---
# Role-based permissions configuration.
#
# Each role lists the permissions it grants. Permission strings are
# 'resource:action', optionally followed by a scope qualifier such as
# ':own' (e.g. 'jobs:delete:own'); the qualifiers in use are described
# under 'hierarchy.<resource>.special'.
# Examples: jobs:create, data:read, users:manage
#
# NOTE(review): how '*', 'inherits' and ':own' are evaluated is decided by
# the consuming service, not by this file — confirm against the loader
# before relying on any comment below that says "presumably".

roles:
  # Wildcard: presumably matches every resource:action pair. Keep the set
  # of accounts mapped to this role minimal and audited.
  admin:
    description: 'Full system access'
    permissions:
      - '*'

  # NOTE(review): jobs:update and models:read are unscoped while
  # jobs:delete and models:update are limited to ':own' — confirm the
  # unscoped update is intended rather than an oversight.
  data_scientist:
    description: 'ML experiment management'
    permissions:
      - 'jobs:create'
      - 'jobs:read'
      - 'jobs:update'
      - 'jobs:delete:own'
      - 'data:read'
      - 'data:create'
      - 'models:read'
      - 'models:create'
      - 'models:update:own'
      - 'metrics:read'

  # Full CRUD on data plus pipeline and storage access; jobs are
  # read/update only (no create/delete).
  data_engineer:
    description: 'Data pipeline and infrastructure'
    permissions:
      - 'data:create'
      - 'data:read'
      - 'data:update'
      - 'data:delete'
      - 'jobs:read'
      - 'jobs:update'
      - 'pipelines:create'
      - 'pipelines:read'
      - 'pipelines:update'
      # 'storage' has no entry under 'hierarchy' below — verify the
      # consumer does not require one.
      - 'storage:read'
      - 'storage:write'

  # Default role for new users (see 'defaults.new_user_role').
  viewer:
    description: 'Read-only access'
    permissions:
      - 'jobs:read'
      - 'data:read'
      - 'models:read'
      - 'metrics:read'
      - 'pipelines:read'

  # Operational role: can update/restart any job but cannot create or
  # delete jobs, and has no data or model access.
  operator:
    description: 'System operations and monitoring'
    permissions:
      - 'jobs:read'
      - 'jobs:update'
      - 'jobs:restart'
      - 'metrics:read'
      - 'system:read'
      - 'system:status'
      # 'logs' has no entry under 'hierarchy' below — verify the consumer
      # does not require one.
      - 'logs:read'

# Permission groups for easier management.
groups:
  # Presumably the union of the listed roles' permissions; note that the
  # union removes the ':own' restriction only where the other role grants
  # the unscoped action.
  ml_developer:
    description: 'Combined data scientist and data engineer'
    inherits:
      - data_scientist
      - data_engineer

  # Same as the 'viewer' role plus 'system:read'; keep the two in step if
  # either is changed.
  read_only:
    description: 'Read access to all resources'
    permissions:
      - 'jobs:read'
      - 'data:read'
      - 'models:read'
      - 'pipelines:read'
      - 'metrics:read'
      - 'system:read'

# Resource hierarchy for permission inheritance.
# 'children' enumerates the actions known for a resource; 'special' lists
# scope qualifiers and their meaning.
hierarchy:
  jobs:
    children:
      create: true
      read: true
      update: true
      delete: true
      restart: true
    special:
      own: 'User can only access their own resources'

  data:
    children:
      create: true
      read: true
      update: true
      delete: true
      # upload/download are defined here but not granted by any role above.
      upload: true
      download: true

  models:
    children:
      create: true
      read: true
      update: true
      delete: true
      # deploy is defined here but not granted by any role above.
      deploy: true
    special:
      own: 'User can only access their own models'

  system:
    children:
      read: true
      status: true
      # manage/config are defined here but reachable only via the admin
      # wildcard.
      manage: true
      config: true

  metrics:
    children:
      read: true
      export: true
      delete: true

  pipelines:
    children:
      create: true
      read: true
      update: true
      delete: true
      run: true
      stop: true

# Default permissions for new users.
defaults:
  # Role assigned to an account that has no explicit role.
  new_user_role: 'viewer'
  # Account names that presumably receive the 'admin' role; these are
  # usernames (not roles), so any change here widens full access.
  admin_users:
    - 'admin'
    - 'root'
    - 'system'