Hi,
I'm trying to implement policies to limit who can send group invitations and who can accept group applications. Currently I have the following:
{
  "Action": "*",
  "Effect": "Allow",
  "Resource": "pfrn:group--group!*/Invitations/*",
  "Principal": {
    "MemberOf": { "RoleId": "admins" },
    "ChildOf": { "EntityType": "title", "EntityId": "7AB" }
  },
  "Comment": "Only Admins can access invitations",
  "Condition": null
},
{
  "Action": "*",
  "Effect": "Allow",
  "Resource": "pfrn:group--group!*/Applications/*",
  "Principal": {
    "MemberOf": { "RoleId": "admins" },
    "ChildOf": { "EntityType": "title", "EntityId": "7AB" }
  },
  "Comment": "Only Admins can access applications",
  "Condition": null
}
I am not sure whether it is correct or even if it makes sense.
I have not tried the invite flow, but for applications, non-admin members are able to accept applications.
The application flow is not much of a concern, as I can pipe it through CloudScript and validate the user doing the acceptance. Invitations are a different issue, as sending an invitation from CloudScript sets the title entity as the inviting entity.