Hello,

'mandatory' should be set to 'true' for all resources. It is used in some
validations; however, in general, its semantics have changed over time and
are not consistently enforced. This is how resources are specified in all
existing service-definitions.

If 'isValidLeaf' is set to true (default is false) for a resource which has
children (that is, there is some resource whose 'parent' value points to
it), then it defines a valid resource hierarchy with this resource being
the leaf.

If A->B->C is a resource structure, where A is B's parent and B is C's
parent, and B is marked with 'isValidLeaf' set to true, then [A, B] also
defines a valid and complete resource hierarchy (in addition to resource
hierarchy [A, B, C]).

For a leaf resource, you may specify an attribute 'accessTypeRestrictions'
whose value is typically a subset of accessTypes which are valid for it.

Hope this helps!

-Abhay

On Wed, Sep 16, 2020 at 11:32 AM Elliot West <tea...@gmail.com> wrote:

> Hello,
>
> I'm trying to figure out how to implement a service configuration for a
> complex custom resource hierarchy and have been peeking into the definition
> for Hive for inspiration as this has a similar hierarchy
> (database/table/column). I'm curious to know how the 'mandatory' and
> 'isValidLeaf' attributes are interpreted in the policy engine.
>
> My first assumption was that 'mandatory' might be used for resource types
> that may not always be present in particular classes of access request. In
> Hive for example, if I wish to drop a table, I would not expect the access
> request to describe a column name. However, I see this is not how the Hive
> service is implemented - column is mandatory.
>
> I'm also guessing that isValidLeaf=false would be used to denote a
> resource attribute that does not in and of itself point to a resource, but is
> merely a coordinate to such a resource?
>
> Can anyone provide any insights, as I fear I'm likely on the wrong track?
>
> Many thanks,
>
> Elliot.
>
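The hierarchy rules from the reply above (a resource with children is a leaf only when 'isValidLeaf' is true; 'accessTypeRestrictions' is optional on a leaf), worked through as an added illustration that is not Ranger's own code. The sample resource list is constructed, loosely modelled on the Hive database/table/column chain mentioned in the question, and uses the field names 'name', 'parent', 'mandatory', 'isValidLeaf' and 'accessTypeRestrictions'.

```python
from typing import Dict, List

# Constructed sample (not a real Ranger service-definition): a database ->
# table -> column chain with 'table' explicitly marked as a valid leaf.
SAMPLE_RESOURCES = [
    {"name": "database", "parent": "", "mandatory": True, "isValidLeaf": False},
    {"name": "table", "parent": "database", "mandatory": True, "isValidLeaf": True},
    {"name": "column", "parent": "table", "mandatory": True, "isValidLeaf": True,
     "accessTypeRestrictions": ["select"]},
]


def valid_hierarchies(resources: List[dict]) -> List[List[str]]:
    """Return every root -> ... -> leaf chain that forms a complete hierarchy.

    A resource with no children is always a leaf; a resource that has
    children ends a hierarchy only if it carries isValidLeaf=true.
    """
    by_name = {r["name"]: r for r in resources}
    children: Dict[str, List[str]] = {name: [] for name in by_name}
    roots: List[str] = []
    for r in resources:
        parent = r.get("parent") or ""
        if parent:
            children[parent].append(r["name"])
        else:
            roots.append(r["name"])

    result: List[List[str]] = []

    def walk(path: List[str]) -> None:
        name = path[-1]
        kids = children[name]
        if not kids or by_name[name].get("isValidLeaf", False):
            result.append(list(path))
        for kid in kids:
            walk(path + [kid])

    for root in roots:
        walk([root])
    return result


def leaf_access_types(resources: List[dict], hierarchy: List[str]) -> List[str]:
    """Access types permitted on the leaf of a hierarchy; an empty list means
    the leaf carries no accessTypeRestrictions (all access types allowed)."""
    leaf = next(r for r in resources if r["name"] == hierarchy[-1])
    return list(leaf.get("accessTypeRestrictions", []))
```

With the sample above, `valid_hierarchies` yields both `[database, table]` and `[database, table, column]`; flipping `table` to `isValidLeaf=False` leaves only the three-level chain.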
