---
# Cerbos resource policy for the `leave_request` resource kind
# (policy version "default", scope "acme").
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: 'default'
  # Scoped policy: this document applies to requests evaluated in the "acme"
  # scope.
  # NOTE(review): how it combines with any parent-scope policy for the same
  # resource is decided outside this file - confirm the intended fallthrough.
  scope: 'acme'
  # Derived-role sets whose role names the rules below may reference.
  importDerivedRoles:
    - alpha
    - beta
  # JSON schemas used to validate the principal and resource attributes sent
  # with a check request.
  # NOTE(review): schemas only protect the conditions that read these
  # attributes if schema enforcement is switched on in the PDP configuration;
  # that setting is not visible here - confirm it is not left disabled.
  schemas:
    principalSchema:
      ref: 'cerbos:///principal.json'
    resourceSchema:
      ref: 'cerbos:///leave_request.json'
  resource: leave_request
  # Every rule below is an ALLOW; this policy contains no EFFECT_DENY rule.
  # Actions not listed here are not granted by this document.
  rules:
    # Creation is limited to the derived role for the record's owner.
    # `employee_that_owns_the_record` is presumably defined in one of the
    # imported sets (alpha / beta) - its condition is the real access check,
    # so review it together with this rule.
    - actions:
        - 'create'
      derivedRoles:
        - employee_that_owns_the_record
      effect: EFFECT_ALLOW
    # Broadest grant in the policy: any principal resolving to `any_employee`
    # may perform `view:public`. Presumably that role is also defined in an
    # imported set - verify it does not match non-employee principals.
    - name: public-view
      actions:
        - 'view:public'
      derivedRoles:
        - any_employee
      effect: EFFECT_ALLOW