// Photo-sharing / task-list example policies (Cedar policy language).
// Every statement in this excerpt is a `permit`; there is no `forbid` here,
// so each policy can only widen access and the set combines by union.
// Entity hierarchies referenced below (Group, Album, Account membership,
// and the Action::"admin" / PhotoflashRole::"viewer" action groups) are
// defined in the entity data / schema, not in this file.

// Alice may view one specific photo.
permit(
    principal == User::"alice",
    action == Action::"view",
    resource == Photo::"VacationPhoto94.jpg"
);

// Anyone in the jane_friends group may view that same photo.
permit(
    principal in Group::"jane_friends",
    action == Action::"view",
    resource == Photo::"VacationPhoto94.jpg"
);

// Alice may view every photo under the jane_vacation album
// (`resource in` walks the resource hierarchy).
permit(
    principal == User::"alice",
    action == Action::"view",
    resource in Album::"jane_vacation"
);

// Alice gets an explicit, enumerated set of actions on the album.
permit(
    principal == User::"alice",
    action in [Action::"view", Action::"edit", Action::"delete"],
    resource in Album::"jane_vacation"
);

// Alice has "admin" permissions on the album
// NOTE(review): what `action in Action::"admin"` actually grants depends on
// which actions are members of the Action::"admin" group in the entity data;
// the policy text alone does not bound it.
permit(
    principal == User::"alice",
    action in Action::"admin",
    resource in Album::"jane_vacation"
);

// Solution #1: Using multiple policies
// (Solutions #1 and #2 appear to be alternative formulations of the same
// grant shown for comparison; presumably only one would be deployed — confirm.)
permit(
    principal == User::"alice",
    action in Action::"admin",
    resource in Album::"jane_vacation"
);

permit(
    principal == User::"alice",
    action == Action::"edit",
    resource in Album::"jane_vacation"
);

// Solution #2: Using conditions in a single policy.
// Note - depending on the implementation of a backend datastore,
// shifting rules into the conditions may result in changes to
// performance or search/lookup capabilities, as the condition clauses
// can be less amenable to indexing.
// NOTE(review): the `action` slot is unconstrained; the only limit on which
// actions are permitted is the `when` clause below.
permit(
    principal == User::"alice",
    action,
    resource in Album::"jane_vacation"
)
when { action in PhotoflashRole::"viewer" || action == Action::"edit" };

// ANY principal may view photos in the album — the principal slot is
// unconstrained, so this is album-wide read access for every principal the
// authorizer knows about.
permit(
    principal,
    action == Action::"view",
    resource in Album::"jane_vacation"
);

// Byte-for-byte duplicate of the policy directly above; it grants nothing
// new. TODO: confirm the duplication is intentional in the original example.
permit(
    principal,
    action == Action::"view",
    resource in Album::"jane_vacation"
);

// Alice may list albums, list photos and view anything under Jane's account.
permit(
    principal == User::"alice",
    action in [Action::"listAlbums", Action::"listPhotos", Action::"view"],
    resource in Account::"jane"
);

// Alice may perform ANY action on any resource under Jane's account — the
// action slot is unconstrained. This is the broadest grant in the excerpt
// and the one to scrutinise against least privilege.
permit(
    principal == User::"alice",
    action,
    resource in Account::"jane"
);

// Task-list example: any principal may run the listed mutating actions on a
// resource whose `editors` set contains that principal. Both principal and
// resource are unconstrained in the scope; the entire access check lives in
// the `when` condition.
// NOTE(review): `resource.editors` is an attribute read. Per Cedar's
// documented semantics a missing attribute makes the condition error, and a
// permit whose condition errors is not satisfied (it grants nothing) — confirm
// against the schema that every resource type these actions target declares
// `editors`, otherwise this silently denies rather than fails loudly.
permit (
    principal,
    action in [Action::"UpdateList", Action::"CreateTask", Action::"UpdateTask", Action::"DeleteTask"],
    resource
)
when { principal in resource.editors };

// Policy 4: Admins can perform any action on any resource
// (the policy this comment introduces lies past the end of this excerpt)