apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: ticket

  rules:
    - actions:
        - "*"
      effect: EFFECT_ALLOW
      roles:
        - admin
    - actions:
        - read
        - update
      effect: EFFECT_ALLOW
      roles:
        - customer
      condition:
        match:
          expr: request.resource.attr.cust_id == request.principal.id
    - actions:
        - create
        - delete
      effect: EFFECT_DENY
      roles:
        - customer