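# Authorization model: RBAC roles, the permission catalogue, and per-resource
# ownership policies.
#
# Role permission strings appear to follow `resource:action[:scope]`, with
# `*` as a wildcard and `own` as an ownership scope (TODO confirm against the
# enforcing engine). How role permissions combine with `resource_policies`
# is not stated in this file; NOTE(review) comments mark where that matters.
spec_type: authorization
name: Authorization Model
version: "1.0"
model: RBAC

roles:
  - name: admin
    description: Full system access
    permissions:
      # Global wildcard grant.
      # NOTE(review): confirm whether this overrides the `owner_only` rules
      # in resource_policies or is still subject to them.
      - "*"

  - name: seller
    description: Manage own products and orders
    permissions:
      - "products:create"
      - "products:read"
      # NOTE(review): no `:own` scope here, unlike `products:delete:own`.
      # resource_policies marks products.update as owner_only; if role
      # permissions are ever evaluated without that policy, this grant is
      # not limited to the seller's own products. Consider
      # `products:update:own` for parity, or confirm the policy always runs.
      - "products:update"
      - "products:delete:own"
      # NOTE(review): the orders policy uses owner_field `customer_id`;
      # confirm what `own` resolves to for a seller.
      - "orders:read:own"
      - "analytics:read:own"

  - name: customer
    description: Browse and purchase products
    permissions:
      - "products:read"
      # NOTE(review): wildcard without an `:own` scope, unlike
      # `profile:*:own`; confirm carts are scoped per user elsewhere.
      - "cart:*"
      - "orders:create"
      - "orders:read:own"
      - "profile:*:own"

  - name: guest
    description: Browse only
    permissions:
      - "products:read"

# Permission catalogue: actions defined per resource.
# NOTE(review): roles above reference `analytics`, `cart` and `profile`,
# which are not listed here; confirm whether unlisted resources are rejected
# or silently accepted. No role other than admin (via `*`) is granted any
# `users` action or `orders:update`.
permissions:
  products:
    - create
    - read
    - update
    - delete
  orders:
    - create
    - read
    - update
    - cancel
  users:
    - create
    - read
    - update
    - delete
    - ban

# Ownership rules: `owner_field` names the record field compared with the
# caller for the listed actions.
# NOTE(review): actions with no entry (products create/read, orders
# create/update) and the `users` resource have no rule here; confirm the
# engine denies by default rather than falling back to the role grant alone.
resource_policies:
  - resource: products
    owner_field: seller_id
    actions:
      update: owner_only
      delete: owner_only

  - resource: orders
    owner_field: customer_id
    actions:
      read: owner_or_admin
      # NOTE(review): `cancel` is owner_only, but no role above is granted
      # `orders:cancel` except admin via `*`; confirm who is meant to cancel.
      cancel: owner_only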