Example 3: Restrict by container name

Here we want all users from groups group1 and group2 to manage only containers whose names start with foo-, bar- or $USER-. Otherwise, only read-only actions are permitted. All administrators are allowed to manage all containers. Anonymous and all other users cannot do anything.

policies.yml
---

- description: Admins can do everything.
               Users from groups are restricted by container name. Or read-only.
               Anonymous users cannot do anything.
  hosts:
    - +.*
  default: Deny
  policies:
    - members:
        - administrators
      rules:
        any:
          Allow:

    - members:
        - user_group1
        - user_group2
      rules:
        containers:
          ContainerName:
            - ^foo-
            - ^bar-
            - ^$USER-
        any:
          ReadOnly:

...
groups.yml
---
user_group1:
  - jre
  - sve

user_group2:
  - cjo
  - mgr

administrators:
  - rda
  - mal
...
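
The decisions this policy is meant to produce, as an added Python example that is not the project's own code: it models the intent stated above so that the anchored name patterns and the `$USER` expansion can be checked against sample requests. Assumptions: `$USER` is replaced by the authenticated user name, the `decide` and `expand` helpers and the `read_only` flag are hypothetical, and the dictionaries are a constructed mirror of the two files.

```python
import re

# Constructed mirror of the groups.yml and policies.yml shown above.
GROUPS = {
    "user_group1": ["jre", "sve"],
    "user_group2": ["cjo", "mgr"],
    "administrators": ["rda", "mal"],
}
NAME_PATTERNS = ["^foo-", "^bar-", "^$USER-"]
RESTRICTED = ("user_group1", "user_group2")


def expand(pattern, user):
    # Assumption: $USER is replaced by the authenticated user name.
    # re.escape keeps a name containing regex metacharacters from widening the match.
    return pattern.replace("$USER", re.escape(user))


def decide(user, container, read_only):
    """Return "Allow" or "Deny" for one request against a container.

    user is None for an anonymous request; read_only marks a request that
    only reads state (hypothetical flag standing in for the ReadOnly check).
    """
    if user is None:
        return "Deny"
    if user in GROUPS["administrators"]:
        return "Allow"
    if any(user in GROUPS[g] for g in RESTRICTED):
        if any(re.search(expand(p, user), container) for p in NAME_PATTERNS):
            return "Allow"
        return "Allow" if read_only else "Deny"
    return "Deny"  # default: Deny


if __name__ == "__main__":
    # Constructed sample requests: (user, container name, read-only?)
    for user, name, ro in [
        ("jre", "foo-web", False), ("jre", "jre-db", False),
        ("jre", "cjo-db", False), ("jre", "cjo-db", True),
        ("jre", "myfoo-web", False), ("rda", "cjo-db", False),
        ("bob", "foo-web", True), (None, "foo-web", True),
    ]:
        mode = "read-only" if ro else "write"
        print(user, name, mode, "->", decide(user, name, ro))
```

Because the patterns are anchored with `^`, a container named `myfoo-web` does not match `^foo-`, and `jre` cannot manage `cjo-db` even though both users belong to restricted groups.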