles
+    );
   }
 }
@@ -87,6 +87,25 @@ module default {
     }
 
     index on ((.name, .ownSensitivity, .leastOfThese, .isSignLanguage, .isDialect));
+
+    access policy CanSelectUpdateReadGeneratedFromAppPoliciesForLanguage
+    allow select, update read using (
+      (
+        exists (<Role>{'Administrator', 'ConsultantManager', 'ExperienceOperations', 'LeadFinancialAnalyst', 'Controller', 'FinancialAnalyst', 'Fundraising', 'Marketing', 'Leadership', 'ProjectManager', 'RegionalDirector', 'FieldOperationsDirector', 'StaffMember'} intersect global currentRoles)
+        or (
+          exists (<Role>{'Consultant', 'ConsultantManager', 'FieldPartner', 'Intern', 'Mentor', 'Translator'} intersect global currentRoles)
+          and .isMember
+        )
+      )
+    );
+
+    access policy CanUpdateWriteGeneratedFromAppPoliciesForLanguage
+    allow update write;
+
+    access policy CanInsertDeleteGeneratedFromAppPoliciesForLanguage
+    allow insert, delete using (
+      Role.Administrator in global currentRoles
+    );
   }
 
   scalar type population extending int32 {
@@ -109,6 +128,40 @@ module Ethnologue {
     };
     name: str;
     population: default::population;
+
+    access policy CanSelectUpdateReadGeneratedFromAppPoliciesForEthnologueLanguage
+    allow select, update read using (
+      (
+        exists (<default::Role>{'Administrator', 'ExperienceOperations', 'Leadership', 'ProjectManager', 'RegionalDirector', 'FieldOperationsDirector'} intersect global default::currentRoles)
+        or (
+          default::Role.ConsultantManager in global default::currentRoles
+          and .sensitivity <= default::Sensitivity.Medium
+        )
+        or (
+          exists (<default::Role>{'Consultant', 'ConsultantManager', 'FieldPartner', 'Translator'} intersect global default::currentRoles)
+          and .isMember
+        )
+        or (
+          default::Role.Fundraising in global default::currentRoles
+          and (
+            .isMember
+            or .sensitivity <= default::Sensitivity.Medium
+          )
+        )
+        or (
+          exists (<default::Role>{'Marketing', 'Fundraising', 'ExperienceOperations'} intersect global default::currentRoles)
+          and .sensitivity <= default::Sensitivity.Low
+        )
+      )
+    );
+
+    access policy CanUpdateWriteGeneratedFromAppPoliciesForEthnologueLanguage
+    allow update write;
+
+    access policy CanInsertDeleteGeneratedFromAppPoliciesForEthnologueLanguage
+    allow insert, delete using (
+      default::Role.Administrator in global default::currentRoles
+    );
   }
 
   scalar type code extending str {
 
@@ -13,6 +13,14 @@ module default {
     defaultFieldRegion: FieldRegion;
     defaultMarketingRegion: Location;
     mapImage: File;
+
+    access policy CanSelectUpdateReadUpdateWriteGeneratedFromAppPoliciesForLocation
+    allow select, update read, update write;
+
+    access policy CanInsertDeleteGeneratedFromAppPoliciesForLocation
+    allow insert, delete using (
+      Role.Administrator in global currentRoles
+    );
   }
 }
Original file line number	Diff line number	Diff line change
`@@ -7,5 +7,18 @@ module default {`
`7`	`7`	`required accountNumber: int16 {`
`8`	`8`	`constraint expression on (__subject__ >= 0 and __subject__ <= 9);`
`9`	`9`	`}`
	`10`	`+`
	`11`	`+ access policy CanSelectUpdateReadGeneratedFromAppPoliciesForFundingAccount`
	`12`	`+ allow select, update read using (`
	`13`	`+ exists (<Role>{'Administrator', 'ConsultantManager', 'FinancialAnalyst', 'LeadFinancialAnalyst', 'Controller', 'Leadership', 'ProjectManager', 'RegionalDirector', 'FieldOperationsDirector', 'StaffMember'} intersect global currentRoles)`
	`14`	`+ );`
	`15`	`+`
	`16`	`+ access policy CanUpdateWriteGeneratedFromAppPoliciesForFundingAccount`
	`17`	`+ allow update write;`
	`18`	`+`
	`19`	`+ access policy CanInsertDeleteGeneratedFromAppPoliciesForFundingAccount`
	`20`	`+ allow insert, delete using (`
	`21`	`+ Role.Administrator in global currentRoles`
	`22`	`+ );`
`10`	`23`	`}`
`11`	`24`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,14 @@ module default {`
`13`	`13`	`defaultFieldRegion: FieldRegion;`
`14`	`14`	`defaultMarketingRegion: Location;`
`15`	`15`	`mapImage: File;`
	`16`	`+`
	`17`	`+ access policy CanSelectUpdateReadUpdateWriteGeneratedFromAppPoliciesForLocation`
	`18`	`+ allow select, update read, update write;`
	`19`	`+`
	`20`	`+ access policy CanInsertDeleteGeneratedFromAppPoliciesForLocation`
	`21`	`+ allow insert, delete using (`
	`22`	`+ Role.Administrator in global currentRoles`
	`23`	`+ );`
`16`	`24`	`}`
`17`	`25`	`}`
`18`	`26`