################################################################################
# Map Open ID Connect provider roles to ZendHQ roles
################################################################################

# Each rule line in this file contains a regular expression that matches OIDC
# provider role names, followed by one or more ZendHQ role names. The regular
# expression and the role names are separated by at least two spaces or by
# <TAB> characters.
#
# ZendHQ role names can contain multiple roles separated by commas. Any indented
# line (begins with a space or <TAB>) continues the roles list of the most recent
# rule.
#
# <provider role regex> <TAB><TAB> <zendhq role 1>, <zendhq role 2>, ...
# <TAB> <zendhq role 3>, <zendhq role 4>, ...
#
# Empty lines and lines whose first non-whitespace char is `;` or `#` are comments
# and ignored when reading the file.
#
# The file can contain multiple rules that are processed in the order they appear
# in this file. The first regular expression matching the OIDC role name will be
# used. The daemon performs a full regular expression match against the
# OIDC provider role names (i.e., the entire role name must match the regex).
#
# A user may have multiple OIDC provider roles. The ZendHQ roles for each of the
# user's OIDC roles will be combined to determine the user's effective ZendHQ roles.
#
# ZendHQ role names have the format:
#   zendhq.<component>[.<permission>]
#
# where <component> is one of:
#   conf  - ZendHQ Configuration including Monitoring rules
#   ct    - Code Tracing
#   jq    - Job Queue
#   mon   - Monitoring
#   zray  - Z-Ray
#
# and <permission> is one of:
#   read    - Read-only access
#   write   - Read and write access
#   execute - Privileged access
#
# If <permission> is omitted, full administrator access (read, write, execute) is
# granted.
#
# The `zendhq.` prefix is reserved for ZendHQ roles. Do not use it in your OIDC
# provider role names: role names carrying that prefix are ZendHQ roles, which
# are applied directly to users and bypass the OIDC role mapping. Mapped roles
# are combined with any such direct ZendHQ roles.

################################################################################
# Examples:
#
# Map the OIDC provider role name "zendhq-admin" to all the ZendHQ administrator roles:
;zendhq-admin       zendhq.conf
;                   zendhq.ct
;                   zendhq.jq
;                   zendhq.mon
;                   zendhq.zray

# Map the OIDC provider role name "zendhq-devel" to read and write (but not
# execute) ZendHQ roles for every component:
;zendhq-devel       zendhq.conf.read, zendhq.conf.write
;                   zendhq.ct.read, zendhq.ct.write
;                   zendhq.jq.read, zendhq.jq.write
;                   zendhq.mon.read, zendhq.mon.write
;                   zendhq.zray.read, zendhq.zray.write

# Map the OIDC provider role name "zendhq-guest" to read-only ZendHQ roles:
;zendhq-guest       zendhq.conf.read
;                   zendhq.ct.read
;                   zendhq.jq.read
;                   zendhq.mon.read
;                   zendhq.zray.read
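# The following Python snippet is an added illustration of the rules described
# above (comment lines, indented continuation lines, first-match ordering, full
# regex match, the reserved `zendhq.` prefix) and is not part of ZendHQ or of
# this file's format. SAMPLE is a constructed mapping file; the role-name grammar
# check is an added validation step, not something the daemon is known to do.

```python
import re

# Role-name syntax from this file: zendhq.<component>[.<permission>]
ROLE_NAME = re.compile(r"zendhq\.(conf|ct|jq|mon|zray)(\.(read|write|execute))?")
# Regex and role list are separated by a <TAB> or by two or more spaces.
SEPARATOR = re.compile(r"(?:\t| {2})[ \t]*")

# Constructed sample in the mapping-file syntax (not a real deployment's file).
SAMPLE = (
    "# comment line\n"
    "  ; an indented comment is still a comment, not a continuation\n"
    "zendhq-admin\t\tzendhq.conf, zendhq.ct\n"
    "\tzendhq.jq\n"                        # continues the zendhq-admin rule
    "devops-.*       zendhq.conf.write, zendhq.mon.write\n"
    "    zendhq.jq.read\n"                 # continues the devops-.* rule
    ".*              zendhq.mon.read\n"    # catch-all, so it must come last
)

def split_roles(text: str) -> list[str]:
    # Comma-separated list; reject names outside the documented grammar (added check).
    roles = [r.strip() for r in text.split(",") if r.strip()]
    bad = [r for r in roles if not ROLE_NAME.fullmatch(r)]
    if bad:
        raise ValueError(f"invalid ZendHQ role name(s): {bad}")
    return roles

def parse_rules(text: str) -> list[tuple[re.Pattern, list[str]]]:
    # Returns (compiled regex, roles) pairs in file order; order decides precedence.
    rules = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip()[0] in ";#":
            continue                                  # empty or comment line
        if raw[0] in " \t":                           # indented: extend last rule
            rules[-1][1].extend(split_roles(raw))
            continue
        parts = SEPARATOR.split(raw.rstrip(), maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"rule without role list: {raw!r}")
        rules.append((re.compile(parts[0]), split_roles(parts[1])))
    return rules

def effective_roles(rules, oidc_roles: list[str]) -> set[str]:
    # Union over all of the user's OIDC roles; per role, the first matching rule wins.
    granted: set[str] = set()
    for name in oidc_roles:
        if name.startswith("zendhq."):                # reserved prefix: applied as-is
            granted.add(name)
            continue
        for pattern, roles in rules:
            if pattern.fullmatch(name):               # the entire name must match
                granted.update(roles)
                break
    return granted
```

# Note that "zendhq-admin-eu" does not fully match "zendhq-admin", so it falls
# through to the catch-all rule and receives only zendhq.mon.read.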
