DelegateAuthorization delegates authorization to the given delegate authorizer and prefixes the given reason with the reason after the given delegate authorizer executed.

IsDeepSubjectAccessReviewFrom returns whether this is a deep SAR request.

NewDecorator returns a new authorizer which is associated with the given key.

NewMaximalPermissionPolicyAuthorizer returns an authorizer that first checks if the request is for a bound resource or not.

NewRequiredGroupsAuthorizer returns an authorizer that a set of groups stored on the LogicalCluster object.

WithAuditLogging stores the given domain in the context to be used when logging audit events in the given authorizer chain.

WithDeepSARConfig modifies and returns the input rest.Config with an additional header making SARs to be deep.

WithDeepSubjectAccessReview attaches to the context that this request has set the DeepSubjectAccessReview header.

RequiredGroupsAnnotationKey is a comma-separated list (OR'ed) of semicolon separated groups (AND'ed) that a user must be a member of to be able to access the workspace.

SystemCRDAuthorizer protects the system CRDs from users who are admins in their workspaces.