Merge origin/dev into dev

2026-06-15 20:05:47 +09:00
parent 4d468cd39f 50ce44c236
commit 202c783920
67 changed files with 6933 additions and 3919 deletions
--- a/docker/ory/keto/namespaces.ts
+++ b/docker/ory/keto/namespaces.ts
@@ -6,11 +6,126 @@ class System implements Namespace {
  related: {
    super_admins: User[]
    authenticated_users: User[]
+
+    // 🌟 신규 글로벌 메뉴 권한 (Admin Control) 정의 - 조회(Read)
+    overview_viewers: User[]
+    tenants_viewers: User[]
+    org_chart_viewers: User[]
+    worksmobile_viewers: User[]
+    ory_ssot_viewers: User[]
+    data_integrity_viewers: User[]
+    users_viewers: User[]
+    permissions_direct_viewers: User[]
+    auth_guard_viewers: User[]
+    api_keys_viewers: User[]
+    audit_logs_viewers: User[]
+
+    // 🌟 신규 글로벌 메뉴 권한 (Admin Control) 정의 - 수정(Write)
+    overview_managers: User[]
+    tenants_managers: User[]
+    org_chart_managers: User[]
+    worksmobile_managers: User[]
+    ory_ssot_managers: User[]
+    data_integrity_managers: User[]
+    users_managers: User[]
+    permissions_direct_managers: User[]
+    auth_guard_managers: User[]
+    api_keys_managers: User[]
+    audit_logs_managers: User[]
  }

  permits = {
    manage_all: (ctx: Context): boolean =>
-      this.related.super_admins.includes(ctx.subject)
+      this.related.super_admins.includes(ctx.subject),
+
+    // 🌟 글로벌 메뉴 허가 규칙 (Permit Rules) - 조회(access_)와 수정(manage_) 완전 분리 이원화
+    access_overview: (ctx: Context): boolean =>
+      this.related.overview_viewers.includes(ctx.subject) ||
+      this.permits.manage_overview(ctx),
+
+    manage_overview: (ctx: Context): boolean =>
+      this.related.overview_managers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_tenants: (ctx: Context): boolean =>
+      this.related.tenants_viewers.includes(ctx.subject) ||
+      this.permits.manage_tenants(ctx),
+
+    manage_tenants: (ctx: Context): boolean =>
+      this.related.tenants_managers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_org_chart: (ctx: Context): boolean =>
+      this.related.org_chart_viewers.includes(ctx.subject) ||
+      this.permits.manage_org_chart(ctx),
+
+    manage_org_chart: (ctx: Context): boolean =>
+      this.related.org_chart_managers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_worksmobile: (ctx: Context): boolean =>
+      this.related.worksmobile_viewers.includes(ctx.subject) ||
+      this.permits.manage_worksmobile(ctx),
+
+    manage_worksmobile: (ctx: Context): boolean =>
+      this.related.worksmobile_managers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_ory_ssot: (ctx: Context): boolean =>
+      this.related.ory_ssot_viewers.includes(ctx.subject) ||
+      this.permits.manage_ory_ssot(ctx),
+
+    manage_ory_ssot: (ctx: Context): boolean =>
+      this.related.ory_ssot_managers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_data_integrity: (ctx: Context): boolean =>
+      this.related.data_integrity_viewers.includes(ctx.subject) ||
+      this.permits.manage_data_integrity(ctx),
+
+    manage_data_integrity: (ctx: Context): boolean =>
+      this.related.data_integrity_managers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_users: (ctx: Context): boolean =>
+      this.related.users_viewers.includes(ctx.subject) ||
+      this.permits.manage_users(ctx),
+
+    manage_users: (ctx: Context): boolean =>
+      this.related.users_managers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_permissions_direct: (ctx: Context): boolean =>
+      this.related.permissions_direct_viewers.includes(ctx.subject) ||
+      this.permits.manage_permissions_direct(ctx),
+
+    manage_permissions_direct: (ctx: Context): boolean =>
+      this.related.permissions_direct_managers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_auth_guard: (ctx: Context): boolean =>
+      this.related.auth_guard_viewers.includes(ctx.subject) ||
+      this.permits.manage_auth_guard(ctx),
+
+    manage_auth_guard: (ctx: Context): boolean =>
+      this.related.auth_guard_managers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_api_keys: (ctx: Context): boolean =>
+      this.related.api_keys_viewers.includes(ctx.subject) ||
+      this.permits.manage_api_keys(ctx),
+
+    manage_api_keys: (ctx: Context): boolean =>
+      this.related.api_keys_managers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_audit_logs: (ctx: Context): boolean =>
+      this.related.audit_logs_viewers.includes(ctx.subject) ||
+      this.permits.manage_audit_logs(ctx),
+
+    manage_audit_logs: (ctx: Context): boolean =>
+      this.related.audit_logs_managers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx)
  }
 }

@@ -22,9 +137,63 @@ class Tenant implements Namespace {
    parents: Tenant[]
    developer_console_viewer: (User | SubjectSet<System, "super_admins">)[]
    developer_console_grant_manager: (User | SubjectSet<System, "super_admins">)[]
+
+    // 🌟 신규 직접 관계 (Direct Relations) 정의
+    profile_viewers: (User | SubjectSet<System, "super_admins">)[]
+    profile_managers: (User | SubjectSet<System, "super_admins">)[]
+
+    permissions_viewers: (User | SubjectSet<System, "super_admins">)[]
+    permissions_managers: (User | SubjectSet<System, "super_admins">)[]
+
+    organization_viewers: (User | SubjectSet<System, "super_admins">)[]
+    organization_managers: (User | SubjectSet<System, "super_admins">)[]
+
+    schema_viewers: (User | SubjectSet<System, "super_admins">)[]
+    schema_managers: (User | SubjectSet<System, "super_admins">)[]
  }

  permits = {
+    // 1. 프로필 (Profile) 탭 허가 규칙
+    view_profile: (ctx: Context): boolean =>
+      this.related.profile_viewers.includes(ctx.subject) ||
+      this.permits.manage_profile(ctx) ||
+      this.permits.view(ctx), // 멤버/관리자/소유자는 기본 조회 가능
+
+    manage_profile: (ctx: Context): boolean =>
+      this.related.profile_managers.includes(ctx.subject) ||
+      this.permits.manage(ctx), // 관리자/소유자는 기본 수정 가능
+
+    // 2. 권한 관리 (Permissions) 탭 허가 규칙
+    view_permissions: (ctx: Context): boolean =>
+      this.related.permissions_viewers.includes(ctx.subject) ||
+      this.permits.manage_permissions(ctx) ||
+      this.permits.view(ctx),
+
+    manage_permissions: (ctx: Context): boolean =>
+      this.related.permissions_managers.includes(ctx.subject) ||
+      this.permits.manage_admins(ctx), // 소유자는 기본 관리 가능
+
+    // 3. 조직 관리 (Organization) 탭 허가 규칙
+    view_organization: (ctx: Context): boolean =>
+      this.related.organization_viewers.includes(ctx.subject) ||
+      this.permits.manage_organization(ctx) ||
+      this.permits.view(ctx),
+
+    manage_organization: (ctx: Context): boolean =>
+      this.related.organization_managers.includes(ctx.subject) ||
+      this.permits.manage(ctx),
+
+    // 4. 사용자 스키마 (Schema) 탭 허가 규칙
+    view_schema: (ctx: Context): boolean =>
+      this.related.schema_viewers.includes(ctx.subject) ||
+      this.permits.manage_schema(ctx) ||
+      this.permits.view(ctx),
+
+    manage_schema: (ctx: Context): boolean =>
+      this.related.schema_managers.includes(ctx.subject) ||
+      this.permits.manage(ctx),
+
+    // --- 기존 마스터 및 상속 규칙 보존 ---
    view: (ctx: Context): boolean =>
      this.related.members.includes(ctx.subject) ||
      this.related.admins.includes(ctx.subject) ||